
Analysis Report FRSTEnglish.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 215241
Start date: 13.03.2020
Start time: 10:30:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 3s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: FRSTEnglish.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.evad.winEXE@9/33@1/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 26.9% (good quality ratio 20.3%)
  • Quality average: 44.7%
  • Quality standard deviation: 30.9%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, MusNotifyIcon.exe, conhost.exe, VSSVC.exe, CompatTelRunner.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 205.185.216.10, 205.185.216.42, 8.238.36.126, 8.253.207.120, 8.253.95.121, 8.248.119.254, 8.241.88.126, 93.184.221.240, 67.26.139.254, 8.248.127.254, 8.238.37.126, 67.26.81.254, 8.241.121.126, 67.26.83.254, 8.248.117.254, 8.248.115.254, 8.253.95.249, 8.241.9.254, 40.90.22.183, 40.90.22.188, 40.90.22.190, 67.26.137.254, 8.253.95.120, 8.248.141.254, 13.107.4.52
  • Excluded domains from analysis (whitelisted): lgin.msa.trafficmanager.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, v4ncsi.msedge.net, wu.azureedge.net, login.msa.msidentity.com, 4-c-0003.c-msedge.net, login.live.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ncsi.4-c-0003.c-msedge.net, auto.au.download.windowsupdate.com.c.footprint.net, www.msftconnecttest.com, wu.wpc.apr-52dd2.edgecastdns.net
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Timeout during Intezer genetic analysis for /opt/package/joesandbox/database/analysis/215241/sample/FRSTEnglish.exe
  • Timeout during Intezer genetic analysis for unpackpe/0.2.FRSTEnglish.exe.7ff6271e0000.5.unpack

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Detection
Threshold | 52    | 0 - 100 |           | false       | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification Spiderchart

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

(Digits after a technique name are the report's hit-count badges, kept exactly as they were rendered; cells without a badge are the matrix's default entries and were not observed.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts 2 | Execution through API 2 | Valid Accounts 2 | Exploitation for Privilege Escalation 1 | Disabling Security Tools 1 | Input Capture 11 | System Time Discovery 2 | Remote File Copy 2 | Input Capture 11 | Data Encrypted 1 | Commonly Used Port 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Replication Through Removable Media | Graphical User Interface 22 | Application Shimming 1 | Valid Accounts 2 | Deobfuscate/Decode Files or Information 1 | Network Sniffing | Account Discovery 1 | Remote Services | Clipboard Data 2 | Exfiltration Over Other Network Medium | Remote File Copy 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Inhibit System Recovery 1
External Remote Services | Windows Management Instrumentation | Accessibility Features | Access Token Manipulation 21 | Obfuscated Files or Information 2 | Input Capture | Security Software Discovery 31 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Cryptographic Protocol 12 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | Process Injection 12 | Masquerading 1 | Credentials in Files | File and Directory Discovery 3 | Logon Scripts | Input Capture | Data Encrypted | Standard Non-Application Layer Protocol 2 | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | Application Shimming 1 | Valid Accounts 2 | Account Manipulation | System Information Discovery 26 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Application Layer Protocol 3 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Virtualization/Sandbox Evasion 1 | Brute Force | Virtualization/Sandbox Evasion 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Access Token Manipulation 21 | Two-Factor Authentication Interception | Process Discovery 3 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Process Injection 12 | Bash History | Application Window Discovery 11 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | System Owner/User Discovery 1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction
Trusted Relationship | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Scripting | Keychain | Remote System Discovery 1 | Taint Shared Content | Audio Capture | Commonly Used Port | Connection Proxy | | | Data Encrypted for Impact

Signature Overview



Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627254364 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6272536C4 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6272532C8 FindFirstFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6272611F0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62725E378 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62725E424 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,_swprintf,_swprintf,_swprintf,_swprintf,_swprintf,_swprintf,_swprintf
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62725D650 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627261724 FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627261390 FindFirstFileW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6272655A8 InternetReadFile,fwrite,fclose
Downloads files from webservers via HTTP
Source: global traffic; HTTP traffic detected: GET /farbar/up64 HTTP/1.1, User-Agent: AutoIt, Host: download.bleepingcomputer.com, Cache-Control: no-cache
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: download.bleepingcomputer.com
Urls found in memory or binary data
Source: FRSTEnglish.exe, 00000000.00000002.2484429786.00000147F3A9A000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/COMODOECCCertificationAuthority.crl0r
Source: FRSTEnglish.exe, 00000000.00000002.2484429786.00000147F3A9A000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crl0
Source: FRSTEnglish.exe, 00000000.00000002.2484429786.00000147F3A9A000.00000004.00000001.sdmp; String found in binary or memory: http://crl.trust-provider.com/AddTrustExternalCARoot.crl0:
Source: FRSTEnglish.exe, 00000000.00000002.2484429786.00000147F3A9A000.00000004.00000001.sdmp; String found in binary or memory: http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt0%
Source: FRSTEnglish.exe, 00000000.00000002.2477951608.00000147F2E7E000.00000004.00000001.sdmp; String found in binary or memory: http://download.bleepingcomputer.com/farbar/up64
Source: FRSTEnglish.exe, 00000000.00000002.2484305940.00000147F3A40000.00000004.00000001.sdmp; String found in binary or memory: http://download.bleepingcomputer.com/farbar/up64R
Source: FRSTEnglish.exe, 00000000.00000002.2484429786.00000147F3A9A000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca4.com0
Source: FRSTEnglish.exe, 00000000.00000002.2484429786.00000147F3A9A000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca4.com0T
Source: FRSTEnglish.exe, 00000000.00000002.2484429786.00000147F3A9A000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.trust-provider.com0
Source: FRSTEnglish.exe, 00000000.00000002.2481610820.00000147F3600000.00000004.00000001.sdmp; String found in binary or memory: http://search.live.com
Source: FRSTEnglish.exe, version.txt; String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: FRSTEnglish.exe, 00000000.00000002.2477854055.00000147F2E32000.00000004.00000001.sdmp; String found in binary or memory: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/a
Source: FRSTEnglish.exe, 00000000.00000002.2478509634.00000147F2FFF000.00000004.00000001.sdmp; String found in binary or memory: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
Source: SOFTWARE.0.dr; String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: SOFTWARE.0.dr; String found in binary or memory: https://accounts.google.com/o/oauth2/token
Source: SOFTWARE.0.dr; String found in binary or memory: https://api.login.yahoo.com/oauth2/get_token
Source: SOFTWARE.0.dr; String found in binary or memory: https://api.login.yahoo.com/oauth2/request_auth4
Source: SOFTWARE.0.dr; String found in binary or memory: https://apis.live.net/v5.0/me
Source: FRSTEnglish.exe, 00000000.00000002.2484249850.00000147F3A14000.00000004.00000001.sdmp; String found in binary or memory: https://download.bleepingcomputer.com/
Source: FRSTEnglish.exe, 00000000.00000002.2476059295.00000147F102E000.00000004.00000001.sdmp; String found in binary or memory: https://download.bleepingcomputer.com/dl/.
Source: FRSTEnglish.exe, 00000000.00000002.2484688180.00000147F3B3F000.00000004.00000001.sdmp; String found in binary or memory: https://download.bleepingcomputer.com/farbar/up64
Source: FRSTEnglish.exe, 00000000.00000002.2484688180.00000147F3B3F000.00000004.00000001.sdmp, FRSTEnglish.exe, 00000000.00000002.2484574464.00000147F3AF8000.00000004.00000001.sdmp; String found in binary or memory: https://download.bleepingcomputer.com/farbar/up64n
Source: FRSTEnglish.exe, 00000000.00000002.2484574464.00000147F3AF8000.00000004.00000001.sdmp; String found in binary or memory: https://download.bleepingcomputer.com/farbar/up64x
Source: SOFTWARE.0.dr; String found in binary or memory: https://login.live.com/oauth20_authorize.srf
Source: SOFTWARE.0.dr; String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: SOFTWARE.0.dr; String found in binary or memory: https://login.live.com/oauth20_token.srf
Source: SOFTWARE.0.dr; String found in binary or memory: https://login.live.comion
Source: FRSTEnglish.exe, 00000000.00000002.2484429786.00000147F3A9A000.00000004.00000001.sdmp; String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: FRSTEnglish.exe, 00000000.00000002.2484429786.00000147F3A9A000.00000004.00000001.sdmp; String found in binary or memory: https://sectigo.com/CPS0
Source: SOFTWARE.0.dr; String found in binary or memory: https://www.googleapis.com/oauth2/v2/userinfo
Uses HTTPS
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown; Network traffic detected: HTTP traffic on port 49780 -> 443
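The JA3 signature above is the MD5 of a string built from the ClientHello's legacy version, cipher suites, extension types, supported groups and EC point formats, with GREASE values dropped. The Python below is an added example, not part of the Joe Sandbox report or of FRST: it serialises a constructed ClientHello (host name, cipher and extension choices are assumptions, the random is zeroed) and recomputes JA3 from the raw bytes, then shows that a second GREASE draw leaves the fingerprint unchanged. It does not reproduce the report's hash 37f463bf4616ecd445d4a1937da06e19, because the page does not show that ClientHello. The caveat that matters for triage: the sample talks HTTPS through WinINet (InternetReadFile, User-Agent: AutoIt), so its JA3 is that of the Windows Schannel stack on this build and is shared with many benign programs; "seen with other malware" is a weak indicator on its own.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are drawn at random per connection and must not feed the fingerprint.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def ja3_from_client_hello(record: bytes):
    """Parse one TLS record carrying a ClientHello and return (ja3_string, ja3_md5)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 0
    version = int.from_bytes(body[pos:pos + 2], "big"); pos += 2   # legacy_version (771 = TLS 1.2)
    pos += 32                                                       # random
    pos += 1 + body[pos]                                            # session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    ciphers = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                            # compression_methods

    ext_types, groups, point_formats = [], [], []
    if pos < len(body):
        ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        while pos < ext_end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            ext_types.append(etype)
            if etype == 10:      # supported_groups: u16 length + u16 list
                n = int.from_bytes(data[:2], "big")
                groups = [int.from_bytes(data[i:i + 2], "big") for i in range(2, 2 + n, 2)]
            elif etype == 11:    # ec_point_formats: u8 length + u8 list
                point_formats = list(data[1:1 + data[0]])

    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    ja3 = ",".join([str(version), field(ciphers), field(ext_types), field(groups), field(point_formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def u16list(values):
    """u16 length prefix followed by u16 entries (supported_groups / signature_algorithms layout)."""
    packed = b"".join(struct.pack("!H", v) for v in values)
    return struct.pack("!H", len(packed)) + packed


def build_client_hello(version, ciphers, extensions):
    """Serialise a ClientHello (zeroed random, empty session id, null compression) into a TLS record."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    cs_blob = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", len(cs_blob)) + cs_blob
            + b"\x01\x00"
            + struct.pack("!H", len(ext_blob)) + ext_blob)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_sample(grease):
    """Constructed ClientHello (assumption, not captured from FRST): TLS 1.2 legacy version,
    one GREASE cipher/extension/group plus four real suites and four real extensions."""
    host = b"download.bleepingcomputer.com"
    sni = struct.pack("!H", 3 + len(host)) + b"\x00" + struct.pack("!H", len(host)) + host
    return build_client_hello(
        0x0303,
        [grease, 0x1301, 0x1302, 0xC02B, 0xC02F],
        [(grease, b""), (0, sni), (10, u16list([grease, 0x001D, 0x0017])),
         (11, b"\x01\x00"), (13, u16list([0x0403, 0x0804]))])


SAMPLE_CLIENT_HELLO = build_sample(0x0A0A)
SAMPLE_CLIENT_HELLO_ALT_GREASE = build_sample(0x1A1A)   # same client, different GREASE draw

if __name__ == "__main__":
    for record in (SAMPLE_CLIENT_HELLO, SAMPLE_CLIENT_HELLO_ALT_GREASE):
        ja3, digest = ja3_from_client_hello(record)
        print(ja3, digest)
```

Feed a real record to ja3_from_client_hello by slicing the first TLS record out of a pcap's client-to-server stream; the GREASE filter is what makes two connections from the same stack hash identically.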

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627267764 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627250590 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW

System Summary:

AutoIt script contains suspicious strings
Source: FRSTEnglish.exe; AutoIt Script: ware\\VMware Tools\\vmtoolsd.exe \[.+\] \(VMware.+\)
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6271FAB60 This is a third-party compiled AutoIt script.
Source: FRSTEnglish.exe; String found in binary or memory: This is a third-party compiled AutoIt script.
Source: FRSTEnglish.exe, 00000000.00000002.2502647402.00007FF6272AB000.00000002.00020000.sdmp; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: FRSTEnglish.exe; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62725B4CC GetFullPathNameW,_swprintf,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627245924 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627255344 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Detected potential crypto function
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62720E840
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62721E4E0
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6271E7110
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6271EEE80
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62726EC68
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627276D30
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6271FF6B0
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62726D5B4
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627215454
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6272073F8
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6271FA0C4
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6271E1F98
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6271EFFD0
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6271EBEA0
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627275DC0
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627219C64
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627281A80
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627202860
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6271EC790
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62726E778
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6271E24E8
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6271EA3C0
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627282248
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62727C30C
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627220168
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62726C174
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62726A228
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627217050
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627282E60
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6271EEC00
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62721ED80
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627268C68
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627280CD4
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62720EB4C
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627286AB0
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62725894C
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62724CA18
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62727F84C
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62721D8C8
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627259638
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627219678
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62720955A
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627255474
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62721D518
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62720B34C
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62725F410
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62721D250
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6272772C8
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6272031E8
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6272191D0
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62721A0C8
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627212028
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627269EB4
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627269EA4
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6271E7EF4
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627215C48
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6271FFC50
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627213B40
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62720DBF4
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6271E19E4
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: String function: 00007FF6271FF0BC appears 38 times
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: String function: 00007FF627206070 appears 71 times
PE file contains strange resources
Source: FRSTEnglish.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FRSTEnglish.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FRSTEnglish.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: FRSTEnglish.exe, 00000000.00000002.2480709782.00000147F33A6000.00000004.00000001.sdmp; Binary or memory string: Comments|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuildG vs FRSTEnglish.exe
Source: FRSTEnglish.exe, 00000000.00000002.2476974342.00000147F2CF0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemswsock.dll.muij% vs FRSTEnglish.exe
Source: FRSTEnglish.exe, 00000000.00000002.2477016266.00000147F2D30000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs FRSTEnglish.exe
Source: FRSTEnglish.exe, 00000000.00000002.2484688180.00000147F3B3F000.00000004.00000001.sdmp; Binary or memory string: OriginalFilename vs FRSTEnglish.exe
Source: FRSTEnglish.exe, 00000000.00000002.2493398738.00000147F5ED0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameimageres.DLLj% vs FRSTEnglish.exe
Source: FRSTEnglish.exe, 00000000.00000002.2475427549.00000147F0EAB000.00000004.00000001.sdmp; Binary or memory string: Comments|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild vs FRSTEnglish.exe
Source: FRSTEnglish.exe, 00000000.00000002.2484574464.00000147F3AF8000.00000004.00000001.sdmp; Binary or memory string: \StringFileInfo\080904B0\OriginalFilename4-194312298-1002 vs FRSTEnglish.exe
Source: FRSTEnglish.exe, 00000000.00000002.2476259131.00000147F2820000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameuser32j% vs FRSTEnglish.exe
Source: FRSTEnglish.exe, 00000000.00000002.2476246460.00000147F2810000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameimageres.DLL.MUIj% vs FRSTEnglish.exe
Binary contains paths to development resources
Source: SOFTWARE.0.dr; Binary or memory string: Microsoft.Vbe.Interop.VBProjectClass
Source: SOFTWARE.0.dr; Binary or memory string: .vbproj
Source: SOFTWARE.0.dr; Binary or memory string: Microsoft.Vbe.Interop.VBProjectsClass
Source: SOFTWARE.0.dr; Binary or memory string: .csproj
Classification label
Source: classification engine; Classification label: mal52.evad.winEXE@9/33@1/1
Contains functionality for error logging
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62725B364 GetLastError,FormatMessageW
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6272457A8 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62724609C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62725CD20 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF627253854 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF62726E778 CoInitializeSecurity,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Code function: 0_2_00007FF6271FB390 ftell,CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Creates files inside the user directory
Source: C:\Users\user\Desktop\FRSTEnglish.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC
Creates mutexes
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3924:120:WilError_01
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1288:120:WilError_01
Creates temporary files
Source: C:\Users\user\Desktop\FRSTEnglish.exe; File created: C:\Users\user\AppData\Local\Temp\aut3D51.tmp
PE file has an executable .text section and no other executable section
Source: FRSTEnglish.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\FRSTEnglish.exe; File read: C:\$Recycle.Bin\S-1-5-21-58933367-3072710494-194312298-1002\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\Desktop\FRSTEnglish.exe; File read: C:\Windows\System32\drivers\etc\hosts
SQL strings found in memory and binary data
Source: FRSTEnglish.exe, 00000000.00000002.2478378294.00000147F2F85000.00000004.00000001.sdmp; Binary or memory string: Select * From moz_perms;
Spawns processes
Source: unknown; Process created: C:\Users\user\Desktop\FRSTEnglish.exe 'C:\Users\user\Desktop\FRSTEnglish.exe'
Source: unknown; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c echo 2
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Windows\System32\bcdedit.exe C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c echo 2
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\bcdedit.exe C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
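The process tree above (FRSTEnglish.exe -> cmd.exe -> bcdedit.exe) is the most likely source of the "Inhibit System Recovery" badge in the matrix, yet "bcdedit /export C:\FRST\Hives\BCD" only copies the boot configuration store to disk; the ATT&CK T1490 behaviour worth paging on is "bcdedit /set ... recoveryenabled no" or "bootstatuspolicy ignoreallfailures". The Python below is an added example, not part of the report or of Joe Sandbox: it rebuilds parent-child chains from constructed Sysmon-style process-creation events (the PIDs, the explorer.exe parent and the whole second "payload.exe" chain are assumptions made for contrast, not observations from this analysis), flags every bcdedit.exe launch and grades it so the analyst sees the full ancestry and a severity instead of a bare technique hit. The three-level severity scale is this example's own convention.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 carries the same four fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events. The first chain mirrors the tree in the report above; PIDs are made up.
# The payload.exe chain is a constructed contrast case and was NOT observed by the sandbox.
SAMPLE_EVENTS = [
    ProcEvent(4012, 3100, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(5220, 4012, r"C:\Users\user\Desktop\FRSTEnglish.exe", r"'C:\Users\user\Desktop\FRSTEnglish.exe'"),
    ProcEvent(5304, 5220, r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\cmd.exe /c echo 2"),
    ProcEvent(5312, 5304, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(5388, 5220, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD"),
    ProcEvent(5396, 5388, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(5404, 5388, r"C:\Windows\System32\bcdedit.exe", r"C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD"),
    ProcEvent(6100, 4012, r"C:\Users\user\AppData\Local\Temp\payload.exe", "payload.exe"),
    ProcEvent(6108, 6100, r"C:\Windows\System32\bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled no"),
]

# Recovery-inhibiting bcdedit forms (T1490). Anything else that is not read-only is "medium".
HIGH_RISK = (
    re.compile(r"recoveryenabled\s+no", re.I),
    re.compile(r"bootstatuspolicy\s+ignoreallfailures", re.I),
    re.compile(r"/deletevalue\b", re.I),
)
READ_ONLY = {"/export", "/enum"}


def basename(path: str) -> str:
    """Windows basename that works on any host (os.path.basename will not split backslashes on Linux)."""
    return path.rsplit("\\", 1)[-1].lower()


def severity(cmdline: str) -> str:
    if any(p.search(cmdline) for p in HIGH_RISK):
        return "high"
    if READ_ONLY & set(cmdline.lower().split()):
        return "low"
    return "medium"


def ancestry(by_pid: dict, pid: int) -> list:
    """Root-first list of image names from the oldest known ancestor down to pid; cycle-safe."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def find_bcdedit(events: list) -> list:
    """One finding per bcdedit.exe launch: pid, graded severity, ancestry chain and command line."""
    by_pid = {e.pid: e for e in events}
    return [
        {"pid": e.pid, "severity": severity(e.cmdline),
         "chain": ancestry(by_pid, e.pid), "cmdline": e.cmdline}
        for e in events if basename(e.image) == "bcdedit.exe"
    ]


if __name__ == "__main__":
    for f in find_bcdedit(SAMPLE_EVENTS):
        print(f["severity"].upper(), " -> ".join(f["chain"]), "|", f["cmdline"])
```

Matching on the bcdedit.exe image rather than on the string "bcdedit" in any command line avoids double-counting the cmd.exe wrapper and the child it spawns; the chain still shows the wrapper.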
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Writes ini files
Source: C:\Users\user\Desktop\FRSTEnglish.exe; File written: C:\FRST\Logs\ct.ini
Found graphical window changes (likely an installer)
Source: Window Recorder; Window detected: More than 3 window changes detected
Found window with many clickable UI elements (buttons, textforms, scrollbars etc)
Source: C:\Users\user\Desktop\FRSTEnglish.exe; Window detected: Number of UI elements: 17
PE file has a high image base, often used for DLLs
Source: FRSTEnglish.exe; Static PE information: Image base 0x140000000 > 0x60000000
Submission file is bigger than most known malware samples
Source: FRSTEnglish.exe; Static file information: File size 2279936 > 1048576
PE file has a big raw section
Source: FRSTEnglish.exe; Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x145400
PE file contains a mix of data directories often seen in goodware
Source: FRSTEnglish.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: FRSTEnglish.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: FRSTEnglish.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: FRSTEnglish.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: FRSTEnglish.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: FRSTEnglish.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: FRSTEnglish.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
PE file contains a debug data directory
Source: FRSTEnglish.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
PE file contains a valid data directory to section mapping
Source: FRSTEnglish.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: FRSTEnglish.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: FRSTEnglish.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: FRSTEnglish.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: FRSTEnglish.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF62724AC80 LoadLibraryA,GetProcAddress, 0_2_00007FF62724AC80
PE file contains an invalid checksum
Source: FRSTEnglish.exe | Static PE information: real checksum: 0x230e00 should be: 0x235524
Source: sqlite3_x64.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x1140d6
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF627206709 push 8B490002h; ret 0_2_00007FF627206716
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF6271ED690 push rax; retf 0000h 0_2_00007FF6271ED691
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF6271ED68C push rax; retf 0000h 0_2_00007FF6271ED68D
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF62720D6B9 push rdi; ret 0_2_00007FF62720D6C2
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF62720DBCD push rdi; ret 0_2_00007FF62720DBD4

Persistence and Installation Behavior:

Uses bcdedit to modify the Windows boot settings
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
Drops PE files
Source: C:\Users\user\Desktop\FRSTEnglish.exe | File created: C:\FRST\bin\sqlite3_x64.dll

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF6271FA0C4 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00007FF6271FA0C4
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF62727D0D4 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00007FF62727D0D4
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF6272073F8 RtlEncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00007FF6272073F8
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Window / User API: threadDelayed 5549
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Window / User API: foregroundWindowGot 449
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Window / User API: foregroundWindowGot 1343
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Dropped PE file which has not been started: C:\FRST\bin\sqlite3_x64.dll
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-107653
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\FRSTEnglish.exe | API coverage: 9.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\FRSTEnglish.exe TID: 396 | Thread sleep time: -55490s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Checks the free space of hard drives
Source: C:\Users\user\Desktop\FRSTEnglish.exe | File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF627254364 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00007FF627254364
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF6272536C4 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00007FF6272536C4
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF6272532C8 FindFirstFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00007FF6272532C8
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF6272611F0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose, 0_2_00007FF6272611F0
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF62725E378 FindFirstFileW,FindClose, 0_2_00007FF62725E378
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF62725E424 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,_swprintf,_swprintf,_swprintf,_swprintf,_swprintf,_swprintf,_swprintf, 0_2_00007FF62725E424
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF62725D650 FindFirstFileW,FindNextFileW,FindClose, 0_2_00007FF62725D650
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF627261724 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00007FF627261724
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF627261390 FindFirstFileW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose, 0_2_00007FF627261390
Contains functionality to query system information
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF6271F9ED8 GetVersionExW,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_00007FF6271F9ED8
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: FRSTEnglish.exe, 00000000.00000002.2483794286.00000147F38F2000.00000004.00000001.sdmp | Binary or memory string: \\Program Files\\VMware\\VMware Tools\\vmrawdsk.sys \[.+\] \(VMware, Inc. -> VMware.+\)\v{2})\v{2}2K
Source: bcdedit.exe, 00000009.00000002.2074915211.0000022244240000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: FRSTEnglish.exe, 00000000.00000002.2483968304.00000147F396E000.00000004.00000001.sdmp | Binary or memory string: \\Program Files\\VMware\\VMware Tools\\TPVCGateway.exe \[.+\] \(ThinPrint.+\)\v{2}
Source: FRSTEnglish.exe, 00000000.00000002.2478960893.00000147F3154000.00000004.00000001.sdmp | Binary or memory string: (?i):\\Windows\\SysWOW64\\(ctfmon|vmnetdhcp|vmnat)\.exe
Source: FRSTEnglish.exe, 00000000.00000002.2483812966.00000147F38FE000.00000004.00000001.sdmp | Binary or memory string: \\Program Files(| \(x86\))\\VMware\\(VMware Player|VMware Workstation)\\vmware-authd.exe \[.+\] \(VMware.+\)\v{2}{2}9F
Source: FRSTEnglish.exe, 00000000.00000002.2483846390.00000147F3914000.00000004.00000001.sdmp | Binary or memory string: (?i)[RSU][1234] VMTools; y;
Source: FRSTEnglish.exe, 00000000.00000002.2484173001.00000147F39E2000.00000004.00000001.sdmpBinary or memory string: (?i)[RSU][1234] (wlidsvc|PrintWorkflowUserSvc|PushToInstall|SharedRealitySvc|WarpJITSvc|SshProxy|SshBroker|SEMgrSvc|TokenBroker|WFDSConMgrSvc|XboxGipSvc|TimeBrokerSvc|tzautoupdate|W3SVC|w3logsvc|XboxNetApiSvc|XblGameSave|XblAuthManager|WalletService|vmicvmsession|UserDataSvc|UnistoreSvc|StateRepository|RetailDemo|PimIndexMaintenanceSvc|OneSyncSvc|UserTrustedSignals|UserManager|UnistoreService|WpnService|TPAutoConnSvc|TPVCGateway|UserDataService|tiledatamodelsvc|THREADORDER|SmsRouter|RetailDemo|PhoneSvc|SensorService|p2psvc|vmicguestinterface|ScDeviceEnum|WEPHOSTSVC|workfolderssvc|smphost|p2pimsvc|PNRPsvc|PcaSvc|PeerDistSvc|WiaRpc|Wcmsvc|WSService|SystemEventsBroker|vmicheartbeat|vmickvpexchange|vmicrdv|vmicshutdown|vmictimesync|TimeBroker|pla|DeviceInstall|PlugPlay|PNRPAutoReg|PolicyAgent|Power|ProfSvc|QWAVE|RasAuto|RasMan|RemoteAccess|RemoteRegistry|RpcEpMap|RpcEptMapper|RpcSs|SCardSvr|Schedule|SCPolicySvc|SDRSVC|SENS|SensrSvc|SessionEnv|SharedAccess|ShellHWDetection|seclogon|SLUINotify|sppuinotify|SSDPSRV|SstpSvc|StiSvc|StorSvc|swprv|SysMain|TabletInputService|TapiSrv|TBS|TermService|Themes|TrkWks|UmRdpService|upnphost|UxSms|W32Time|WbioSrvc|WcesComm|wcncsvc|WcsPlugInService|WdiServiceHost|WdiSystemHost|WebClient|Wecsvc|wercplsupport|WerSvc|WinHttpAutoProxySvc|WinRM|Wlansvc|WPCSvc|WPDBusEnum|wscsvc|wuauserv|wudfsvc|WwanSvc); ["]*fg|Devices
Source: FRSTEnglish.exe, 00000000.00000002.2484429786.00000147F3A9A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: FRSTEnglish.exe, 00000000.00000002.2483526690.00000147F383C000.00000004.00000001.sdmp | Binary or memory string: (?i)[RSU][1234] VMware NAT Service; vice;
Source: FRSTEnglish.exe, 00000000.00000002.2483968304.00000147F396E000.00000004.00000001.sdmp | Binary or memory string: \\Program Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe \[.+\] \(ThinPrint.+\)\v{2}v{2}L
Source: bcdedit.exe, 00000009.00000002.2074915211.0000022244240000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: FRSTEnglish.exe, 00000000.00000002.2483373782.00000147F37DA000.00000004.00000001.sdmp | Binary or memory string: \\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe \[.+\] \(VMware.+\)\v{2}
Source: SOFTWARE.0.dr | Binary or memory string: Hyper-V Application Health Monitor
Source: FRSTEnglish.exe, 00000000.00000002.2484111841.00000147F39C0000.00000004.00000001.sdmp | Binary or memory string: \\Windows\\SysWow64\\vmnat.exe \[.+\] \(VMware.+\)\v{2}
Source: FRSTEnglish.exe, 00000000.00000002.2483733820.00000147F38BC000.00000004.00000001.sdmp | Binary or memory string: \\Windows\\SysWow64\\vmnetdhcp.exe \[.+\] \(VMware.+\)\v{2}
Source: FRSTEnglish.exe, 00000000.00000002.2483812966.00000147F38FE000.00000004.00000001.sdmp | Binary or memory string: \\Program Files(| \(x86\))\\VMware\\VMware Workstation\\vstor2-ws60.sys \[.+\] \(VMware, Inc. -> VMware.+\)\v{2}yF
Source: FRSTEnglish.exe, 00000000.00000002.2484111841.00000147F39C0000.00000004.00000001.sdmp | Binary or memory string: \\Program Files\\VMware\\VMware Tools\\VMUpgradeHelper.exe /service \[.+\] \(VMware.+\)\v{2}Hq
Source: FRSTEnglish.exe, 00000000.00000002.2483812966.00000147F38FE000.00000004.00000001.sdmp | Binary or memory string: (?i)[RSU][1234] (osrss|wisvc|VacSvc|WaaSMedicSvc|WpcMonSvc|vmicvss|RmSvc|shpamsvc|vmicrdv|wisvc|WpnUserService); ["]*
Source: FRSTEnglish.exe, 00000000.00000002.2483690232.00000147F38A8000.00000004.00000001.sdmp | Binary or memory string: \\Windows\\SysWow64\\Drivers\\vstor2-mntapi10-shared.sys \[.+\] \(VMware, Inc. -> VMware.+\)\v{2}{2}
Source: FRSTEnglish.exe, 00000000.00000002.2483846390.00000147F3914000.00000004.00000001.sdmp | Binary or memory string: (?i)[RSU][1234] VMnetDHCP; e; 6
Source: FRSTEnglish.exe, 00000000.00000002.2484574464.00000147F3AF8000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWP
Source: FRSTEnglish.exe, 00000000.00000002.2483885606.00000147F3936000.00000004.00000001.sdmpBinary or memory string: (?i)[RSU][01234] (VMSMP|WinQuic|SgrmAgent|WdmCompanionFilter|VMSP|vmsproxy|VMSVSF|VMSVSP|WinNat|UcmTcpciCx\d+|UevAgentDriver|wcnfs|vmgid|volume|wcifs|xinputhid|xboxgip|xusb22|vhf|wdiwifi|Wof|vdrvroot|VX3000|vga|VgaSave|vhdmp|WUDFSensorLP|WUDFWpdMtp|viaagp|ViaC7|Vid|VerifierExt|WFPLWFS|wpcfltr|WpdUpFltr|WUDFWpdFs|vpci|vmbus|VMBusHID|vmm|vpcivsp|vmbusr|volmgr|volmgrx|vpcbus|VPCNetS2|vpcnfltr|vpcusb|vpcuxd|vpcvmm|WpdUsb|vwifibus|vwififlt|vwifimp|WacomPen|WANARP|Wanarpv6|Wd|Wdf01000|WfpLwf|WimFltr|WIMMount|WinUsb|WpdUsb|ws2ifsl|WmiAcpi|WSDPrintDevice|WSDScan|WudfPf|WUDFRd|VX1000|VX6000|xnacc|xwvskpdi|xusb21|zmhtrqla); usbhu
Source: FRSTEnglish.exe, 00000000.00000002.2483812966.00000147F38FE000.00000004.00000001.sdmp | Binary or memory string: \\Program Files(| \(x86\))\\Common Files\\VMware\\USB\\vmware-usbarbitrato(r|r76|r64).exe \[.+\] \(VMware.+\)\v{2}
Source: bcdedit.exe, 00000009.00000002.2074915211.0000022244240000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: FRSTEnglish.exe, 00000000.00000002.2483885606.00000147F3936000.00000004.00000001.sdmp | Binary or memory string: \\Windows\\System32\\Drivers\\(hcmon|vm3dmp|VMAUDIO|vmci|vmdebug|vmhgfs|vmkbd|vmmouse|VMnetAdapter|VMnetBridge|VMnetuserif|vmusb|vmwvusb|vmx86|vstor2-mntapi10-shared).sys \[.+\] \(VMware, Inc. -> VMware.*\)\v{2}LWUSB|RT
Source: FRSTEnglish.exe, 00000000.00000002.2483885606.00000147F3936000.00000004.00000001.sdmp | Binary or memory string: \\Program Files\\VMware\\VMware Tools\\Drivers\\memctl\\vmmemctl.sys \[.+\] \(VMware, Inc. -> VMware.+\)\v{2}
Source: FRSTEnglish.exe, 00000000.00000002.2483885606.00000147F3936000.00000004.00000001.sdmpBinary or memory string: \\Windows\\System32\\DRIVERS\\(WinQuic|SgrmAgent|WdmCompanionFilter|Wof|vdrvroot|vga|vgapnp|vhdmp|viaagp|VerifierExt|WFPLWFS|wpcfltr|WpdUpFltr|WUDFWpdFs|ViaC7|vmbus|vpcivsp|VMBusHID|vmm|vmbusr|volmgr|volmgrx|vpchbus|vpcnfltr|vpcusb|vpcuxd|VMNetSrv|vpcvmm|WpdUsb|vwifibus|VX3000|vwififlt|vwifimp|WacomPen|WANARP|Wd|Wdf01000|WfpLwf|WimFltr|WIMMount|WinUsb|WmiAcpi|WpdUsb|ws2ifsl|xusb22|vhf|wdiwifi|WSDPrint|WSDScan|WudfPf|WUDFRd|VX1000|vpci|VX6000Xp|xnacc|xwvskpdi|Vid|WUDFRd|xusb21|zmhtrqla|xboxgip|xinputhid|UevAgentDriver|wcnfs|vmgid|volume|wcifs|UcmTcpciCx|WinNat|vmswitch|vmsproxy|vmswitch).sys \[.+\] \(Microsoft.+ -> Microsoft.+\)\v{2}
Source: FRSTEnglish.exe, 00000000.00000002.2483846390.00000147F3914000.00000004.00000001.sdmp | Binary or memory string: (?i)[RSU][01234] VMMEMCTL;
Source: FRSTEnglish.exe, 00000000.00000002.2483885606.00000147F3936000.00000004.00000001.sdmp | Binary or memory string: (?i)[RSU][01234] (hcmon|vm3dmp|VMAUDIO|vmci|vmdebug|vmhgfs|vmkbd|vmmouse|VMnetAdapter|VMnetBridge|VMnetuserif|vmusb|vmwvusb|vmx86|vstor2-mntapi10-shared);
Source: FRSTEnglish.exe, 00000000.00000002.2484173001.00000147F39E2000.00000004.00000001.sdmp | Binary or memory string: \\Program Files\\VMware\\VMware View\\Client\\bin\\(wsnm|wsnm_usbctrl).exe.* \[.+\] \(VMware.+\)\v{2}
Source: bcdedit.exe, 00000009.00000002.2074915211.0000022244240000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Users\user\Desktop\FRSTEnglish.exe | API call chain: ExitProcess graph end node | graph_0-107821
Queries a list of all running processes
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF6272676F8 BlockInput, 0_2_00007FF6272676F8
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF6271FAB60 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00007FF6271FAB60
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF6272217D0 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_00007FF6272217D0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF62724AC80 LoadLibraryA,GetProcAddress, 0_2_00007FF62724AC80
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF6272104D8 GetProcessHeap, 0_2_00007FF6272104D8
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF62721AA9C terminate,SetUnhandledExceptionFilter, 0_2_00007FF62721AA9C
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF627211F94 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF627211F94

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF627245924 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00007FF627245924
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF6271FAB60 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00007FF6271FAB60
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF6271FA0C4 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00007FF6271FA0C4
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF627269054 mouse_event, 0_2_00007FF627269054
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c echo 2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF6272450BC GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00007FF6272450BC
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF6272549B0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00007FF6272549B0
May try to detect the Windows Explorer process (often used for injection)
Source: FRSTEnglish.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: FRSTEnglish.exe, 00000000.00000002.2476105332.00000147F13D0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: FRSTEnglish.exe | Binary or memory string: Shell_TrayWnd
Source: FRSTEnglish.exe, 00000000.00000002.2476105332.00000147F13D0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: FRSTEnglish.exe, 00000000.00000002.2476105332.00000147F13D0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF627217600 cpuid 0_2_00007FF627217600
Queries the volume information (name, serial number etc.) of a device
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF627229AF0 GetLocalTime,_swprintf, 0_2_00007FF627229AF0
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF627229B1D GetUserNameW, 0_2_00007FF627229B1D
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF627219C64 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson, 0_2_00007FF627219C64
Contains functionality to query Windows version
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF6271F9ED8 GetVersionExW,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_00007FF6271F9ED8

Stealing of Sensitive Information:

OS version to string mapping found (often used in BOTs)
Source: FRSTEnglish.exe | Binary or memory string: WIN_81
Source: FRSTEnglish.exe | Binary or memory string: WIN_XP
Source: FRSTEnglish.exe | Binary or memory string: WIN_XPe
Source: FRSTEnglish.exe | Binary or memory string: WIN_VISTA
Source: FRSTEnglish.exe | Binary or memory string: WIN_7
Source: FRSTEnglish.exe | Binary or memory string: WIN_8
Source: FRSTEnglish.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF62726A524 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00007FF62726A524
Source: C:\Users\user\Desktop\FRSTEnglish.exe | Code function: 0_2_00007FF62726AC1C socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00007FF62726AC1C

Malware Configuration

No configs have been found

Behavior Graph

Behavior Graph ID: 215241 | Sample: FRSTEnglish.exe | Startdate: 13/03/2020 | Architecture: WINDOWS | Score: 52

Top-level signatures:

  • AutoIt script contains suspicious strings
  • Binary is likely a compiled AutoIt script file
  • Uses bcdedit to modify the Windows boot settings

Process tree (counts as shown in the graph):

  • FRSTEnglish.exe (59) started
    • DNS/IP: download.bleepingcomputer.com 104.20.129.30, 443, 49779, 49780, unknown, United States
    • Dropped file: C:\FRST\bin\sqlite3_x64.dll, PE32+
    • Signature: Binary is likely a compiled AutoIt script file
    • cmd.exe (1) started
      • Signature: Uses bcdedit to modify the Windows boot settings
      • bcdedit.exe (72, 2) started
      • conhost.exe started
    • cmd.exe (1) started
      • conhost.exe started

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
FRSTEnglish.exe | 3% | Virustotal |
FRSTEnglish.exe | 0% | Metadefender |

Dropped Files

Source | Detection | Scanner | Label
C:\FRST\bin\sqlite3_x64.dll | 0% | Virustotal |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://sectigo.com/CPS0 | 0% | Virustotal |
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://ocsp.comodoca4.com0T | 0% | Avira URL Cloud | safe
http://ocsp.comodoca4.com0 | 0% | URL Reputation | safe
http://crl.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crl0 | 0% | Virustotal |
http://crl.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crl0 | 0% | Avira URL Cloud | safe
http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt0% | 0% | Virustotal |
http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt0% | 0% | Avira URL Cloud | safe
https://apis.live.net/v5.0/me | 0% | Virustotal |
https://apis.live.net/v5.0/me | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
104.20.129.30 | FRSTEnglish.exe | malicious | download.bleepingcomputer.com/farbar/up64

Domains

Match | Associated Sample Name / URL | Detection | Context
download.bleepingcomputer.com | ComboFix (1).exe | malicious | 104.20.128.30
download.bleepingcomputer.com | FRSTEnglish.exe | malicious | 104.20.128.30
download.bleepingcomputer.com | FRSTEnglish.exe | malicious | 104.20.129.30

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\FRST\bin\sqlite3_x64.dll | FRSTEnglish.exe | malicious

Screenshots

Thumbnails
