
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1523781
MD5: db7b43084f7a44e3290774e36d49ce41
SHA1: 1e1321a6e0c6f63b719daccdacbde4a10547021e
SHA256: a6da6ca04ee56f1e10dc25c07f938300fff7b3c1b50abe925b5f2b10b084216b
Tags: exe, user-Bitsight

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
AI detected suspicious sample
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • file.exe (PID: 2504 cmdline: "C:\Users\user\Desktop\file.exe" MD5: DB7B43084F7A44E3290774E36D49CE41)
    • cmd.exe (PID: 1368 cmdline: "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 3428 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 2872 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 824 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 2008 cmdline: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 2688 cmdline: cmd /c md 182349 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 5752 cmdline: findstr /V "RefundAlienConservativeChapters" Coral MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 6640 cmdline: cmd /c copy /b ..\Cause + ..\Shopper + ..\Edges + ..\Zinc + ..\Correlation + ..\Wearing + ..\Provision + ..\Res l MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Beginners.pif (PID: 7092 cmdline: Beginners.pif l MD5: 18CE19B57F43CE0A5AF149C96AECC685)
        • cmd.exe (PID: 1900 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 1460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 5996 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • wscript.exe (PID: 2416 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • TradeHub.scr (PID: 1460 cmdline: "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\z" MD5: 18CE19B57F43CE0A5AF149C96AECC685)
  • cleanup
No configs have been found
No yara matches
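The process tree above is the whole story of this sample: an NSIS installer (file.exe) runs a renamed batch file, which greps tasklist output for security-product process names, reassembles a payload from innocuously named chunks with copy /b, runs it through Beginners.pif (the same SHA256 as TradeHub.scr and carrying autoitscript.com strings, so almost certainly the AutoIt3 interpreter with the concatenated script "l" as its argument), and persists by writing a Startup-folder .url that points at TradeHub.js, which WScript then runs at the next logon. The following detector replays those command lines as process-creation events and flags each stage. It is an added example, not part of the Joe Sandbox report: the event schema (pid, ppid, image, cmd) and the security-product attribution of the grepped process names are my own assumptions, and the events are constructed from the Classification tree.

```python
"""Replay of the report's process tree as process-creation events, with a
detector for the stages of this dropper chain. Added example, not part of the
Joe Sandbox report; the event fields (pid, ppid, image, cmd) are an assumed
schema and the events are constructed from the Classification tree above."""
import re
from typing import Dict, List, Tuple

# Process names the batch script greps for. The product attribution is my own
# annotation, not something the report states.
AV_PROCESS_HINTS: Dict[str, str] = {
    "wrsa": "Webroot", "opssvc": "Quick Heal", "avastui": "Avast",
    "avgui": "AVG", "bdservicehost": "Bitdefender",
    "nswscsvc": "Norton", "sophoshealth": "Sophos",
}
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf")
ODD_EXE_EXT = (".pif", ".scr", ".com")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"

Event = Dict[str, object]
Finding = Tuple[int, str, str]  # (pid, kind, detail)

# Constructed from the report. PID 1460 is reused there (conhost.exe and
# TradeHub.scr); only the .scr is kept so the pid map stays unique, which is
# why real telemetry should be keyed on (pid, creation time), not pid alone.
EVENTS: List[Event] = [
    {"pid": 2504, "ppid": 0, "image": r"C:\Users\user\Desktop\file.exe",
     "cmd": r'"C:\Users\user\Desktop\file.exe"'},
    {"pid": 1368, "ppid": 2504, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat'},
    {"pid": 2872, "ppid": 1368, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmd": 'findstr /I "wrsa opssvc"'},
    {"pid": 2008, "ppid": 1368, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmd": 'findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"'},
    {"pid": 6640, "ppid": 1368, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r"cmd /c copy /b ..\Cause + ..\Shopper + ..\Edges + ..\Zinc l"},
    {"pid": 7092, "ppid": 1368,
     "image": r"C:\Users\user\AppData\Local\Temp\182349\Beginners.pif",
     "cmd": "Beginners.pif l"},
    {"pid": 1900, "ppid": 7092, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": (r'cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming'
             r'\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & '
             r'echo URL="C:\Users\user\AppData\Local\TradeOptimize Dynamics'
             r'\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft'
             r'\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit')},
    {"pid": 5996, "ppid": 1368, "image": r"C:\Windows\SysWOW64\choice.exe",
     "cmd": "choice /d y /t 5"},
    {"pid": 2416, "ppid": 2580, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": (r'"C:\Windows\System32\WScript.exe" '
             r'"C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js"')},
    {"pid": 1460, "ppid": 2416,
     "image": r"C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr",
     "cmd": (r'"C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr" '
             r'"C:\Users\user\AppData\Local\TradeOptimize Dynamics\z"')},
]


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def lineage(events: List[Event], pid: int) -> List[str]:
    """Walk ppid links upward and return image basenames, child first."""
    by_pid = {e["pid"]: e for e in events}
    chain: List[str] = []
    while pid in by_pid:
        e = by_pid[pid]
        chain.append(str(e["image"]).rsplit("\\", 1)[-1])
        pid = int(e["ppid"])
    return chain


def analyze(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for e in events:
        pid, cmd, image = int(e["pid"]), str(e["cmd"]), str(e["image"])
        low, img = cmd.lower(), image.lower()
        # AV discovery: per-process telemetry does not show the pipe from
        # tasklist, so the findstr argument list is the discriminating signal.
        if img.endswith("findstr.exe"):
            hits = sorted({v for k, v in AV_PROCESS_HINTS.items() if k in low})
            if hits:
                findings.append((pid, "av_discovery", ", ".join(hits)))
        # Payload reassembled from innocuously named chunks with copy /b.
        if re.search(r"\bcopy\s+/b\b.*\+", low):
            findings.append((pid, "chunk_concat", cmd))
        # Executable with a disguised extension running from a writable path;
        # report its parent chain so the dropper is visible in the alert.
        if img.endswith(ODD_EXE_EXT) and is_user_writable(img):
            findings.append((pid, "odd_ext_exec", " <- ".join(lineage(events, pid))))
        # Startup-folder .url written by shell redirection; record its target.
        if STARTUP_DIR in low and ".url" in low and ">" in cmd:
            m = re.search(r'URL="([^"]+)"', cmd, re.I)
            findings.append((pid, "startup_url_persistence", m.group(1) if m else cmd))
        # WScript/CScript running a script from a user-writable directory.
        if img.endswith(("wscript.exe", "cscript.exe")):
            for arg in re.findall(r'"([^"]+)"', cmd):
                if arg.lower().endswith(SCRIPT_EXT) and is_user_writable(arg):
                    findings.append((pid, "script_host_user_dir", arg))
        # choice /t N used as a sleep between stages (sandbox-timing trick).
        if re.search(r"\bchoice\b.*/t\s+\d+", low):
            findings.append((pid, "timed_delay", cmd))
    return findings


if __name__ == "__main__":
    for pid, kind, detail in analyze(EVENTS):
        print(f"{pid:>5}  {kind:<26} {detail}")
```

Each rule on its own is noisy (findstr, copy /b and choice are all legitimate), so in production the value comes from correlating them under one parent cmd.exe, which is exactly what the lineage walk makes possible; the findstr rule is also the one that needs maintenance, since the process-name list changes with every campaign.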

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" , ProcessId: 2416, ProcessName: wscript.exe
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: Beginners.pif l, CommandLine: Beginners.pif l, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1368, ParentProcessName: cmd.exe, ProcessCommandLine: Beginners.pif l, ProcessId: 7092, ProcessName: Beginners.pif
Source: File created; Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif, ProcessId: 7092, TargetFilename: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif, ProcessId: 7092, TargetFilename: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" , ProcessId: 2416, ProcessName: wscript.exe

Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 1900, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url
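The persistence artifact behind this Sigma match is a plain INI file: the two echo commands in the process tree write "[InternetShortcut]" and "URL=..." into the per-user Startup folder, and cmd.exe copies the surrounding double quotes and the trailing space before each redirect into the file verbatim. Windows still resolves the shortcut (the report shows WScript launching TradeHub.js from it), so a triage script has to tolerate that sloppiness. The parser below is an added example, not part of the report: the sample text is constructed to match what those echo commands produce, the benign entry is invented, and the list of suspicious extensions is my own choice.

```python
"""Triage of Startup-folder .url shortcuts. Added example, not part of the
Joe Sandbox report. SAMPLE_URL is constructed to match what the report's two
echo commands write (literal quotes, trailing spaces); BENIGN_URL is invented."""
import configparser
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Tuple

# Extensions that should never be the target of a Startup .url (my choice).
SUSPECT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".bat", ".cmd",
               ".ps1", ".exe", ".scr", ".pif", ".com", ".dll")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

SAMPLE_URL = (  # constructed: what "echo ... >" and "echo ... >>" leave behind
    "[InternetShortcut] \n"
    "URL=\"C:\\Users\\user\\AppData\\Local\\TradeOptimize Dynamics\\TradeHub.js\" \n"
)
BENIGN_URL = "[InternetShortcut]\nURL=https://example.com/\n"  # constructed


@dataclass
class Verdict:
    target: str
    local: bool
    suspicious: bool
    reason: str


def shortcut_target(text: str) -> str:
    """Return the URL= value of an InternetShortcut file with quotes stripped."""
    cp = configparser.ConfigParser(interpolation=None)  # paths contain no %, but be safe
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        raise ValueError("not an [InternetShortcut] file")
    return cp.get("InternetShortcut", "URL", fallback="").strip().strip('"')


def local_path(target: str) -> str:
    """Map a drive path, UNC path or file: URL to a Windows path; '' if remote."""
    t = target.strip()
    if t.lower().startswith("file:"):
        t = t[5:].lstrip("/").replace("/", "\\")
    if re.match(r"^[A-Za-z]:\\", t) or t.startswith("\\\\"):
        return t
    return ""


def classify(text: str) -> Verdict:
    target = shortcut_target(text)
    path = local_path(target)
    if not path:
        return Verdict(target, False, False, "remote URL")
    p = path.lower()
    if p.endswith(SUSPECT_EXT):
        reason = "local script/executable target"
        if any(m in p for m in USER_WRITABLE):
            reason += " in a user-writable directory"
        return Verdict(target, True, True, reason)
    return Verdict(target, True, False, "local non-executable target")


def scan_contents(files: Dict[str, str]) -> List[Tuple[str, Verdict]]:
    """Classify a name -> file-text mapping; unparseable files are flagged too."""
    out: List[Tuple[str, Verdict]] = []
    for name, text in files.items():
        try:
            out.append((name, classify(text)))
        except (ValueError, configparser.Error) as exc:
            out.append((name, Verdict("", False, True, f"unparseable: {exc}")))
    return out


def scan_startup(folder: Path) -> List[Tuple[str, Verdict]]:
    """Read every *.url in a Startup folder and classify it."""
    texts = {p.name: p.read_text(errors="replace") for p in folder.glob("*.url")}
    return scan_contents(texts)


if __name__ == "__main__":
    for name, v in scan_contents({"TradeHub.url": SAMPLE_URL, "Docs.url": BENIGN_URL}):
        print(f"{name}: suspicious={v.suspicious} ({v.reason}) -> {v.target}")
```

For a live host, point scan_startup at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (the folder used here) and at the all-users Startup folder under ProgramData; a .url whose target is a local script in AppData has no legitimate reason to exist and is a high-confidence indicator on its own, independent of the process telemetry.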

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1368, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 2008, ProcessName: findstr.exe
No Suricata rule has matched


AV Detection

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; VirusTotal: Detection: 10%
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; VirusTotal: Detection: 10%
Source: file.exe; VirusTotal: Detection: 16%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 97.5% probability
Source: file.exe; Joe Sandbox ML: detected
Source: file.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004062D5 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00402E18 FindFirstFileW
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00114005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_0011494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00113CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_0011C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_0011CD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_0011CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_0011F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_0011F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_0011FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DC4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DC494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DCC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DCCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DCCD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DCF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DCF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DCFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DC3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\182349\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\182349
Source: unknown; DNS traffic detected: query: bsQfWYzSEObgoEYPHvZYAafhPH.bsQfWYzSEObgoEYPHvZYAafhPH, reply code: Name error (3)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (seen twice)
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_001229BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic; DNS traffic detected: DNS query: bsQfWYzSEObgoEYPHvZYAafhPH.bsQfWYzSEObgoEYPHvZYAafhPH
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: file.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000000.1687736473.0000000000179000.00000002.00000001.01000000.00000006.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr, 0000000F.00000002.3506982744.0000000000E29000.00000002.00000001.01000000.00000008.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Sp.0.dr; String found in binary or memory: https://www.globalsign.com/repository/0
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: https://www.globalsign.com/repository/06
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00124830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DD4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00124632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_0013D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DED164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

System Summary

Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00114254 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00108F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00115778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DC5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\file.exe; File created: C:\Windows\AdoptionSections
Source: C:\Users\user\Desktop\file.exe; File created: C:\Windows\AdvisorUsb
Source: C:\Users\user\Desktop\file.exe; File created: C:\Windows\ProminentSavings
Source: C:\Users\user\Desktop\file.exe; File created: C:\Windows\ValuablePeninsula
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0040497C
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00406ED2
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000BB020
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000B94E0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000B9C80
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000D23F5
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00138400
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000E6502
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000E265E
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000BE6F0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000D282A
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000E89BF
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00130A3A
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000E6A74
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000C0BE0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000DCD51
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_0010EDB2
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00118E44
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00130EB7
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000E6FE6
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000D33B7
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000DF409
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000CD45D
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000CF628
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000B1663
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000BF6A0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000D16B4
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000D78C3
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000D1BA8
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000DDBA5
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000E9CE5
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000CDD28
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000D1FC0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000DBFD6
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D6B020
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D694E0
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D69C80
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D823F5
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DE8400
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D96502
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D6E6F0
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D9265E
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D8282A
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D989BF
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D96A74
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DE0A3A
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D70BE0
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DBEDB2
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D8CD51
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DE0EB7
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DC8E44
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D96FE6
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D833B7
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D7D45D
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D8F409
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D816B4
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D6F6A0
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D61663
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D7F628
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D878C3
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D81BA8
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D8DBA5
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D99CE5
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D7DD28
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D8BFD6
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00D81FC0
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: String function: 00D71A36 appears 34 times
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: String function: 00D80D17 appears 70 times
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: String function: 00D88B30 appears 42 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 004062A3 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: String function: 000C1A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: String function: 000D0D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: String function: 000D8B30 appears 42 times
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal92.expl.evad.winEXE@28/18@2/0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_0011A6AD GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_00108DE9 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_00109399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: 15_2_00DB8DE9 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: 15_2_00DB9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_00114148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004024FB CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_0011443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | File created: C:\Users\user\AppData\Local\TradeOptimize Dynamics
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1460:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4584:120:WilError_03
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\nsn1295.tmp
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 16%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
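The rows above record four behaviours that are worth encoding as triage checks rather than reading off by hand: a sample whose PE version resource carries OriginalFilename AutoIt3.exe while it runs as file.exe (a renamed AutoIt interpreter), one SHA-256 dropped first as Beginners.pif in Temp and again as TradeHub.scr under AppData\Local, a cmd.exe line that renames an extensionless drop to Sunset.bat and runs it in the same invocation, and tasklist.exe enumerating Win32_Process over WMI under that process chain. The script below is an added example, not part of the Joe Sandbox report. The event records are constructed from the rows above (the parent of tasklist.exe is assumed to be the cmd.exe instance, which the report does not state), and the check functions are my own, not a Joe Sandbox or Sigma rule.

```python
"""Added example, not part of the Joe Sandbox report: triage checks for the
behaviours recorded in the rows above, run over constructed event records."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed from the report rows above; the parent of tasklist.exe is an
# assumption (the report does not state which process spawned it).
PROCESS_EVENTS = [
    {"image": r"C:\Users\user\Desktop\file.exe", "original_filename": "AutoIt3.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Users\user\Desktop\file.exe"},
    {"image": r"C:\Windows\SysWOW64\cmd.exe", "original_filename": "Cmd.Exe",
     "parent": r"C:\Users\user\Desktop\file.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat'},
    {"image": r"C:\Windows\SysWOW64\tasklist.exe", "original_filename": "tasklist.exe",
     "parent": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "tasklist"},
]
DROPPED_FILES = [
    {"path": r"C:\Users\user\AppData\Local\Temp\182349\Beginners.pif",
     "sha256": "D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD"},
    {"path": r"C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr",
     "sha256": "D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD"},
]

# Interpreters whose PE OriginalFilename should match the on-disk name.
# AutoIt3.exe is the one the report shows; extend the set as you see fit.
KNOWN_INTERPRETERS = {"autoit3.exe"}
DISGUISE_EXTENSIONS = {".pif", ".scr", ".com"}
USER_WRITABLE_MARKERS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")
MOVE_AND_RUN = re.compile(
    r"\bmove\s+(?P<src>\S+)\s+(?P<dst>\S+\.bat)\s*&+\s*(?P=dst)\b", re.IGNORECASE)


def basename(path):
    return PureWindowsPath(path).name.lower()


def renamed_interpreters(events):
    """Images whose version resource names a known interpreter but whose file
    name differs: file.exe carrying OriginalFilename AutoIt3.exe."""
    return [ev["image"] for ev in events
            if ev.get("original_filename", "").lower() in KNOWN_INTERPRETERS
            and basename(ev["image"]) != ev["original_filename"].lower()]


def disguised_executables(files):
    """Drops with a legacy executable extension (.pif/.scr/.com) written to a
    user-writable location; both drops in the report match."""
    return [f["path"] for f in files
            if PureWindowsPath(f["path"]).suffix.lower() in DISGUISE_EXTENSIONS
            and any(m in f["path"].lower() for m in USER_WRITABLE_MARKERS)]


def duplicate_drops(files):
    """SHA-256 values seen under more than one path: the same payload staged in
    Temp and copied into a persistence directory under a new name."""
    by_hash = defaultdict(list)
    for f in files:
        by_hash[f["sha256"].lower()].append(f["path"])
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


def move_then_run_batch(cmdline):
    """True for 'move X X.bat & X.bat': rename an extensionless drop to .bat and
    execute it in the same cmd.exe invocation."""
    return MOVE_AND_RUN.search(cmdline) is not None


def ancestry(event, events):
    """Image paths from the event up to its root, following parent links.
    Keyed by image path, which is unique in these constructed events."""
    by_image = {ev["image"]: ev for ev in events}
    chain, cur = [], event
    while cur is not None and cur["image"] not in chain:
        chain.append(cur["image"])
        cur = by_image.get(cur.get("parent"))
    return chain


def process_enum_under_renamed_interpreter(events):
    """tasklist.exe (which enumerates Win32_Process over WMI, as the report
    shows) started anywhere below a renamed interpreter."""
    renamed = set(renamed_interpreters(events))
    return [ev["cmdline"] for ev in events
            if basename(ev["image"]) == "tasklist.exe"
            and any(a in renamed for a in ancestry(ev, events))]


if __name__ == "__main__":
    print("renamed interpreters:", renamed_interpreters(PROCESS_EVENTS))
    print("disguised executables:", disguised_executables(DROPPED_FILES))
    print("duplicate drops:", duplicate_drops(DROPPED_FILES))
    for ev in PROCESS_EVENTS:
        if move_then_run_batch(ev["cmdline"]):
            print("move-and-run batch:", ev["cmdline"])
    print("process enumeration:", process_enum_under_renamed_interpreter(PROCESS_EVENTS))
```

None of these checks is conclusive on its own: tasklist.exe always issues that Win32_Process query, and a .scr in AppData can be a legitimate screensaver. Their value here is in the combination, which is why the process-enumeration check is keyed to the renamed-interpreter finding through the parent chain instead of firing on the WMI query alone.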