Edit tour
Windows
Analysis Report
LisectAVT_2403002A_282.exe
Overview
General Information
| Sample name: | LisectAVT_2403002A_282.exe |
| Analysis ID: | 1482372 |
| MD5: | 6d1fd0af6dd71b3ca81ecefb1d9f9324 |
| SHA1: | 7dce009fae200ad379a332bc4f2cc5dc8c88df52 |
| SHA256: | 43c1d24d64d652dba7a789b4eb06870d5ba199060f0069b906a7b0f9ecbd4d70 |
| Tags: | exe |
| Infos: |   |
 | |
Detection
XRed
| Score: | 54 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Yara detected XRed
AI detected suspicious sample
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Classification
- System is w10x64
LisectAVT_2403002A_282.exe (PID: 636 cmdline: "C:\Users\ user\Deskt op\LisectA VT_2403002 A_282.exe" MD5: 6D1FD0AF6DD71B3CA81ECEFB1D9F9324) 
._cache_LisectAVT_2403002A_282.exe (PID: 1492 cmdline: "C:\Users\ user\Deskt op\._cache _LisectAVT _2403002A_ 282.exe" MD5: 1BD671CE0DEAAA901841AE87D92B3606) - ._cache_LisectAVT_2403002A_282.exe (PID: 5648 cmdline:
"C:\Users\ user\Deskt op\._cache _LisectAVT _2403002A_ 282.exe" - burn.unele vated Burn Pipe.{E4E5 1F82-7E66- 4DF5-9657- 3D7E13E424 32} {55F88 1B6-C3A9-4 52A-8EED-5 3F844AA8C2 1} 1492 MD5: 1BD671CE0DEAAA901841AE87D92B3606) - Synaptics.exe (PID: 6988 cmdline:
"C:\Progra mData\Syna ptics\Syna ptics.exe" InjUpdate MD5: B753207B14C635F29B2ABF64F603570A) 
WerFault.exe (PID: 7252 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 988 -s 134 72 MD5: C31336C1EFC2CCB44B4326EA793040F2)
EXCEL.EXE (PID: 3660 cmdline: "C:\Progra m Files (x 86)\Micros oft Office \Root\Offi ce16\EXCEL .EXE" /aut omation -E mbedding MD5: 4A871771235598812032C822E6F68F19)
- Synaptics.exe (PID: 356 cmdline:
"C:\Progra mData\Syna ptics\Syna ptics.exe" MD5: B753207B14C635F29B2ABF64F603570A)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_XRed | Yara detected XRed | Joe Security | ||
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_XRed | Yara detected XRed | Joe Security | ||
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
| JoeSecurity_XRed | Yara detected XRed | Joe Security | ||
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
| JoeSecurity_XRed | Yara detected XRed | Joe Security | ||
| Click to see the 1 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_XRed | Yara detected XRed | Joe Security | ||
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
| JoeSecurity_XRed | Yara detected XRed | Joe Security | ||
| JoeSecurity_XRed | Yara detected XRed | Joe Security | ||
| JoeSecurity_XRed | Yara detected XRed | Joe Security |
System Summary |   |
|---|
| Source: | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: | ||
| Source: | Author: X__Junior (Nextron Systems): | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
⊘No Snort rule has matched
| Timestamp: | 2024-07-25T21:55:06.468416+0200 |
| SID: | 2044887 |
| Source Port: | 49757 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:54:58.745265+0200 |
| SID: | 2044887 |
| Source Port: | 49710 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:55:05.639090+0200 |
| SID: | 2044887 |
| Source Port: | 49749 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:55:43.894772+0200 |
| SID: | 2022930 |
| Source Port: | 443 |
| Destination Port: | 49922 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:55:00.934345+0200 |
| SID: | 2044887 |
| Source Port: | 49721 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:55:02.021755+0200 |
| SID: | 2044887 |
| Source Port: | 49726 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:55:04.563511+0200 |
| SID: | 2044887 |
| Source Port: | 49746 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:54:59.078552+0200 |
| SID: | 2832617 |
| Source Port: | 49714 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | Malware Command and Control Activity Detected |
| Timestamp: | 2024-07-25T21:54:59.855534+0200 |
| SID: | 2044887 |
| Source Port: | 49718 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:55:03.521326+0200 |
| SID: | 2044887 |
| Source Port: | 49738 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:55:04.561722+0200 |
| SID: | 2044887 |
| Source Port: | 49743 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:55:08.570376+0200 |
| SID: | 2044887 |
| Source Port: | 49769 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:55:06.468261+0200 |
| SID: | 2044887 |
| Source Port: | 49758 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:55:08.575770+0200 |
| SID: | 2044887 |
| Source Port: | 49768 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:54:59.779737+0200 |
| SID: | 2044887 |
| Source Port: | 49715 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:55:07.503380+0200 |
| SID: | 2044887 |
| Source Port: | 49766 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:55:01.867178+0200 |
| SID: | 2044887 |
| Source Port: | 49725 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:55:00.768886+0200 |
| SID: | 2044887 |
| Source Port: | 49720 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:55:03.487469+0200 |
| SID: | 2044887 |
| Source Port: | 49737 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:55:07.518831+0200 |
| SID: | 2044887 |
| Source Port: | 49765 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:55:05.660763+0200 |
| SID: | 2044887 |
| Source Port: | 49748 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:55:09.598529+0200 |
| SID: | 2044887 |
| Source Port: | 49772 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:54:58.796256+0200 |
| SID: | 2044887 |
| Source Port: | 49709 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-25T21:55:06.253373+0200 |
| SID: | 2022930 |
| Source Port: | 443 |
| Destination Port: | 49754 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 2_2_00A38281 | |
| Source: | Code function: | 2_2_00A57C27 | |
| Source: | Code function: | 2_2_00A38558 | |
| Source: | Code function: | 2_2_00A386D9 | |
| Source: | Static PE information: | ||
| Source: | Window detected: | ||