Windows Analysis Report
C3KzPHU3UG.exe

Overview

General Information

Sample name: C3KzPHU3UG.exe
Renamed because the original name is a hash value
Original sample name: b1202e7766f87458e7bbee5a2b2103ca.exe
Analysis ID: 1502253
MD5: b1202e7766f87458e7bbee5a2b2103ca
SHA1: a1e2d3d973fc37992a07668ab024f5df81e1545a
SHA256: 48a4042854a402824d35f4c95aed1e448d652d79ed0c251635acbc073200dfcf
Tags: AsyncRAT, exe, RAT

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
AI detected suspicious sample
Drops PE files with a suspicious file extension
Sigma detected: WScript or CScript Dropper
Windows Script Host queries suspicious COM object (likely to drop second stage)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a large number of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
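The two startup signatures above ("Drops script at startup location", "Creates a start menu entry (Start Menu\Programs\Startup)") correspond to the `.url` shortcut the process tree later in this report shows being written with `cmd /k echo`, pointing at EchoSync.js under AppData\Local. The shell opens an [InternetShortcut] target through its registered handler, which is why the report then shows wscript.exe running EchoSync.js and the .js starting EchoSync.pif. The following Python is an added triage example, not part of the Joe Sandbox report and not code from the sample: it parses .url files from a Startup folder listing and flags targets that are scripts or executables, or that live under user-writable paths. The folder contents are constructed to mirror the report's shortcut (including the trailing space `echo` leaves on each line), and the extension lists and path heuristics are the author's assumptions.

```python
"""Triage of [InternetShortcut] (.url) entries in a Startup folder.

Added example; not from the Joe Sandbox report.  The folder listing below is
constructed to mirror the EchoSync.url the sample writes with cmd /k echo.
"""
from pathlib import PureWindowsPath

# Assumption: extensions whose registered handler is a script host, plus the
# ones the Windows shell runs as executables (.pif is one of them).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1"}
EXEC_EXTS = {".exe", ".pif", ".scr", ".com"}
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")


def parse_url_shortcut(text: str):
    """Return the URL= value from the [InternetShortcut] section, or None.

    echo leaves a trailing space on each line and the sample quotes the path,
    so both are stripped before the value is returned."""
    section, url = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                url = value.strip().strip('"')
    return url


def classify_target(url):
    """Return the reasons a shortcut target looks suspicious (empty list = none)."""
    if url is None:
        return ["no_url"]
    low = url.lower()
    if low.startswith(("http://", "https://")):
        return []                          # an ordinary web bookmark
    path = low[len("file:///"):].replace("/", "\\") if low.startswith("file:///") else low
    reasons = []
    ext = PureWindowsPath(path).suffix
    if ext in SCRIPT_EXTS:
        reasons.append("target_is_script:" + ext)
    elif ext in EXEC_EXTS:
        reasons.append("target_is_executable:" + ext)
    if any(m in path for m in USER_WRITABLE) and not path.startswith(TRUSTED_ROOTS):
        reasons.append("target_in_user_writable_dir")
    return reasons


def triage_startup(entries: dict) -> dict:
    """entries maps filename -> file content.  Returns {name: (target, reasons)}
    for every .url whose target tripped at least one check."""
    flagged = {}
    for name, content in entries.items():
        if not name.lower().endswith(".url"):
            continue
        target = parse_url_shortcut(content)
        reasons = classify_target(target)
        if reasons:
            flagged[name] = (target, reasons)
    return flagged


# Constructed listing: the sample's shortcut (note echo's trailing spaces), a
# normal web bookmark, and a non-.url file that is ignored.
SAMPLE_STARTUP = {
    "EchoSync.url": '[InternetShortcut] \nURL="C:\\Users\\user\\AppData\\Local\\SyncTech Innovations\\EchoSync.js" \n',
    "Vendor Portal.url": "[InternetShortcut]\nURL=https://portal.example.com/\n",
    "desktop.ini": "[.ShellClassInfo]\n",
}

if __name__ == "__main__":
    for name, (target, reasons) in triage_startup(SAMPLE_STARTUP).items():
        print(name, "->", target, reasons)
```

On a live host the same functions can be fed the contents of both the per-user and the all-users Startup folders; the check deliberately reports a script target and a user-writable location as separate reasons so that a signed vendor updater under Program Files is not flagged by the path rule alone.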

Classification

AV Detection

Source: C3KzPHU3UG.exe ReversingLabs: Detection: 33%
Source: C3KzPHU3UG.exe Virustotal: Detection: 36%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.7% probability
Source: C3KzPHU3UG.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Code function: 0_2_00405B98 FindFirstFileW,FindClose, 0_2_00405B98
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Code function: 0_2_00406559 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406559
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Code function: 0_2_004029F1 FindFirstFileW, 0_2_004029F1
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B94005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00B94005
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B9494A GetFileAttributesW,FindFirstFileW,FindClose, 10_2_00B9494A
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B93CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00B93CE2
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B9C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_00B9C2FF
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B9CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_00B9CD9F
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B9CD14 FindFirstFileW,FindClose, 10_2_00B9CD14
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B9F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00B9F5D8
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B9F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00B9F735
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B9FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_00B9FA36
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006F4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_006F4005
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006F494A GetFileAttributesW,FindFirstFileW,FindClose, 15_2_006F494A
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006FC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_006FC2FF
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006FCD14 FindFirstFileW,FindClose, 15_2_006FCD14
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006FCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 15_2_006FCD9F
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006FF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_006FF5D8
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006FF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_006FF735
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006FFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_006FFA36
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006F3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_006F3CE2
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\585723\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\585723
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: unknown DNS traffic detected: query: XfYprRGwPXpYAiIF.XfYprRGwPXpYAiIF reply code: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00BA29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 10_2_00BA29BA
Source: global traffic DNS traffic detected: DNS query: XfYprRGwPXpYAiIF.XfYprRGwPXpYAiIF
Source: C3KzPHU3UG.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: C3KzPHU3UG.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: C3KzPHU3UG.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: C3KzPHU3UG.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: C3KzPHU3UG.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: C3KzPHU3UG.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: C3KzPHU3UG.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: C3KzPHU3UG.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: C3KzPHU3UG.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: C3KzPHU3UG.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C3KzPHU3UG.exe String found in binary or memory: http://ocsp.digicert.com0
Source: C3KzPHU3UG.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: C3KzPHU3UG.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: C3KzPHU3UG.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: C3KzPHU3UG.exe, 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif, 0000000A.00000000.1685729671.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp, EchoSync.pif, 0000000F.00000002.2896500055.0000000000759000.00000002.00000001.01000000.00000008.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: C3KzPHU3UG.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Statute.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Code function: 0_2_00404BB4 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404BB4
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00BA4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 10_2_00BA4830
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_00704830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 15_2_00704830
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00BA4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 10_2_00BA4632
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B90508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 10_2_00B90508
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00BBD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 10_2_00BBD164
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_0071D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 15_2_0071D164

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B942D5: CreateFileW,DeviceIoControl,CloseHandle, 10_2_00B942D5
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B88F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 10_2_00B88F2E
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Code function: 0_2_00403415 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx, 0_2_00403415
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B95778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 10_2_00B95778
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006F5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 15_2_006F5778
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Code function: 0_2_0040447D 0_2_0040447D
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Code function: 0_2_0040680A 0_2_0040680A
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Code function: 0_2_00406E34 0_2_00406E34
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B3B020 10_2_00B3B020
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B394E0 10_2_00B394E0
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B39C80 10_2_00B39C80
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B523F5 10_2_00B523F5
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00BB8400 10_2_00BB8400
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B66502 10_2_00B66502
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B3E6F0 10_2_00B3E6F0
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B6265E 10_2_00B6265E
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B5282A 10_2_00B5282A
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B689BF 10_2_00B689BF
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00BB0A3A 10_2_00BB0A3A
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B66A74 10_2_00B66A74
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B40BE0 10_2_00B40BE0
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B8EDB2 10_2_00B8EDB2
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B5CD51 10_2_00B5CD51
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00BB0EB7 10_2_00BB0EB7
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B98E44 10_2_00B98E44
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B66FE6 10_2_00B66FE6
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B533B7 10_2_00B533B7
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B5F409 10_2_00B5F409
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B4D45D 10_2_00B4D45D
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B516B4 10_2_00B516B4
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B3F6A0 10_2_00B3F6A0
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B4F628 10_2_00B4F628
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B31663 10_2_00B31663
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B578C3 10_2_00B578C3
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B5DBA5 10_2_00B5DBA5
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B51BA8 10_2_00B51BA8
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B69CE5 10_2_00B69CE5
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B4DD28 10_2_00B4DD28
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B5BFD6 10_2_00B5BFD6
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B51FC0 10_2_00B51FC0
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_0069B020 15_2_0069B020
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006994E0 15_2_006994E0
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_00699C80 15_2_00699C80
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006B23F5 15_2_006B23F5
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_00718400 15_2_00718400
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006C6502 15_2_006C6502
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006C265E 15_2_006C265E
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_0069E6F0 15_2_0069E6F0
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006B282A 15_2_006B282A
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006C89BF 15_2_006C89BF
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006C6A74 15_2_006C6A74
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_00710A3A 15_2_00710A3A
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006A0BE0 15_2_006A0BE0
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006BCD51 15_2_006BCD51
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006EEDB2 15_2_006EEDB2
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006F8E44 15_2_006F8E44
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_00710EB7 15_2_00710EB7
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006C6FE6 15_2_006C6FE6
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006B33B7 15_2_006B33B7
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006AD45D 15_2_006AD45D
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006BF409 15_2_006BF409
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_00691663 15_2_00691663
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006AF628 15_2_006AF628
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_0069F6A0 15_2_0069F6A0
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006B16B4 15_2_006B16B4
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006B78C3 15_2_006B78C3
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006B1BA8 15_2_006B1BA8
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006BDBA5 15_2_006BDBA5
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006C9CE5 15_2_006C9CE5
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006ADD28 15_2_006ADD28
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006B1FC0 15_2_006B1FC0
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006BBFD6 15_2_006BBFD6
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\585723\Designing.pif 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: String function: 00B41A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: String function: 00B58B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: String function: 00B50D17 appears 70 times
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: String function: 006B0D17 appears 70 times
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: String function: 006A1A36 appears 34 times
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: String function: 006B8B30 appears 42 times
Source: C3KzPHU3UG.exe Static PE information: invalid certificate
Source: C3KzPHU3UG.exe, 00000000.00000002.1653619753.00000000007B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs C3KzPHU3UG.exe
Source: C3KzPHU3UG.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal80.expl.evad.winEXE@28/15@2/0
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B9A6AD GetLastError,FormatMessageW, 10_2_00B9A6AD
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B88DE9 AdjustTokenPrivileges,CloseHandle, 10_2_00B88DE9
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B89399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 10_2_00B89399
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006E8DE9 AdjustTokenPrivileges,CloseHandle, 15_2_006E8DE9
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006E9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 15_2_006E9399
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Code function: 0_2_0040400B GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_0040400B
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B94148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification, 10_2_00B94148
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Code function: 0_2_00402218 CoCreateInstance, 0_2_00402218
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B9443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 10_2_00B9443D
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif File created: C:\Users\user\AppData\Local\SyncTech Innovations
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe File created: C:\Users\user\AppData\Local\Temp\nshE67D.tmp
Source: C3KzPHU3UG.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C3KzPHU3UG.exe ReversingLabs: Detection: 33%
Source: C3KzPHU3UG.exe Virustotal: Detection: 36%
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe File read: C:\Users\user\Desktop\C3KzPHU3UG.exe
Source: unknown Process created: C:\Users\user\Desktop\C3KzPHU3UG.exe "C:\Users\user\Desktop\C3KzPHU3UG.exe"
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Sexuality Sexuality.cmd & Sexuality.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 585723
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TranscriptHousesConstitutesMedicaid" Hate
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Rod + ..\Keep + ..\Prep + ..\Tsunami + ..\Invitations F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Designing.pif F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync.url" & echo URL="C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif "C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif" "C:\Users\user\AppData\Local\SyncTech Innovations\p"
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Sexuality Sexuality.cmd & Sexuality.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 585723
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TranscriptHousesConstitutesMedicaid" Hate
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Rod + ..\Keep + ..\Prep + ..\Tsunami + ..\Invitations F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Designing.pif F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync.url" & echo URL="C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync.url" & exit
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif "C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif" "C:\Users\user\AppData\Local\SyncTech Innovations\p"
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Code function: 0_2_00405BBF GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405BBF
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B5E93F push edi; ret 10_2_00B5E941
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B5EA58 push esi; ret 10_2_00B5EA5A
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B58B75 push ecx; ret 10_2_00B58B88
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B5EC33 push esi; ret 10_2_00B5EC35
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B5ED1C push edi; ret 10_2_00B5ED1E
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006B8B75 push ecx; ret 15_2_006B8B88

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\585723\Designing.pif
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif File created: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\585723\Designing.pif
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif File created: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync.url
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync.url
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00BB59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 10_2_00BB59B3
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B45EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 10_2_00B45EDA
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_007159B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 15_2_007159B3
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006A5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 15_2_006A5EDA
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B533B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_00B533B7
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif API coverage: 4.5 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Code function: 0_2_00405B98 FindFirstFileW,FindClose, 0_2_00405B98
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Code function: 0_2_00406559 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406559
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Code function: 0_2_004029F1 FindFirstFileW, 0_2_004029F1
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B94005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00B94005
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B9494A GetFileAttributesW,FindFirstFileW,FindClose, 10_2_00B9494A
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B93CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00B93CE2
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B9C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_00B9C2FF
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B9CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_00B9CD9F
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B9CD14 FindFirstFileW,FindClose, 10_2_00B9CD14
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B9F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00B9F5D8
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B9F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00B9F735
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B9FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_00B9FA36
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006F4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_006F4005
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006F494A GetFileAttributesW,FindFirstFileW,FindClose, 15_2_006F494A
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006FC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_006FC2FF
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006FCD14 FindFirstFileW,FindClose, 15_2_006FCD14
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006FCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 15_2_006FCD9F
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006FF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_006FF5D8
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006FF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_006FF735
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006FFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_006FFA36
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006F3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_006F3CE2
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B45D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 10_2_00B45D13
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\585723\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\585723
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: EchoSync.pif, 0000000F.00000002.2897348540.0000000003339000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllHI
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00BA45D5 BlockInput, 10_2_00BA45D5
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B45240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 10_2_00B45240
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B65CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 10_2_00B65CAC
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Code function: 0_2_00405BBF GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405BBF
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B888CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 10_2_00B888CD
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B5A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00B5A385
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B5A354 SetUnhandledExceptionFilter, 10_2_00B5A354
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006BA354 SetUnhandledExceptionFilter, 15_2_006BA354
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_006BA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_006BA385
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B89369 LogonUserW, 10_2_00B89369
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B45240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 10_2_00B45240
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B91AC6 SendInput,keybd_event, 10_2_00B91AC6
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B951E2 mouse_event, 10_2_00B951E2
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Sexuality Sexuality.cmd & Sexuality.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 585723
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TranscriptHousesConstitutesMedicaid" Hate
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Rod + ..\Keep + ..\Prep + ..\Tsunami + ..\Invitations F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Designing.pif F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif "C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif" "C:\Users\user\AppData\Local\SyncTech Innovations\p"
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\echosync.url" & echo url="c:\users\user\appdata\local\synctech innovations\echosync.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\echosync.url" & exit
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B888CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 10_2_00B888CD
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B94F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 10_2_00B94F1C
Source: Designing.pif, 0000000A.00000003.1692590846.0000000004653000.00000004.00000800.00020000.00000000.sdmp, Designing.pif, 0000000A.00000000.1685656569.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp, EchoSync.pif, 0000000F.00000000.1790935077.0000000000746000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Designing.pif, EchoSync.pif Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B5885B cpuid 10_2_00B5885B
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B70030 GetLocalTime,__swprintf, 10_2_00B70030
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B70722 GetUserNameW, 10_2_00B70722
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00B6416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 10_2_00B6416A
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe Code function: 0_2_00405C70 GlobalAlloc,lstrlenW,GetVersionExW,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GlobalFree,lstrcpyW,OpenProcess,CloseHandle,CharUpperW,lstrcmpW,GlobalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,lstrcmpW,CloseHandle,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary,CloseHandle, 0_2_00405C70
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: EchoSync.pif Binary or memory string: WIN_81
Source: EchoSync.pif Binary or memory string: WIN_XP
Source: EchoSync.pif Binary or memory string: WIN_XPe
Source: EchoSync.pif Binary or memory string: WIN_VISTA
Source: EchoSync.pif Binary or memory string: WIN_7
Source: EchoSync.pif Binary or memory string: WIN_8
Source: Statute.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00BA696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 10_2_00BA696E
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Code function: 10_2_00BA6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 10_2_00BA6E32
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_0070696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 15_2_0070696E
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif Code function: 15_2_00706E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 15_2_00706E32
No contacted IP infos