Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe
Analysis ID:	1546294
MD5:	3722d2ad2f7e099039229456b7472711
SHA1:	c47a0ee5139f2da6f90dd3f84b447c3bc3553c67
SHA256:	b45d4d18149c6ba9966559208f3c5303dd9b20eeb43d5cf75aba272f2021364e
Tags:	Amadeyexe
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Sigma detected: Execution from Suspicious Folder

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: WScript or CScript Dropper

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Abnormal high CPU Usage

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found large amount of non-executed APIs

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\Public\Documents\calibre-launcher.dll

Avira: detection malicious, Label: TR/Dldr.Deyma.haljq

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Documents\calibre-launcher.dll

ReversingLabs: Detection: 66%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 45.202.35.101 45.202.35.101

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://s.symcd.com06
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: https://calibre-ebook.com
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: https://www.digicert.com/CPS0

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Abnormal high CPU Usage

Source: C:\Users\Public\Documents\calibre.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8948D0 NtWriteFile,WaitForSingleObject,		0_2_00007FF63B8948D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8947B0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError,		0_2_00007FF63B8947B0

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8517B0	0_2_00007FF63B8517B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8C64F0	0_2_00007FF63B8C64F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B858500	0_2_00007FF63B858500
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B89E530	0_2_00007FF63B89E530
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B87F520	0_2_00007FF63B87F520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8D1450	0_2_00007FF63B8D1450
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8E9490	0_2_00007FF63B8E9490
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B996CB2	0_2_00007FF63B996CB2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B853410	0_2_00007FF63B853410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B857400	0_2_00007FF63B857400
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B887C30	0_2_00007FF63B887C30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B858C20	0_2_00007FF63B858C20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8A1370	0_2_00007FF63B8A1370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B885B70	0_2_00007FF63B885B70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B89F310	0_2_00007FF63B89F310
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B880240	0_2_00007FF63B880240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85AAA0	0_2_00007FF63B85AAA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8DC9D0	0_2_00007FF63B8DC9D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85CA10	0_2_00007FF63B85CA10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8E3970	0_2_00007FF63B8E3970
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B882180	0_2_00007FF63B882180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8648F0	0_2_00007FF63B8648F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85E0F0	0_2_00007FF63B85E0F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85C935	0_2_00007FF63B85C935
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85A130	0_2_00007FF63B85A130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8CB880	0_2_00007FF63B8CB880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B9987CF	0_2_00007FF63B9987CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B88D7E0	0_2_00007FF63B88D7E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8DB760	0_2_00007FF63B8DB760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8E5F90	0_2_00007FF63B8E5F90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85BF90	0_2_00007FF63B85BF90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B884EC0	0_2_00007FF63B884EC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85D637	0_2_00007FF63B85D637
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8DAE80	0_2_00007FF63B8DAE80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85D6A8	0_2_00007FF63B85D6A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85B550	0_2_00007FF63B85B550
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B857D70	0_2_00007FF63B857D70

PE file contains more sections than normal

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static PE information: Number of sections : 11 > 10

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, 00000000.00000000.2110369412.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamecalibre.exe0 vs SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Binary or memory string: OriginalFilenamecalibre.exe0 vs SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Source: classification engine

Classification label: mal100.expl.evad.winEXE@6/6@0/1

Source: C:\Users\Public\Documents\calibre.exe

Code function: 4_2_000B121C GetProcAddress,GetLastError,FormatMessageW,LocalFree,

4_2_000B121C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

File created: C:\Users\Public\Documents\calibre.exe

Jump to behavior

Source: C:\Users\Public\Documents\calibre.exe	Mutant created: \Sessions\1\BaseNamedObjects\vDbXW
Source: C:\Users\Public\Documents\calibre.exe	Mutant created: \Sessions\1\BaseNamedObjects\2f985c58743b38fb2171f673f820cbba

