Edit tour
Windows
Analysis Report
mnFHs2DuKg.exe
Overview
General Information
| Sample name: | mnFHs2DuKg.exerenamed because original name is a hash value |
| Original sample name: | 39551715b734f4a331dd0b39a953a79567f642dc38bfa173f9849a4dbdd7d34e.exe |
| Analysis ID: | 1524829 |
| MD5: | 9b5f9e0459cf54039a5bd005835daf7a |
| SHA1: | 19bf1f1e7c133ab6f3b4d69ec0d69dce25ab272f |
| SHA256: | 39551715b734f4a331dd0b39a953a79567f642dc38bfa173f9849a4dbdd7d34e |
| Tags: | AciraConsultingIncexeuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
| Score: | 48 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Yara detected UAC Bypass using CMSTP
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Modifies the DNS server
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Queries sensitive system registry key value via command line tool
Reads the Security eventlog
Reads the System eventlog
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses regedit.exe to modify the Windows registry
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries device information via Setup API
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Tap Installer Execution
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match
Classification
- System is w10x64
mnFHs2DuKg.exe (PID: 4080 cmdline: "C:\Users\ user\Deskt op\mnFHs2D uKg.exe" MD5: 9B5F9E0459CF54039A5BD005835DAF7A) - mnFHs2DuKg.tmp (PID: 4536 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-NV9 79.tmp\mnF Hs2DuKg.tm p" /SL5="$ 10460,1223 3551,73574 4,C:\Users \user\Desk top\mnFHs2 DuKg.exe" MD5: 319E022A72BA671928D266B7D372414E) 
cmd.exe (PID: 2332 cmdline: "C:\Window s\system32 \cmd.exe" /C ""C:\Pr ogram File s\FastestV PN\Resourc es\driver\ install_ta p.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 5452 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
reg.exe (PID: 3648 cmdline: reg Query "HKLM\Hard ware\Descr iption\Sys tem\Centra lProcessor \0" MD5: 227F63E1D9008B36BDBCC4B397780BE4) - find.exe (PID: 2512 cmdline:
find /i "x 86" MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - cmd.exe (PID: 3148 cmdline:
C:\Windows \system32\ cmd.exe /c ver MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - tapinstall.exe (PID: 5308 cmdline:
tapinstall .exe remov e tap0901 MD5: E313336C82EB265542664CC7A360C5FF) - tapinstall.exe (PID: 2984 cmdline:
tapinstall .exe insta ll OemVist a.inf tap0 901 MD5: E313336C82EB265542664CC7A360C5FF) - cmd.exe (PID: 1160 cmdline:
"C:\Window s\system32 \cmd.exe" /C ""C:\Pr ogram File s\FastestV PN\Resourc es\sp\inst all_sp.bat "" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6844 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 5856 cmdline:
sc stop fa stestvpndr iver MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 1888 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - reg.exe (PID: 796 cmdline:
reg Query "HKLM\Hard ware\Descr iption\Sys tem\Centra lProcessor \0" MD5: 227F63E1D9008B36BDBCC4B397780BE4) - find.exe (PID: 3920 cmdline:
find /i "x 86" MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - reg.exe (PID: 5204 cmdline:
reg QUERY "HKLM\SOFT WARE\Micro soft\Windo ws NT\Curr entVersion " MD5: 227F63E1D9008B36BDBCC4B397780BE4) - find.exe (PID: 6352 cmdline:
find /i "W indows 7" MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - xcopy.exe (PID: 1368 cmdline:
xcopy /y d river\wind ows8\amd64 \fastestvp ndriver.sy s C:\Windo ws\system3 2\drivers MD5: 39FBFD3AF58238C6F9D4D408C9251FF5) - nfregdrv.exe (PID: 1000 cmdline:
release\nf regdrv.exe -u fastes tvpndriver MD5: 9333F583E2D32A47276DCEC7C2391FD2) - nfregdrv.exe (PID: 4908 cmdline:
release\nf regdrv.exe fastestvp ndriver MD5: 9333F583E2D32A47276DCEC7C2391FD2) - sc.exe (PID: 4520 cmdline:
"C:\Window s\system32 \sc.exe" s top Fastes tVPNServic e MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 4464 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - FastestVPN.WindowsService.exe (PID: 5616 cmdline:
