Windows
Analysis Report
CloudInstaller.zip
Overview
General Information
Detection
Score: | 48 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Uses cmd line tools excessively to alter registry or file data
Connects to many different domains
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64_ra
- rundll32.exe (PID: 7120 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
- chrome.exe (PID: 3548 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  - chrome.exe (PID: 6528 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1924,i,5461318940390253796,10420461305824249308,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- firefox.exe (PID: 7388 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  - firefox.exe (PID: 7424 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  - firefox.exe (PID: 7644 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2272 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2200 -prefsLen 25250 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f03588b1-8803-4163-b47f-4f3b052540ae} 7424 "\\.\pipe\gecko-crash-server-pipe.7424" 2128626d310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  - firefox.exe (PID: 8096 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4032 -parentBuildID 20230927232528 -prefsHandle 1080 -prefMapHandle 932 -prefsLen 25481 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de6f62ae-43bf-4e39-bd31-e84b8959a79a} 7424 "\\.\pipe\gecko-crash-server-pipe.7424" 21298324b10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  - firefox.exe (PID: 716 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5100 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3132 -prefMapHandle 3520 -prefsLen 33093 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {641346cd-196c-4067-8cb2-9d86e99bd6bf} 7424 "\\.\pipe\gecko-crash-server-pipe.7424" 212a3de6710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- 7zG.exe (PID: 3564 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap1782:84:7zEvent10406 MD5: 50F289DF0C19484E970849AAC4E6F977)
- cmd.exe (PID: 2240 cmdline: "C:\Windows\system32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 2228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - CloudInstaller.exe (PID: 3344 cmdline: CloudInstaller.exe MD5: 4005A9E6D787D44E8AB8A44EE5A90ECA)
  - CloudInstaller.tmp (PID: 4836 cmdline: "C:\Users\user\AppData\Local\Temp\is-B43MR.tmp\CloudInstaller.tmp" /SL5="$B001C,9709404,140800,C:\Users\user\Desktop\CloudInstaller.exe" MD5: 9FB95EEDC0BD1CB80676A400FC19A295)
  - cmd.exe (PID: 4820 cmdline: "C:\Windows\system32\cmd.exe" cmd /c wmic diskdrive get model | FINDSTR /I "Virtual VBOX VMware">ds.txt MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 2672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - WMIC.exe (PID: 5792 cmdline: wmic diskdrive get model MD5: E2DE6500DE1148C7F6027AD50AC8B891)
  - findstr.exe (PID: 4044 cmdline: FINDSTR /I "Virtual VBOX VMware" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
  - cmd.exe (PID: 7860 cmdline: "C:\Windows\system32\cmd.exe" cmd /c 4554.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 6816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - attrib.exe (PID: 6616 cmdline: attrib +s +h /D "C:\Users\user\AppData\Local\Temp\av\*.*" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
  - cmd.exe (PID: 6140 cmdline: cmd /c tar xf 85.zip MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - tar.exe (PID: 7204 cmdline: tar xf 85.zip MD5: D7128869A4759CCBDC5D4BC55A40D4CC)
  - attrib.exe (PID: 5080 cmdline: attrib +s +h /D "C:\Users\user\AppData\Local\Temp\av\*.*" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
  - 215.exe (PID: 7348 cmdline: ".\215\215.exe" MD5: 3F7D69D361F789D0CFB03302A7264093)
  - javaw.exe (PID: 5504 cmdline: "C:\Users\user\AppData\Local\Temp\av\215\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\asm-all.jar;lib\commons-email.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher MD5: 48C96771106DBDD5D42BBA3772E4B414)
- cmd.exe (PID: 8160 cmdline: "C:\Windows\system32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 8176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - 2.exe (PID: 6816 cmdline: 2.exe MD5: FBAE5725BD0497576C5979A39988132C)
  - 215.exe (PID: 3948 cmdline: 215.exe MD5: 9FB95EEDC0BD1CB80676A400FC19A295)
- cmd.exe (PID: 6552 cmdline: "C:\Windows\system32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
| Timestamp | SID | Source Port | Destination Port | Protocol | Classtype |
|---|---|---|---|---|---|
| 2024-07-22T18:44:41.511133+0200 | 2839343 | 54341 | 80 | TCP | Potentially Bad Traffic |
| 2024-07-22T18:44:41.316825+0200 | 2839343 | 54341 | 80 | TCP | Potentially Bad Traffic |
| 2024-07-22T18:43:48.785525+0200 | 2839343 | 54341 | 80 | TCP | Potentially Bad Traffic |
| 2024-07-22T18:43:47.928534+0200 | 2839343 | 54340 | 443 | TCP | Potentially Bad Traffic |
| 2024-07-22T18:43:48.986014+0200 | 2839343 | 54341 | 80 | TCP | Potentially Bad Traffic |
| 2024-07-22T18:43:46.719974+0200 | 2839343 | 54339 | 443 | TCP | Potentially Bad Traffic |