Source: C:\Users\Public\Documents\calibre.exe

File created: C:\Users\user\AppData\Local\Temp\WikG.zip

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

ReversingLabs: Detection: 47%

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	String found in binary or memory: Failed to get the calibre-launcher dll entry point
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	String found in binary or memory: calibre-launcher.dll
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	String found in binary or memory: Failed to load: calibre-launcher.dll
Source: calibre.exe	String found in binary or memory: calibre-launcher.dll
Source: calibre.exe	String found in binary or memory: Failed to get the calibre-launcher dll entry point
Source: calibre.exe	String found in binary or memory: Failed to load: calibre-launcher.dll
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	String found in binary or memory: calibre.execalibre-launcher.dllMZ
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	String found in binary or memory: Installation directory path too longExecutable path has no path separatorsapp\bin%sFailed to set DLL directoryucrtbase.dllUnable to find ucrtbase.dll. You should install all Windows updates on your computer to get this file.calibre-launcher.dllFailed to load: calibre-launcher.dllexecute_python_entrypointFailed to get the calibre-launcher dll entry pointsimple_printcalibrecalibre.gui_launch

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Process created: C:\Users\Public\Documents\calibre.exe C:\Users\Public\Documents\calibre.exe
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\CalibreLauncher.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\Documents\calibre.exe "C:\Users\Public\Documents\calibre.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Process created: C:\Users\Public\Documents\calibre.exe C:\Users\Public\Documents\calibre.exe	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\Documents\calibre.exe "C:\Users\Public\Documents\calibre.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: calibre-launcher.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: calibre-launcher.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\Public\Documents\calibre.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static file information: File size 3107319 > 1048576

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x200200

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\Documents\calibre.exe

Code function: 4_2_000B108C GetModuleFileNameW,wsprintfW,SetDllDirectoryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_000B108C

PE file contains sections with non-standard names

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Static PE information: section name: .xdata
Source: calibre-launcher.dll.0.dr	Static PE information: section name: .eh_fram

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	File created: C:\Users\Public\Documents\calibre-launcher.dll			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	File created: C:\Users\Public\Documents\calibre.exe			Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\Public\Documents\calibre.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Calibre.url

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\Public\Documents\calibre.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Calibre.url

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 180000	Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

API coverage: 5.1 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\Public\Documents\calibre.exe TID: 5444	Thread sleep time: -6000000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe TID: 5432	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe TID: 1628	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe TID: 1628	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe TID: 5444	Thread sleep time: -30000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\Public\Documents\calibre.exe

Last function: Thread delayed

Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: wscript.exe, 00000003.00000002.2250035011.000001DDF2591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0
Source: wscript.exe, 00000003.00000002.2250035011.000001DDF2591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000003.00000002.2250035011.000001DDF2591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Users\Public\Documents\calibre.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\Documents\calibre.exe

Code function: 4_2_000B108C GetModuleFileNameW,wsprintfW,SetDllDirectoryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_000B108C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B851180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,		0_2_00007FF63B851180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63BB01B88 SetUnhandledExceptionFilter,		0_2_00007FF63BB01B88

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

NtWriteFile: Indirect: 0x7FF63B894946

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe

Process created: C:\Users\Public\Documents\calibre.exe "C:\Users\Public\Documents\calibre.exe"

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Queries volume information: C:\Users\Public\Documents VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\Public\Documents VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\Public\Documents\calibre.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Searches for user specific document files

Source: C:\Windows\System32\wscript.exe

Directory queried: C:\Users\Public\Documents

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.202.35.101	unknown	Seychelles		139086	ONL-HKOCEANNETWORKLIMITEDHK	false

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\Public\Documents\calibre-launcher.dll

Avira: detection malicious, Label: TR/Dldr.Deyma.haljq

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Documents\calibre-launcher.dll

ReversingLabs: Detection: 66%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 45.202.35.101 45.202.35.101

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://s.symcd.com06
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: https://calibre-ebook.com
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: https://www.digicert.com/CPS0

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Abnormal high CPU Usage

Source: C:\Users\Public\Documents\calibre.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8948D0 NtWriteFile,WaitForSingleObject,		0_2_00007FF63B8948D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8947B0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError,		0_2_00007FF63B8947B0