"C:\Progra m Files\Fa stestVPN\S ervice\Fas testVPN.Wi ndowsServi ce.exe" -- uninstall MD5: 22D4E4267DFE093E5E23C2F3D7741AA4) 
WerFault.exe (PID: 2672 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 5 616 -s 107 6 MD5: C31336C1EFC2CCB44B4326EA793040F2) - sc.exe (PID: 1656 cmdline:
"C:\Window s\system32 \sc.exe" d elete Fast estVPNServ ice MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 4520 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - FastestVPN.WindowsService.exe (PID: 5308 cmdline:
"C:\Progra m Files\Fa stestVPN\S ervice\Fas testVPN.Wi ndowsServi ce.exe" -- install MD5: 22D4E4267DFE093E5E23C2F3D7741AA4) - subinacl.exe (PID: 2976 cmdline:
"C:\Progra m Files\Fa stestVPN\s ubinacl.ex e" /servic e FastestV PNService /GRANT=eve ryone=TO MD5: 4798226EE22C513302EE57D3AA94398B) - conhost.exe (PID: 5576 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 6816 cmdline:
"C:\Window s\system32 \sc.exe" s tart Faste stVPNServi ce MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 2952 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 5648 cmdline:
"C:\Window s\system32 \cmd.exe" /c regedit /s "C:\Pr ogram File s\FastestV PN\Service \FastestVP N.WindowsS ervice.reg " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 3964 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
regedit.exe (PID: 1660 cmdline: regedit /s "C:\Progr am Files\F astestVPN\ Service\Fa stestVPN.W indowsServ ice.reg" MD5: 999A30979F6195BF562068639FFC4426)
- svchost.exe (PID: 6988 cmdline:
C:\Windows \system32\ svchost.ex e -k DcomL aunch -p - s DeviceIn stall MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - drvinst.exe (PID: 7096 cmdline:
DrvInst.ex e "4" "0" "C:\Users\ user\AppDa ta\Local\T emp\{10e48 137-304b-b 342-bb2b-4 260fc9493d 4}\oemvist a.inf" "9" "4d14a44f f" "000000 0000000154 " "WinSta0 \Default" "000000000 000016C" " 208" "c:\p rogram fil es\fastest vpn\resour ces\driver \windows10 \amd64" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9) - drvinst.exe (PID: 5792 cmdline:
DrvInst.ex e "2" "211 " "ROOT\NE T\0000" "C :\Windows\ INF\oem4.i nf" "oem4. inf:3beb73 aff103cc24 :tap0901.n di:9.24.2. 601:tap090 1," "4d14a 44ff" "000 0000000000 154" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
- svchost.exe (PID: 7060 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s N etSetupSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- FastestVPN.exe (PID: 6916 cmdline:
"C:\Progra m Files\Fa stestVPN\F astestVPN. exe" -auto run MD5: 01CF6EF766C41BB2C99A2CCCDECC69C1) 
powershell.exe (PID: 5636 cmdline: "powershel l" -window style hidd en get-wmi object Win 32_Compute rSystemPro duct | Sel ect-Object -ExpandPr operty UUI D MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - conhost.exe (PID: 6160 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 7080 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 6040 cmdline:
C:\Windows \System32\ svchost.ex e -k WerSv cGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - WerFault.exe (PID: 1712 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -pss -s 444 -p 56 16 -ip 561 6 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- svchost.exe (PID: 6352 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s w lidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- FastestVPN.WindowsService.exe (PID: 2948 cmdline:
"C:\Progra m Files\Fa stestVPN\S ervice\Fas testVPN.Wi ndowsServi ce.exe" MD5: 22D4E4267DFE093E5E23C2F3D7741AA4)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
|
System Summary |   |
|---|
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): | ||
| Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: frack113, Florian Roth (Nextron Systems): | ||
| Source: | Author: Daniil Yugoslavskiy, Ian Davis, oscd.community: | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
| Source: | Author: vburov: | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
Exploits | |
|---|
| Source: | File source: | ||
| Source: | Static PE information: | ||
| Source: | Window detected: | ||