Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1500125
MD5: 0323967594788684ded929f83f6d9f23
SHA1: 538d6f53242c1a68820f9b5e86a76897c6981717
SHA256: b25258b4956eb18431a014b71987efa95a9c4b8395057c1e4ef3cbb081a662a6
Tags: exe

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
AI detected suspicious sample
Drops PE files with a suspicious file extension
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection

Source: Submited Sample Integrated Neural Analysis Model: Matched 83.4% probability
Source: Setup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00405B98 FindFirstFileW,FindClose, 0_2_00405B98
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00406559 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406559
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004029F1 FindFirstFileW, 0_2_004029F1
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00344005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00344005
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0034494A GetFileAttributesW,FindFirstFileW,FindClose, 10_2_0034494A
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0034FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_0034FA36
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00343CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00343CE2
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0034C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_0034C2FF
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0034CD14 FindFirstFileW,FindClose, 10_2_0034CD14
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0034CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_0034CD9F
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0034F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_0034F5D8
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0034F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_0034F735
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_00424005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_00424005
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_0042494A GetFileAttributesW,FindFirstFileW,FindClose, 15_2_0042494A
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_0042FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_0042FA36
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_0042C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_0042C2FF
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_0042CD14 FindFirstFileW,FindClose, 15_2_0042CD14
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_0042CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 15_2_0042CD9F
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_0042F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_0042F5D8
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_0042F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_0042F735
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_00423CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_00423CE2
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\412421
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\412421\
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_003529BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 10_2_003529BA
Source: global traffic DNS traffic detected: DNS query: BkByEfukMORgCb.BkByEfukMORgCb
Source: Setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Setup.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Linux.pif, 0000000A.00000002.2923389487.0000000004070000.00000004.00000800.00020000.00000000.sdmp, Linux.pif, 0000000A.00000003.1705749417.0000000004240000.00000004.00000800.00020000.00000000.sdmp, Hollow.0.dr, Linux.pif.1.dr, ScribeSync.pif.10.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Linux.pif, 0000000A.00000002.2923389487.0000000004070000.00000004.00000800.00020000.00000000.sdmp, Linux.pif, 0000000A.00000003.1705749417.0000000004240000.00000004.00000800.00020000.00000000.sdmp, Hollow.0.dr, Linux.pif.1.dr, ScribeSync.pif.10.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Linux.pif, 0000000A.00000002.2923389487.0000000004070000.00000004.00000800.00020000.00000000.sdmp, Linux.pif, 0000000A.00000003.1705749417.0000000004240000.00000004.00000800.00020000.00000000.sdmp, Hollow.0.dr, Linux.pif.1.dr, ScribeSync.pif.10.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Linux.pif, 0000000A.00000002.2923389487.0000000004070000.00000004.00000800.00020000.00000000.sdmp, Linux.pif, 0000000A.00000003.1705749417.0000000004240000.00000004.00000800.00020000.00000000.sdmp, Hollow.0.dr, Linux.pif.1.dr, ScribeSync.pif.10.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Setup.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: Setup.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Setup.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Setup.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: Setup.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: Setup.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Setup.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: Setup.exe String found in binary or memory: http://ocsp.digicert.com0
Source: Setup.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: Setup.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: Linux.pif, 0000000A.00000002.2923389487.0000000004070000.00000004.00000800.00020000.00000000.sdmp, Linux.pif, 0000000A.00000003.1705749417.0000000004240000.00000004.00000800.00020000.00000000.sdmp, Hollow.0.dr, Linux.pif.1.dr, ScribeSync.pif.10.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Linux.pif, 0000000A.00000002.2923389487.0000000004070000.00000004.00000800.00020000.00000000.sdmp, Linux.pif, 0000000A.00000003.1705749417.0000000004240000.00000004.00000800.00020000.00000000.sdmp, Hollow.0.dr, Linux.pif.1.dr, ScribeSync.pif.10.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Linux.pif, 0000000A.00000002.2923389487.0000000004070000.00000004.00000800.00020000.00000000.sdmp, Linux.pif, 0000000A.00000003.1705749417.0000000004240000.00000004.00000800.00020000.00000000.sdmp, Hollow.0.dr, Linux.pif.1.dr, ScribeSync.pif.10.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Linux.pif, 0000000A.00000002.2923389487.0000000004070000.00000004.00000800.00020000.00000000.sdmp, Linux.pif, 0000000A.00000003.1705749417.0000000004240000.00000004.00000800.00020000.00000000.sdmp, Hollow.0.dr, Linux.pif.1.dr, ScribeSync.pif.10.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Linux.pif, 0000000A.00000002.2923389487.0000000004070000.00000004.00000800.00020000.00000000.sdmp, Linux.pif, 0000000A.00000003.1705749417.0000000004240000.00000004.00000800.00020000.00000000.sdmp, Hollow.0.dr, Linux.pif.1.dr, ScribeSync.pif.10.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Setup.exe, 00000000.00000002.1670379188.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Linux.pif, 0000000A.00000000.1698620856.00000000003A9000.00000002.00000001.01000000.00000005.sdmp, Linux.pif, 0000000A.00000003.1705749417.0000000004240000.00000004.00000800.00020000.00000000.sdmp, ScribeSync.pif, 0000000F.00000002.2922325608.0000000000489000.00000002.00000001.01000000.00000009.sdmp, Hollow.0.dr, Linux.pif.1.dr, ScribeSync.pif.10.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Setup.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: Setup.exe String found in binary or memory: https://sectigo.com/CPS0
Source: Linux.pif, 0000000A.00000002.2923389487.0000000004070000.00000004.00000800.00020000.00000000.sdmp, Linux.pif, 0000000A.00000003.1705749417.0000000004240000.00000004.00000800.00020000.00000000.sdmp, Hollow.0.dr, Linux.pif.1.dr, ScribeSync.pif.10.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: ScribeSync.pif.10.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: Linux.pif, 0000000A.00000002.2923389487.0000000004070000.00000004.00000800.00020000.00000000.sdmp, Linux.pif, 0000000A.00000003.1705749417.0000000004240000.00000004.00000800.00020000.00000000.sdmp, Hollow.0.dr, Linux.pif.1.dr, ScribeSync.pif.10.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00404BB4 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404BB4
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00354830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 10_2_00354830
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_00434830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 15_2_00434830
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00354632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 10_2_00354632
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00340508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 10_2_00340508
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0036D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 10_2_0036D164
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_0044D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 15_2_0044D164

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00344254: CreateFileW,DeviceIoControl,CloseHandle, 10_2_00344254
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00338F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 10_2_00338F2E
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00403415 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx, 0_2_00403415
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00345778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 10_2_00345778
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_00425778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 15_2_00425778
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0040447D 0_2_0040447D
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0040680A 0_2_0040680A
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00406E34 0_2_00406E34
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_002EB020 10_2_002EB020
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_002E94E0 10_2_002E94E0
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_002E9C80 10_2_002E9C80
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_003023F5 10_2_003023F5
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00368400 10_2_00368400
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00316502 10_2_00316502
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0031265E 10_2_0031265E
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_002EE6F0 10_2_002EE6F0
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0030282A 10_2_0030282A
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_003189BF 10_2_003189BF
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00360A3A 10_2_00360A3A
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00316A74 10_2_00316A74
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_002F0BE0 10_2_002F0BE0
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0030CD51 10_2_0030CD51
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0033EDB2 10_2_0033EDB2
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00348E44 10_2_00348E44
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00360EB7 10_2_00360EB7
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00316FE6 10_2_00316FE6
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_002E32C2 10_2_002E32C2
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_003033B7 10_2_003033B7
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0030F409 10_2_0030F409
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_002FD45D 10_2_002FD45D
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_002FF628 10_2_002FF628
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_002E1663 10_2_002E1663
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_003016B4 10_2_003016B4
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_002EF6A0 10_2_002EF6A0
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_003078C3 10_2_003078C3
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0030DBA5 10_2_0030DBA5
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00301BA8 10_2_00301BA8
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00319CE5 10_2_00319CE5
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_002E7CCD 10_2_002E7CCD
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_002FDD28 10_2_002FDD28
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0030BFD6 10_2_0030BFD6
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00301FC0 10_2_00301FC0
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003CB020 15_2_003CB020
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003C94E0 15_2_003C94E0
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003C9C80 15_2_003C9C80
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003E23F5 15_2_003E23F5
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_00448400 15_2_00448400
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003F6502 15_2_003F6502
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003F265E 15_2_003F265E
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003CE6F0 15_2_003CE6F0
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003E282A 15_2_003E282A
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003F89BF 15_2_003F89BF
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003F6A74 15_2_003F6A74
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_00440A3A 15_2_00440A3A
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003D0BE0 15_2_003D0BE0
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003ECD51 15_2_003ECD51
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_0041EDB2 15_2_0041EDB2
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_00428E44 15_2_00428E44
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_00440EB7 15_2_00440EB7
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003F6FE6 15_2_003F6FE6
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003E33B7 15_2_003E33B7
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003EF409 15_2_003EF409
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003DD45D 15_2_003DD45D