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8517B0	0_2_00007FF63B8517B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8C64F0	0_2_00007FF63B8C64F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B858500	0_2_00007FF63B858500
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B89E530	0_2_00007FF63B89E530
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B87F520	0_2_00007FF63B87F520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8D1450	0_2_00007FF63B8D1450
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8E9490	0_2_00007FF63B8E9490
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B996CB2	0_2_00007FF63B996CB2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B853410	0_2_00007FF63B853410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B857400	0_2_00007FF63B857400
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B887C30	0_2_00007FF63B887C30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B858C20	0_2_00007FF63B858C20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8A1370	0_2_00007FF63B8A1370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B885B70	0_2_00007FF63B885B70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B89F310	0_2_00007FF63B89F310
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B880240	0_2_00007FF63B880240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85AAA0	0_2_00007FF63B85AAA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8DC9D0	0_2_00007FF63B8DC9D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85CA10	0_2_00007FF63B85CA10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8E3970	0_2_00007FF63B8E3970
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B882180	0_2_00007FF63B882180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8648F0	0_2_00007FF63B8648F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85E0F0	0_2_00007FF63B85E0F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85C935	0_2_00007FF63B85C935
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85A130	0_2_00007FF63B85A130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8CB880	0_2_00007FF63B8CB880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B9987CF	0_2_00007FF63B9987CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B88D7E0	0_2_00007FF63B88D7E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8DB760	0_2_00007FF63B8DB760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8E5F90	0_2_00007FF63B8E5F90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85BF90	0_2_00007FF63B85BF90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B884EC0	0_2_00007FF63B884EC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85D637	0_2_00007FF63B85D637
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8DAE80	0_2_00007FF63B8DAE80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85D6A8	0_2_00007FF63B85D6A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85B550	0_2_00007FF63B85B550
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B857D70	0_2_00007FF63B857D70

PE file contains more sections than normal

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static PE information: Number of sections : 11 > 10

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, 00000000.00000000.2110369412.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamecalibre.exe0 vs SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Binary or memory string: OriginalFilenamecalibre.exe0 vs SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Source: classification engine

Classification label: mal100.expl.evad.winEXE@6/6@0/1

Source: C:\Users\Public\Documents\calibre.exe

Code function: 4_2_000B121C GetProcAddress,GetLastError,FormatMessageW,LocalFree,

4_2_000B121C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

File created: C:\Users\Public\Documents\calibre.exe

Jump to behavior

Source: C:\Users\Public\Documents\calibre.exe	Mutant created: \Sessions\1\BaseNamedObjects\vDbXW
Source: C:\Users\Public\Documents\calibre.exe	Mutant created: \Sessions\1\BaseNamedObjects\2f985c58743b38fb2171f673f820cbba

Source: C:\Users\Public\Documents\calibre.exe

File created: C:\Users\user\AppData\Local\Temp\WikG.zip

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

ReversingLabs: Detection: 47%

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	String found in binary or memory: Failed to get the calibre-launcher dll entry point
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	String found in binary or memory: calibre-launcher.dll
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	String found in binary or memory: Failed to load: calibre-launcher.dll
Source: calibre.exe	String found in binary or memory: calibre-launcher.dll
Source: calibre.exe	String found in binary or memory: Failed to get the calibre-launcher dll entry point
Source: calibre.exe	String found in binary or memory: Failed to load: calibre-launcher.dll
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	String found in binary or memory: calibre.execalibre-launcher.dllMZ
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	String found in binary or memory: Installation directory path too longExecutable path has no path separatorsapp\bin%sFailed to set DLL directoryucrtbase.dllUnable to find ucrtbase.dll. You should install all Windows updates on your computer to get this file.calibre-launcher.dllFailed to load: calibre-launcher.dllexecute_python_entrypointFailed to get the calibre-launcher dll entry pointsimple_printcalibrecalibre.gui_launch

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Process created: C:\Users\Public\Documents\calibre.exe C:\Users\Public\Documents\calibre.exe
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\CalibreLauncher.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\Documents\calibre.exe "C:\Users\Public\Documents\calibre.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Process created: C:\Users\Public\Documents\calibre.exe C:\Users\Public\Documents\calibre.exe	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\Documents\calibre.exe "C:\Users\Public\Documents\calibre.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: calibre-launcher.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: calibre-launcher.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\Public\Documents\calibre.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static file information: File size 3107319 > 1048576

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x200200

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\Documents\calibre.exe

Code function: 4_2_000B108C GetModuleFileNameW,wsprintfW,SetDllDirectoryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_000B108C

PE file contains sections with non-standard names

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Static PE information: section name: .xdata
Source: calibre-launcher.dll.0.dr	Static PE information: section name: .eh_fram

