Analysis Report
https://download.brother.com/welcome/dlfp100270/cltw10100a.exe
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence
---|---|---|---
48 | 0 - 100 | false | 100%
Signatures
Creates files in the recycle bin to hide itself
Drops executables to the windows directory (C:\Windows) and starts them
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Remote Thread Creation By Uncommon Source Image
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Classification
- System is w10x64
- cmd.exe (PID: 4836 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://download.brother.com/welcome/dlfp100270/cltw10100a.exe" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wget.exe (PID: 6776 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://download.brother.com/welcome/dlfp100270/cltw10100a.exe" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
- cltw10100a.exe (PID: 1576 cmdline: "C:\Users\user\Desktop\download\cltw10100a.exe" MD5: 9541E83179ABDD1F0CEBCFEFF94BC9A2)
- InstallManager.exe (PID: 4124 cmdline: "C:\Users\user\AppData\Local\Temp\pft15B6.tmp\InstallManager\InstallManager.exe" /L:MULT /Model:CableLabelTool MD5: CDDFE6FF78C9EF7667321A1EBB9D8F33)
- AccessDatabaseEngine.exe (PID: 736 cmdline: C:\Users\user\AppData\Local\Temp\pft15B6.tmp\CableLabelTool\ADE\US\AccessDatabaseEngine.exe /quiet /passive MD5: 77423E9942B09AFD564C307B26D1F4BA)
- msiexec.exe (PID: 2888 cmdline: msiexec.exe /i "C:\Users\user\AppData\Local\Temp\pft15B6.tmp\CableLabelTool\CableLabel.msi" USERNAME="hardz" COMPANYNAME="" INSTPATH="C:\Program Files (x86)\Brother" NOCOMPANYNAME=0 SCDESKTOP=1 SCQUICK=1 GGANA=0 /norestart /qn MD5: 9D09DC1EDA745A5F87553048E57620CF)
- msiexec.exe (PID: 6448 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 2108 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding EB11130A8E2D63B3F747D23242553FAB MD5: 9D09DC1EDA745A5F87553048E57620CF)
- msiexec.exe (PID: 5328 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding A62CD37A4C11E58DF0BCDEEDF1919238 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
- msiexec.exe (PID: 4836 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 83F27F5FB60DD41C7AB11B9672B294FA MD5: 9D09DC1EDA745A5F87553048E57620CF)
- ISBEW64.exe (PID: 6152 cmdline: C:\Users\user\AppData\Local\Temp\{30A7D0B3-6AFB-4B04-9B83-26BDADDD6B2C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3AFEB423-0B54-4B5C-AF4D-A716F5EC019D} MD5: B83D2774CDAF5016CD8765A630FA1150)
- ISBEW64.exe (PID: 6256 cmdline: C:\Users\user\AppData\Local\Temp\{88126FF3-5FB8-4112-8A6E-8CC3757E4773}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8B431535-90AA-40F3-9655-445ADAB437CB} MD5: B83D2774CDAF5016CD8765A630FA1150)
- ISBEW64.exe (PID: 5348 cmdline: C:\Users\user\AppData\Local\Temp\{4D3AAFCB-F4A5-4635-B876-40288960575F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6BC22D34-1C49-421D-9176-A3AFA0E55D33} MD5: B83D2774CDAF5016CD8765A630FA1150)
- MSICA89.tmp (PID: 5556 cmdline: "C:\Windows\Installer\MSICA89.tmp" /Commit MD5: E52FBF76B172E4BF99A5772D196E63A1)
- msiexec.exe (PID: 5380 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D4A9004CD4BE2ECB65C741789AB02FDC E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
- ISBEW64.exe (PID: 6412 cmdline: C:\Users\user\AppData\Local\Temp\{BEB42744-6340-45B8-9F53-1E39881815F3}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{96E3FD8A-3439-49F5-85BF-4761FA9EF6C3} MD5: B83D2774CDAF5016CD8765A630FA1150)
- ISBEW64.exe (PID: 3920 cmdline: C:\Users\user\AppData\Local\Temp\{C94AACC5-E97F-46C2-A601-8B973B2BC7F5}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{34B640B0-E1C5-4E02-93D5-01A751615909} MD5: B83D2774CDAF5016CD8765A630FA1150)
- ISBEW64.exe (PID: 7100 cmdline: C:\Users\user\AppData\Local\Temp\{17CEC823-4AB4-40C3-B585-B72FBC1A1527}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AE513F01-59BA-4495-8488-BB8EA735A7AC} MD5: B83D2774CDAF5016CD8765A630FA1150)
- svchost.exe (PID: 6308 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- LogonUI.exe (PID: 368 cmdline: "LogonUI.exe" /flags:0x4 /state0:0xa3f98855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
- LockApp.exe (PID: 4372 cmdline: "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" -ServerName:WindowsDefaultLockScreen.AppX7y4nbzq37zn4ks9k7amqjywdat7d3j2z.mca MD5: DD4966999D7DB48046CE6D12AF1F70F3)
- svchost.exe (PID: 1224 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | 

Sigma rule matches:
- Author: Perez Diego (@darkquassar), oscd.community
- Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
- Author: vburov
No Snort rule has matched