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003DF628 15_2_003DF628
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003C1663 15_2_003C1663
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003E16B4 15_2_003E16B4
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003CF6A0 15_2_003CF6A0
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003E78C3 15_2_003E78C3
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003E1BA8 15_2_003E1BA8
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003EDBA5 15_2_003EDBA5
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003F9CE5 15_2_003F9CE5
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003DDD28 15_2_003DDD28
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003EBFD6 15_2_003EBFD6
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003E1FC0 15_2_003E1FC0
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\412421\Linux.pif 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: String function: 003E8B30 appears 42 times
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: String function: 003D1A36 appears 34 times
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: String function: 003E0D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: String function: 00300D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: String function: 002F1A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: String function: 00308B30 appears 42 times
Source: Setup.exe Static PE information: invalid certificate
Source: Setup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal72.expl.evad.winEXE@28/17@2/0
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0034A6AD GetLastError,FormatMessageW, 10_2_0034A6AD
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00338DE9 AdjustTokenPrivileges,CloseHandle, 10_2_00338DE9
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00339399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 10_2_00339399
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_00418DE9 AdjustTokenPrivileges,CloseHandle, 15_2_00418DE9
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_00419399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 15_2_00419399
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0040400B GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_0040400B
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00344148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification, 10_2_00344148
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00402218 CoCreateInstance, 0_2_00402218
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0034443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 10_2_0034443D
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif File created: C:\Users\user\AppData\Local\ScribeSoft Systems
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_03
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\nsaA366.tmp
Source: Setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\Setup.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Setup.exe File read: C:\Users\user\Desktop\Setup.exe
Source: unknown Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Biography Biography.cmd & Biography.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 412421
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "uncertaintycompetitionsadvertisingorganisation" Marie
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Participated + ..\Corner + ..\Domestic + ..\Disposition + ..\Diagnostic + ..\Options + ..\Mrs M
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Linux.pif M
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScribeSync.url" & echo URL="C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScribeSync.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif "C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif" "C:\Users\user\AppData\Local\ScribeSoft Systems\w"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Biography Biography.cmd & Biography.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 412421
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "uncertaintycompetitionsadvertisingorganisation" Marie
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Participated + ..\Corner + ..\Domestic + ..\Disposition + ..\Diagnostic + ..\Options + ..\Mrs M
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Linux.pif M
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScribeSync.url" & echo URL="C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScribeSync.url" & exit
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif "C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif" "C:\Users\user\AppData\Local\ScribeSoft Systems\w"
Source: C:\Users\user\Desktop\Setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Setup.exe Static file information: File size 58731728 > 1048576
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00405BBF GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405BBF
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00308B75 push ecx; ret 10_2_00308B88
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003E8B75 push ecx; ret 15_2_003E8B88
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003DCBDB push eax; retf 15_2_003DCBF8

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif File created: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\412421\Linux.pif
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif File created: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\412421\Linux.pif
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScribeSync.url
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScribeSync.url
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_003659B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 10_2_003659B3
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_002F5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 10_2_002F5EDA
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_004459B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 15_2_004459B3
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003D5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 15_2_003D5EDA
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_003033B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_003033B7
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif API coverage: 5.2 %
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif API coverage: 4.7 %
Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00405B98 FindFirstFileW,FindClose, 0_2_00405B98
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00406559 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406559
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004029F1 FindFirstFileW, 0_2_004029F1
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00344005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00344005
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0034494A GetFileAttributesW,FindFirstFileW,FindClose, 10_2_0034494A
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0034FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_0034FA36
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00343CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00343CE2
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0034C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_0034C2FF
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0034CD14 FindFirstFileW,FindClose, 10_2_0034CD14
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0034CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_0034CD9F
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0034F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_0034F5D8
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0034F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_0034F735
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_00424005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_00424005
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_0042494A GetFileAttributesW,FindFirstFileW,FindClose, 15_2_0042494A
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_0042FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_0042FA36
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_0042C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_0042C2FF
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_0042CD14 FindFirstFileW,FindClose, 15_2_0042CD14
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_0042CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 15_2_0042CD9F
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_0042F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_0042F5D8
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_0042F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_0042F735
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_00423CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_00423CE2
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_002F5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 10_2_002F5D13
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\412421
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\412421\
Source: Linux.pif, 0000000A.00000002.2923389487.0000000004070000.00000004.00000800.00020000.00000000.sdmp, ScribeSync.pif, 0000000F.00000002.2923218463.00000000031EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_003545D5 BlockInput, 10_2_003545D5
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_002F5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 10_2_002F5240
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00315CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 10_2_00315CAC
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00405BBF GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405BBF
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_003388CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 10_2_003388CD
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0030A354 SetUnhandledExceptionFilter, 10_2_0030A354
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0030A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_0030A385
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003EA354 SetUnhandledExceptionFilter, 15_2_003EA354
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_003EA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_003EA385
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00339369 LogonUserW, 10_2_00339369
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_002F5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 10_2_002F5240
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00341AC6 SendInput,keybd_event, 10_2_00341AC6
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_003451E2 mouse_event, 10_2_003451E2
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Biography Biography.cmd & Biography.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 412421
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "uncertaintycompetitionsadvertisingorganisation" Marie
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Participated + ..\Corner + ..\Domestic + ..\Disposition + ..\Diagnostic + ..\Options + ..\Mrs M
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Linux.pif M
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif "C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif" "C:\Users\user\AppData\Local\ScribeSoft Systems\w"
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\scribesync.url" & echo url="c:\users\user\appdata\local\scribesoft systems\scribesync.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\scribesync.url" & exit
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_003388CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 10_2_003388CD
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00344F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 10_2_00344F1C
Source: Linux.pif, 0000000A.00000002.2922190098.0000000000396000.00000002.00000001.01000000.00000005.sdmp, Linux.pif, 0000000A.00000003.1705650105.0000000003959000.00000004.00000800.00020000.00000000.sdmp, ScribeSync.pif, 0000000F.00000002.2922236612.0000000000476000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Linux.pif, ScribeSync.pif Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0030885B cpuid 10_2_0030885B
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00320030 GetLocalTime,__swprintf, 10_2_00320030
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00320722 GetUserNameW, 10_2_00320722
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0031416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 10_2_0031416A
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00405C70 GlobalAlloc,lstrlenW,GetVersionExW,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GlobalFree,lstrcpyW,OpenProcess,CloseHandle,CharUpperW,lstrcmpW,GlobalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,lstrcmpW,CloseHandle,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary,CloseHandle, 0_2_00405C70
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: ScribeSync.pif Binary or memory string: WIN_81
Source: ScribeSync.pif Binary or memory string: WIN_XP
Source: ScribeSync.pif Binary or memory string: WIN_XPe
Source: ScribeSync.pif Binary or memory string: WIN_VISTA
Source: ScribeSync.pif Binary or memory string: WIN_7
Source: ScribeSync.pif Binary or memory string: WIN_8
Source: ScribeSync.pif.10.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_0035696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 10_2_0035696E
Source: C:\Users\user\AppData\Local\Temp\412421\Linux.pif Code function: 10_2_00356E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 10_2_00356E32
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_0043696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 15_2_0043696E
Source: C:\Users\user\AppData\Local\ScribeSoft Systems\ScribeSync.pif Code function: 15_2_00436E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 15_2_00436E32
No contacted IP infos