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	File created: C:\Users\Public\Documents\calibre-launcher.dll			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	File created: C:\Users\Public\Documents\calibre.exe			Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\Public\Documents\calibre.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Calibre.url

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\Public\Documents\calibre.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Calibre.url

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 180000	Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

API coverage: 5.1 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\Public\Documents\calibre.exe TID: 5444	Thread sleep time: -6000000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe TID: 5432	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe TID: 1628	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe TID: 1628	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe TID: 5444	Thread sleep time: -30000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\Public\Documents\calibre.exe

Last function: Thread delayed

Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: wscript.exe, 00000003.00000002.2250035011.000001DDF2591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0
Source: wscript.exe, 00000003.00000002.2250035011.000001DDF2591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000003.00000002.2250035011.000001DDF2591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Users\Public\Documents\calibre.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\Documents\calibre.exe

Code function: 4_2_000B108C GetModuleFileNameW,wsprintfW,SetDllDirectoryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_000B108C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B851180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,		0_2_00007FF63B851180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63BB01B88 SetUnhandledExceptionFilter,		0_2_00007FF63BB01B88

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

NtWriteFile: Indirect: 0x7FF63B894946

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe

Process created: C:\Users\Public\Documents\calibre.exe "C:\Users\Public\Documents\calibre.exe"

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Queries volume information: C:\Users\Public\Documents VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\Public\Documents VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\Public\Documents\calibre.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Searches for user specific document files

Source: C:\Windows\System32\wscript.exe

Directory queried: C:\Users\Public\Documents

Jump to behavior

ID:	1546294
Product:	CloudBasic
Start time:	18:26:06
Start date:	31.10.2024
Sample:	SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	3722d2ad2f7e099039229456b7472711
SHA1:	c47a0ee5139f2da6f90dd3f84b447c3bc3553c67
SHA256:	b45d4d18149c6ba9966559208f3c5303dd9b20eeb43d5cf75aba272f2021364e
Filetype:	MS Flight Simulator Gauge (35075/8) 68.65%

Name	Type	MD5	SHA1	SHA256
C:\Users\Public\Documents\CalibreLauncher.js	ASCII text	8486D6BD6C65F7FAB3BDF24FD9B715CB	2937534C0F81BB1F0E7D217F2DC0BACD1C89FCE9	537AB7D9F2E639C83D0E1AA672A2D0D8556E6EB12CEB41A7897C907A5D3479DC
C:\Users\Public\Documents\calibre-launcher.dll	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows	374FBD650936435626A9940406662FFD	D7FD20E2B2805883EB97BD383CCB24E8B62FEA32	4B7B5BC7B0D1F70ADF6B80390F1273723C409B837C9575EE1CD4B963CF9E5C7D
C:\Users\Public\Documents\calibre.exe	PE32 executable (GUI) Intel 80386, for MS Windows	853D888553D002A04484C098A3D7045F	D275AB06CC89DB7293F9575D24DD83DCB41F56CA	64BDDE10CFFF243A25B021296773816057DB1620DF56EBD4DB9178DCB88D2EAA
C:\Users\user\AppData\Local\Temp\246122658369	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3	EAB97AFF6E10A22D48E96558366CA74C	5EB08EF394278512532F556C368AB35CCBBA5510	D4A20B50D5DC218798A7633B36A017C64B9ED30E6BD542D065C32A16BA33B153
C:\Users\user\AppData\Local\Temp\WikG.zip	Zip archive data, at least v2.0 to extract, compression method=deflate	6BC43168B53411F432B1FC8D811E2E50	64FF05095F5AD2CBE5ECEA8E8DCE50FC53A373E5	4067D756583BB1BEC8D76E83E6252F50BDD2E84BDAA7DC90AB891AC719F8654D
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Calibre.url	MS Windows 95 Internet shortcut text (URL=<file:///C:\Users\Public\Documents\CalibreLauncher.js>), ASCII text	B57269D59D51FFF22FB523B705A783C4	EAFD4DFB619C55616C2EB09C5EFFD8A97DF39BBA	B5D078FC21D1724F04CABAA1792F5250819C7F892A9958EE775ED7B81374F47C

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Windows Analysis Report SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe