Windows Analysis Report
Copyright_Infringement_Evidence.exe

Overview

General Information

Sample name: Copyright_Infringement_Evidence.exe
Analysis ID: 1528565
MD5: de2b7ec32d3a5c530e5a1aa6f2b27b16
SHA1: 83c3c02a1c5746882094939ed4f1ab61954ff8f0
SHA256: 0cf06c833517acebaebf18e5b36edccb4903a112117dbee1a19f9b76c7a7b36f
Tags: exeuser-SquiblydooBlog

Detection

Score: 45
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Initial sample is a PE file and has a suspicious name
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Searches for user specific document files
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: Copyright_Infringement_Evidence.exe ReversingLabs: Detection: 36%
Source: Copyright_Infringement_Evidence.exe Virustotal: Detection: 36%
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Code function: 0_2_00007FF6F37AF110 BCryptGenRandom,SystemFunction036,BCryptGenRandom,SystemFunction036, 0_2_00007FF6F37AF110
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Code function: 0_2_00007FF6F3823050 DecryptMessage, 0_2_00007FF6F3823050
Source: Copyright_Infringement_Evidence.exe Static PE information: certificate valid
Source: Copyright_Infringement_Evidence.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: Copyright_Infringement_Evidence.pdb source: Copyright_Infringement_Evidence.exe
Source: Joe Sandbox View IP Address: 96.17.64.189
Source: Copyright_Infringement_Evidence.exe, 00000000.00000003.2109417660.0000027288C6C000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2229274058.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2109482035.0000027288C6D000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2148092042.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2159295573.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2109528029.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2109279747.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2229786855.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000002.2231084790.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2109279747.0000027288BFC000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2160002982.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2109528029.0000027288BFD000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2229055221.0000027288C49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.52.240.233/data/1p_stc.js
Source: Copyright_Infringement_Evidence.exe, 00000000.00000003.2229274058.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2148092042.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2159295573.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2109528029.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2109279747.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2229786855.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000002.2231084790.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2160002982.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2229055221.0000027288C49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.52.240.233/data/1p_stc.js8
Source: Copyright_Infringement_Evidence.exe, 00000000.00000003.2159295573.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2160002982.0000027288C49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.52.240.233/data/1p_stc.jsh
Source: Copyright_Infringement_Evidence.exe, 00000000.00000003.2159295573.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2160002982.0000027288C49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.52.240.233/data/1p_stc.jst
Source: Copyright_Infringement_Evidence.exe, 00000000.00000003.2159295573.0000027288C49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.52.240.233/data/1p_stc.js~
Source: Copyright_Infringement_Evidence.exe, 00000000.00000003.2229055221.0000027288C49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.52.240.233/data/1x_stc.js
Source: Copyright_Infringement_Evidence.exe, 00000000.00000003.2229274058.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2148092042.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2159295573.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2109528029.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2109279747.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2229786855.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000002.2231084790.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2160002982.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2229055221.0000027288C49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.52.240.233/data/1x_stc.js%
Source: Copyright_Infringement_Evidence.exe, 00000000.00000003.2229274058.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2229786855.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000002.2231084790.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2229055221.0000027288C49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.52.240.233/data/1x_stc.jsZ
Source: Copyright_Infringement_Evidence.exe, 00000000.00000003.2229274058.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2229786855.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000002.2231084790.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2229055221.0000027288C49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.52.240.233/data/1x_stc.jsk
Source: Copyright_Infringement_Evidence.exe, 00000000.00000003.2229274058.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2229786855.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000002.2231084790.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2229055221.0000027288C49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.52.240.233/data/1x_stc.js~
Source: Copyright_Infringement_Evidence.exe, 00000000.00000003.2159858256.0000027288BF7000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2109417660.0000027288C6C000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2229274058.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2109482035.0000027288C6D000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000002.2230343770.0000027288BF7000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2148092042.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2159295573.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2109528029.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2109279747.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2229786855.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000002.2231084790.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2109279747.0000027288BFC000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2160002982.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2153022905.0000027288BF7000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2109528029.0000027288BFD000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2229055221.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2152900914.0000027288BF6000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2229274058.0000027288BF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.52.240.233/data/privacy_policy.pdf
Source: Copyright_Infringement_Evidence.exe, 00000000.00000003.2148092042.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2159295573.0000027288C49000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2160002982.0000027288C49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://65.52.240.233/data/privacy_policy.pdfr
Source: Copyright_Infringement_Evidence.exe String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
Source: Copyright_Infringement_Evidence.exe String found in binary or memory: http://cevcsca2021.ocsp-certum.com07
Source: infringing_content.pdf.0.dr String found in binary or memory: http://copyright.cornell.edu/)
Source: Copyright_Infringement_Evidence.exe String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: Copyright_Infringement_Evidence.exe String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Copyright_Infringement_Evidence.exe String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: infringing_content.pdf.0.dr String found in binary or memory: http://fairuse.stanford.edu/)
Source: Copyright_Infringement_Evidence.exe String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Copyright_Infringement_Evidence.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Copyright_Infringement_Evidence.exe String found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
Source: Copyright_Infringement_Evidence.exe String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: Copyright_Infringement_Evidence.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Copyright_Infringement_Evidence.exe String found in binary or memory: http://subca.ocsp-certum.com02
Source: Copyright_Infringement_Evidence.exe String found in binary or memory: http://www.certum.pl/CPS0
Source: 2D85F72862B55C4EADD9E66E06947F3D0.5.dr String found in binary or memory: http://x1.i.lencr.org/
Source: Copyright_Infringement_Evidence.exe, 00000000.00000003.2148092042.0000027288BFA000.00000004.00000020.00020000.00000000.sdmp, infringing_content.pdf.0.dr String found in binary or memory: https://ccsearch.creativecommons.org/)
Source: Copyright_Infringement_Evidence.exe, 00000000.00000003.2148092042.0000027288BFA000.00000004.00000020.00020000.00000000.sdmp, infringing_content.pdf.0.dr String found in binary or memory: https://copyright.columbia.edu/index.html)
Source: Copyright_Infringement_Evidence.exe, 00000000.00000003.2148092042.0000027288BFA000.00000004.00000020.00020000.00000000.sdmp, infringing_content.pdf.0.dr String found in binary or memory: https://creativecommons.org/)
Source: Copyright_Infringement_Evidence.exe String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: Copyright_Infringement_Evidence.exe, 00000000.00000003.2148092042.0000027288BFA000.00000004.00000020.00020000.00000000.sdmp, infringing_content.pdf.0.dr String found in binary or memory: https://drive.google.com/file/d/0BxyQzf2unIzKM0FMZ2pydklwMWc/view)
Source: Copyright_Infringement_Evidence.exe, 00000000.00000002.2230343770.0000027288BDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdoge.ru/test/config.json
Source: Copyright_Infringement_Evidence.exe, 00000000.00000002.2230343770.0000027288BDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdoge.ru/test/config.jsonS
Source: Copyright_Infringement_Evidence.exe, 00000000.00000002.2230343770.0000027288BDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdoge.ru/test/config.json_
Source: infringing_content.pdf.0.dr String found in binary or memory: https://www.bu.edu/academics/policies/intellectual-property-policy/)
Source: Copyright_Infringement_Evidence.exe String found in binary or memory: https://www.certum.pl/CPS0
Source: Copyright_Infringement_Evidence.exe String found in binary or memory: https://www.globalsign.com/repository/0

System Summary

Source: initial sample Static PE information: Filename: Copyright_Infringement_Evidence.exe
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Code function: 0_2_00007FF6F38FA4C8 NtWriteFile,FreeCredentialsHandle, 0_2_00007FF6F38FA4C8
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Code function: 0_2_00007FF6F38FA4A0 NtCreateFile,FreeCredentialsHandle, 0_2_00007FF6F38FA4A0
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Code function: 0_2_00007FF6F38945F0 NtCancelIoFileEx,RtlNtStatusToDosError, 0_2_00007FF6F38945F0
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Code function: String function: 00007FF6F38F8F30 appears 148 times
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Code function: String function: 00007FF6F38F9030 appears 104 times
Source: Copyright_Infringement_Evidence.exe Binary string: \Device\Afd\Mio
Source: Copyright_Infringement_Evidence.exe Binary string: Failed to open \Device\Afd\Mio:
Source: classification engine Classification label: mal45.winEXE@20/48@0/3
Source: infringing_content.pdf.0.dr Initial sample: https://copyright.columbia.edu/index.html
Source: infringing_content.pdf.0.dr Initial sample: http://copyright.cornell.edu/
Source: infringing_content.pdf.0.dr Initial sample: https://creativecommons.org/
Source: infringing_content.pdf.0.dr Initial sample: https://drive.google.com/file/d/0BxyQzf2unIzKM0FMZ2pydklwMWc/view
Source: infringing_content.pdf.0.dr Initial sample: https://www.bu.edu/academics/policies/intellectual-property-policy/
Source: infringing_content.pdf.0.dr Initial sample: http://fairuse.stanford.edu/
Source: infringing_content.pdf.0.dr Initial sample: https://ccsearch.creativecommons.org/
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe File created: C:\Users\Public\Documents\infringing_content.pdf
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2544:120:WilError_03
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-10-07 20-08-04-931.log
Source: Copyright_Infringement_Evidence.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\cmd.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Copyright_Infringement_Evidence.exe ReversingLabs: Detection: 36%
Source: Copyright_Infringement_Evidence.exe Virustotal: Detection: 36%
Source: Copyright_Infringement_Evidence.exe String found in binary or memory: /load_hpack; header malformed -- pseudo not at head of block`
Source: unknown Process created: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe "C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe"
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C start C:\Users\Public\Documents\infringing_content.pdf
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Documents\infringing_content.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1676,i,12330115841079905350,6086354628428383365,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C start C:\Users\Public\Documents\infringing_content.pdf
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Documents\infringing_content.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1676,i,12330115841079905350,6086354628428383365,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\cmd.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\cmd.exe Section loaded: slc.dll
Source: C:\Windows\System32\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\System32\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sfc_os.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Copyright_Infringement_Evidence.exe Static PE information: certificate valid
Source: Copyright_Infringement_Evidence.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Copyright_Infringement_Evidence.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Copyright_Infringement_Evidence.exe Static file information: File size 2215688 > 1048576
Source: Copyright_Infringement_Evidence.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x158800
Source: Copyright_Infringement_Evidence.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Copyright_Infringement_Evidence.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Copyright_Infringement_Evidence.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Copyright_Infringement_Evidence.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Copyright_Infringement_Evidence.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Copyright_Infringement_Evidence.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Copyright_Infringement_Evidence.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Copyright_Infringement_Evidence.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Copyright_Infringement_Evidence.pdb source: Copyright_Infringement_Evidence.exe
Source: Copyright_Infringement_Evidence.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Copyright_Infringement_Evidence.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Copyright_Infringement_Evidence.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Copyright_Infringement_Evidence.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Copyright_Infringement_Evidence.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (98).png
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe API coverage: 9.2 %
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Code function: 0_2_00007FF6F38BF700 GetSystemInfo, 0_2_00007FF6F38BF700
Source: Copyright_Infringement_Evidence.exe, 00000000.00000003.2159295573.0000027288BFD000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2148092042.0000027288BFE000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2160002982.0000027288BFD000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2229055221.0000027288BFD000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2229786855.0000027288C01000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2109279747.0000027288BFC000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2109528029.0000027288BFD000.00000004.00000020.00020000.00000000.sdmp, Copyright_Infringement_Evidence.exe, 00000000.00000003.2229274058.0000027288BFD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Code function: 0_2_00007FF6F38FA298 CloseHandle,SetUnhandledExceptionFilter, 0_2_00007FF6F38FA298
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C start C:\Users\Public\Documents\infringing_content.pdf
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Documents\infringing_content.pdf"
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Code function: 0_2_00007FF6F38EC7CC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF6F38EC7CC
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\cmd.exe Directory queried: C:\Users\Public\Documents
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Code function: 0_2_00007FF6F38940C0 bind, 0_2_00007FF6F38940C0
Source: C:\Users\user\Desktop\Copyright_Infringement_Evidence.exe Code function: 0_2_00007FF6F38D6DF0 getsockname,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00007FF6F38D6DF0