Windows Analysis Report

Overview

General Information

Analysis ID: 1523772
Infos:

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Sigma detected: Dot net compiler compiles file from suspicious location
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Classification

Source: classification engine Classification label: sus22.expl.win@4/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /C ""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user1\AppData\Local\Temp\5adbfgrl.cmdline""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user1\AppData\Local\Temp\5adbfgrl.cmdline"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user1\AppData\Local\Temp\5adbfgrl.cmdline" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user1\AppData\Local\Temp\5adbfgrl.cmdline"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user1\AppData\Local\Temp\5adbfgrl.cmdline" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user1\AppData\Local\Temp\5adbfgrl.cmdline" Jump to behavior
No contacted IP infos