Edit tour
Windows
Analysis Report
1feP5qTCl0.exe
Overview
General Information
Sample name: | 1feP5qTCl0.exerenamed because original name is a hash value |
Original sample name: | 64aaffe3b4d705b9ddbce60e8fd8b9829c20438b8c68ae254e185c0f466e0265.exe |
Analysis ID: | 1499701 |
MD5: | a499c507987982c951093e21df0c0d96 |
SHA1: | fa1a7050198570e016fc4bf3ddd69160e05a8a38 |
SHA256: | 64aaffe3b4d705b9ddbce60e8fd8b9829c20438b8c68ae254e185c0f466e0265 |
Tags: | 45-125-66-18exe |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Classification
- System is w10x64
- 1feP5qTCl0.exe (PID: 6120 cmdline:
"C:\Users\ user\Deskt op\1feP5qT Cl0.exe" MD5: A499C507987982C951093E21DF0C0D96) - powershell.exe (PID: 6024 cmdline:
powershell -WindowSt yle Hidden -Command "Add-MpPre ference -E xclusionPa th 'C:\Use rs'" MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 5780 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 5772 cmdline:
powershell -WindowSt yle Hidden -Command "Add-MpPre ference -E xclusionPa th 'C:\Win dows'" MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 5660 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 6776 cmdline:
powershell -WindowSt yle Hidden -Command "Add-MpPre ference -E xclusionPa th 'C:\Pro gram Files '" MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 1800 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 480 cmdline:
powershell -WindowSt yle Hidden -Command "Add-MpPre ference -E xclusionPa th 'C:\Pro gram Files (x86)'" MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 1196 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 4144 cmdline:
powershell -WindowSt yle Hidden -Command "Add-MpPre ference -E xclusionPa th 'C:\Rec overy'" MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 4040 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 1308 cmdline:
powershell -WindowSt yle Hidden -Command "Add-MpPre ference -E xclusionPa th 'C:\Rek a'" MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 6568 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 4996 cmdline:
powershell -WindowSt yle Hidden -Command "Add-MpPre ference -E xclusionPa th '%USERP ROFILE%\De sktop'" MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 420 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - rapnewsa.exe (PID: 6044 cmdline:
C:\Reka\ra pnewsa.exe MD5: 2D4E723C184D9403B078E53F2DE74A23) - WerFault.exe (PID: 3992 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 044 -s 564 80 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
⊘No configs have been found
⊘No yara matches
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Code function: | 19_2_00A41000 | |
Source: | Code function: | 19_2_00A41C40 |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Code function: | 19_2_00A48D40 |
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
Source: | Binary or memory string: |
Source: | Code function: | 19_2_00A41470 | |
Source: | Code function: | 19_2_00A43D50 | |
Source: | Code function: | 19_2_00A41610 |
Source: | Process created: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Source: | System information queried: |
Source: | Key opened: | Jump to behavior |
Source: | Virustotal: |
Source: | String found in binary or memory: |