Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Joe Sandbox ML: detected
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb,,)GCTL source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Code function: 0_2_00406555 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Code function: 0_2_0040287E FindFirstFileW,
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Code function: 0_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
String found in binary or memory: http://ocsp.digicert.com0C
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
String found in binary or memory: http://ocsp.digicert.com0O
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
String found in binary or memory: http://www.digicert.com/CPS0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
String found in binary or memory: https://www.digicert.com/CPS0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
String found in binary or memory: https://www.globalsign.com/repository/0
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Code function: 0_2_004054B0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: OriginalFilenameAsOpenFile.exeL vs REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Code function: 0_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Code function: 0_2_004068DA
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Code function: 0_2_00404CED
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Process Stats: CPU usage > 98%
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine
Classification label: mal64.troj.evad.winEXE@1/4@0/0
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Code function: 0_2_00404771 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
Source: Yara match
File source: 00000000.00000002.830514930.00000000030F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match
File source: 00000000.00000002.830075184.0000000000694000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
File created: C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\AsOpenFile.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
File created: C:\Users\user\AppData\Local\Temp\nsgC6C9.tmp\System.dll
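The static indicators listed in this report (the #U00b7 spelling of the lure name, the nsis.sf.net error string and the nsXXXX.tmp\System.dll drop, the OriginalFilename that disagrees with the file name, and the AsOpenFile.pdb path) can be turned into a reusable triage check. The script below is an added example written for this page; it is not Joe Sandbox, NSIS or the sample's own code. The helper names, the regular expressions and the constructed SAMPLE_BYTES are this example's assumptions; only the literal strings are taken from the report, and the NullsoftInst marker comes from the NSIS file format rather than from this analysis.

```python
"""Static triage for the indicators in the report above (added example, see lead-in)."""
import re
import unicodedata

# Joe Sandbox writes non-ASCII code points in file names as #Uxxxx.
JOE_ESCAPE = re.compile(r"#U([0-9a-fA-F]{4})")

DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}

# First marker is the string the report lists; NullsoftInst is the NSIS first-header
# magic from the file format and is an assumption of this example, not report evidence.
NSIS_MARKERS = (b"http://nsis.sf.net/NSIS_Error", b"NullsoftInst")
# Assumed shape of the NSIS plug-in directory, generalised from nsgC6C9.tmp in the report.
NSIS_TEMP_DIR = re.compile(r"[\\/]ns[a-zA-Z][0-9A-Fa-f]{4}\.tmp[\\/]")
# UTF-16LE "OriginalFilename" key of VS_VERSION_INFO, optional padding, then its value.
ORIGINAL_FILENAME = re.compile(
    "OriginalFilename".encode("utf-16-le") + rb"(?:\x00\x00)*((?:[^\x00]\x00)+)\x00\x00"
)
# Printable DOS path ending in .pdb, as left behind by the linker.
PDB_PATH = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]{1,250}?\.pdb")


def decode_joe_name(name: str) -> str:
    """Recover the on-disk file name from its Joe Sandbox #Uxxxx spelling."""
    return JOE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), name)


def extension_lure(name: str):
    """Return (fake_ext, real_ext, confusable_dot) when a name fakes a document extension.

    Catches the plain double extension ('invoice.pdf.exe') and the variant in the report,
    where U+00B7 MIDDLE DOT stands in for '.' so Explorer shows '...2022·pdf.exe'.
    """
    if "." not in name:
        return None
    stem, real_ext = name.rsplit(".", 1)
    real_ext = real_ext.lower()
    if real_ext not in EXECUTABLE_EXTS:
        return None
    for i in range(len(stem) - 1, -1, -1):
        ch = stem[i]
        # '.' itself, or any non-ASCII punctuation that could pass for a dot.
        if ch == "." or (ord(ch) > 0x7F and unicodedata.category(ch).startswith("P")):
            fake = stem[i + 1:].lower()
            return (fake, real_ext, ch != ".") if fake in DOCUMENT_EXTS else None
        if not ch.isalnum():
            return None
    return None


def nsis_markers(data: bytes, dropped_paths=()):
    """NSIS evidence: known strings in the image plus an nsXXXX.tmp plug-in directory."""
    hits = [m.decode() for m in NSIS_MARKERS if m in data]
    hits += [p for p in dropped_paths if NSIS_TEMP_DIR.search(p)]
    return hits


def original_filename(data: bytes):
    """OriginalFilename from the first VS_VERSION_INFO block found in the bytes, or None."""
    m = ORIGINAL_FILENAME.search(data)
    return m.group(1).decode("utf-16-le") if m else None


def pdb_paths(data: bytes):
    """Every distinct PDB path embedded in the bytes, sorted."""
    return sorted({m.decode() for m in PDB_PATH.findall(data)})


def triage(report_name: str, data: bytes, dropped_paths=()):
    """Run every check and return one dict a triage script can act on."""
    name = decode_joe_name(report_name)
    orig = original_filename(data)
    return {
        "file_name": name,
        "extension_lure": extension_lure(name),
        "nsis": nsis_markers(data, dropped_paths),
        "original_filename": orig,
        # A mismatch means either a renamed PE or, as in this report, an embedded
        # program's version block showing through the installer stub.
        "name_mismatch": bool(orig) and orig.lower() != name.lower(),
        "pdb_paths": pdb_paths(data),
    }


# Constructed stand-in for the dropper image; only the literal strings are from the report.
SAMPLE_BYTES = (
    b"MZ" + b"\x00" * 62
    + b"http://nsis.sf.net/NSIS_Error\x00"
    + b"D:\\SourceCode\\ScenarioProfile\\production_V4.2\\ScenarioProfileFrameWork"
    b"\\Service\\ServiceSDK\\Release\\ScenarioProfilePlugIn\\AsOpenFile.pdb\x00"
    + "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
    + "AsOpenFile.exe".encode("utf-16-le") + b"\x00\x00"
)
SAMPLE_DROPS = (
    r"C:\Users\user\AppData\Local\Temp\nsgC6C9.tmp\System.dll",
    r"C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\AsOpenFile.exe",
)
REPORT_NAME = "REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe"

if __name__ == "__main__":
    for key, value in triage(REPORT_NAME, SAMPLE_BYTES, SAMPLE_DROPS).items():
        print(f"{key}: {value}")
```

To run it against the real sample, replace SAMPLE_BYTES with the bytes of the dropper (or of the dropped AsOpenFile.exe) and SAMPLE_DROPS with the paths from the "File created" entries. The OriginalFilename the report quotes comes from the 02714000 memory region and matches the dropped AsOpenFile.exe, so a mismatch here should be read as a prompt to look for an embedded second program, not as proof that the stub itself was renamed.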
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
RDTSC instruction interceptor: First address: 00000000030F165F second address: 00000000030F165F instructions:
    0x00000000 rdtsc
    0x00000002 cmp ebx, ecx
    0x00000004 jc 00007FEAF0D8C00Fh
    0x00000006 cmp bh, dh
    0x00000008 cmp ecx, 95C3E464h
    0x0000000e inc ebp
    0x0000000f cld
    0x00000010 inc ebx
    0x00000011 cmp dl, al
    0x00000013 rdtsc
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
API call chain: ExitProcess graph end node