Windows
Analysis Report
mapMd1URzq.exe
Overview
General Information
Field | Value
---|---
Sample name | mapMd1URzq.exe (renamed because original name is a hash value)
Original sample name | 17926b988b31296c26bf8fcc5be5595f8b290112949cd9314b3ddb51216a9fc6.exe
Analysis ID | 1524831
MD5 | ff0206612063b4d2b3e2ed6ee9d5eef0
SHA1 | d33a31ecdbd673b93cb70f516a57643056931c8b
SHA256 | 17926b988b31296c26bf8fcc5be5595f8b290112949cd9314b3ddb51216a9fc6
Tags | AciraConsultingInc, exe, user-JAMESWT_MHT
Detection
Field | Value
---|---
Score | 54
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Malicious sample detected (through community Yara rule)
Yara detected UAC Bypass using CMSTP
.NET source code contains very large strings
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Encrypted powershell cmdline option found
Modifies the DNS server
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Queries sensitive system registry key value via command line tool
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses regedit.exe to modify the Windows registry
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries device information via Setup API
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Tap Installer Execution
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- mapMd1URzq.exe (PID: 6064 cmdline: "C:\Users\user\Desktop\mapMd1URzq.exe" MD5: FF0206612063B4D2B3E2ED6EE9D5EEF0)
  - mapMd1URzq.tmp (PID: 5072 cmdline: "C:\Users\user\AppData\Local\Temp\is-T79UM.tmp\mapMd1URzq.tmp" /SL5="$103C6,10597393,735744,C:\Users\user\Desktop\mapMd1URzq.exe" MD5: 259E3EE4646FC251C3513EEF2683479F)
  - cmd.exe (PID: 5368 cmdline: "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\FastestVPN\Resources\driver\install_tap.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 5292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - reg.exe (PID: 5172 cmdline: reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
  - find.exe (PID: 5880 cmdline: find /i "x86" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
  - cmd.exe (PID: 5712 cmdline: C:\Windows\system32\cmd.exe /c ver MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - tapinstall.exe (PID: 5776 cmdline: tapinstall.exe remove tap0901 MD5: E313336C82EB265542664CC7A360C5FF)
  - tapinstall.exe (PID: 3700 cmdline: tapinstall.exe install OemVista.inf tap0901 MD5: E313336C82EB265542664CC7A360C5FF)
  - cmd.exe (PID: 5648 cmdline: "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\FastestVPN\Resources\sp\install_sp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 5192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - sc.exe (PID: 340 cmdline: sc stop fastestvpndriver MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  - conhost.exe (PID: 6944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - reg.exe (PID: 6860 cmdline: reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
  - find.exe (PID: 5164 cmdline: find /i "x86" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
  - reg.exe (PID: 6292 cmdline: reg QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
  - find.exe (PID: 5820 cmdline: find /i "Windows 7" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
  - xcopy.exe (PID: 5564 cmdline: xcopy /y driver\windows8\amd64\fastestvpndriver.sys C:\Windows\system32\drivers MD5: 39FBFD3AF58238C6F9D4D408C9251FF5)
  - nfregdrv.exe (PID: 3380 cmdline: release\nfregdrv.exe -u fastestvpndriver MD5: 9333F583E2D32A47276DCEC7C2391FD2)
  - nfregdrv.exe (PID: 6036 cmdline: release\nfregdrv.exe fastestvpndriver MD5: 9333F583E2D32A47276DCEC7C2391FD2)
  - sc.exe (PID: 6272 cmdline: "C:\Windows\system32\sc.exe" stop FastestVPNService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  - conhost.exe (PID: 3796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - FastestVPN.WindowsService.exe (PID: 2988 cmdline: "C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe" --uninstall MD5: 22D4E4267DFE093E5E23C2F3D7741AA4)
  - WerFault.exe (PID: 2616 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 1076 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  - sc.exe (PID: 880 cmdline: "C:\Windows\system32\sc.exe" delete FastestVPNService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  - conhost.exe (PID: 6868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - FastestVPN.WindowsService.exe (PID: 6460 cmdline: "C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe" --install MD5: 22D4E4267DFE093E5E23C2F3D7741AA4)
  - subinacl.exe (PID: 6012 cmdline: "C:\Program Files\FastestVPN\subinacl.exe" /service FastestVPNService /GRANT=everyone=TO MD5: 4798226EE22C513302EE57D3AA94398B)
  - conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - sc.exe (PID: 5292 cmdline: "C:\Windows\system32\sc.exe" start FastestVPNService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  - conhost.exe (PID: 5476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 2724 cmdline: "C:\Windows\system32\cmd.exe" /c regedit /s "C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.reg" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 3560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - regedit.exe (PID: 6224 cmdline: regedit /s "C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.reg" MD5: 999A30979F6195BF562068639FFC4426)
  - FastestVPN.exe (PID: 4816 cmdline: "C:\Program Files\FastestVPN\FastestVPN.exe" MD5: 01CF6EF766C41BB2C99A2CCCDECC69C1)
- svchost.exe (PID: 1812 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  - drvinst.exe (PID: 1008 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{7287f939-a023-4a42-8efe-c3ab39b8505a}\oemvista.inf" "9" "4d14a44ff" "0000000000000160" "WinSta0\Default" "0000000000000100" "208" "c:\program files\fastestvpn\resources\driver\windows10\amd64" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
  - drvinst.exe (PID: 3040 cmdline: DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.24.2.601:tap0901," "4d14a44ff" "0000000000000160" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
- svchost.exe (PID: 1088 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 6820 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  - WerFault.exe (PID: 1460 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2988 -ip 2988 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- FastestVPN.exe (PID: 3172 cmdline: "C:\Program Files\FastestVPN\FastestVPN.exe" -autorun MD5: 01CF6EF766C41BB2C99A2CCCDECC69C1)
  - powershell.exe (PID: 6320 cmdline: "powershell" -windowstyle hidden get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - conhost.exe (PID: 1808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- FastestVPN.WindowsService.exe (PID: 1292 cmdline: "C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe" MD5: 22D4E4267DFE093E5E23C2F3D7741AA4)
- svchost.exe (PID: 5256 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- powershell.exe (PID: 1112 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle Hidden -EncodedCommand UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAbQBzAGgAdABhAC4AZQB4AGUAJwAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAnAGgAdAB0AHAAcwA6AC8ALwBmAGEAcwB0AGUAcwB2AHAAbgAtAHMAMwAtAGUAdQAtAG4AbwByAHQAaAAtADEALgAxADEAOQA4ADIA MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 6928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
No configs have been found.
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
| INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
System Summary
Source | Author
---|---
| Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
| Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
| Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
| Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
| frack113
| frack113, Florian Roth (Nextron Systems)
| Daniil Yugoslavskiy, Ian Davis, oscd.community
| Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
| vburov
No Suricata rule has matched.
Exploits
Source | Detail
---|---
| File source:
| Static PE information:
| Window detected: