Edit tour
Windows
Analysis Report
OqAVRCkQ3T.exe
Overview
General Information
| Sample name: | OqAVRCkQ3T.exerenamed because original name is a hash value |
| Original sample name: | 649ec4858e572e0145e35a9faa712708949b7bb1bce1594154cda580d80a0ca9.exe |
| Analysis ID: | 1524835 |
| MD5: | 6d6a207d5513fa5ac6ead647f5d66a6a |
| SHA1: | 913e0d1aadbc1593b76f6442bb89070bc4a5e224 |
| SHA256: | 649ec4858e572e0145e35a9faa712708949b7bb1bce1594154cda580d80a0ca9 |
| Tags: | AciraConsultingIncexeuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
| Score: | 44 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Yara detected UAC Bypass using CMSTP
.NET source code contains very large strings
Found direct / indirect Syscall (likely to bypass EDR)
Modifies the DNS server
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Queries sensitive system registry key value via command line tool
Reads the Security eventlog
Reads the System eventlog
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Uses cmd line tools excessively to alter registry or file data
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries device information via Setup API
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Tap Installer Execution
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
OqAVRCkQ3T.exe (PID: 5912 cmdline: "C:\Users\ user\Deskt op\OqAVRCk Q3T.exe" MD5: 6D6A207D5513FA5AC6EAD647F5D66A6A) - OqAVRCkQ3T.tmp (PID: 4828 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-2QE V6.tmp\OqA VRCkQ3T.tm p" /SL5="$ 203F6,2983 2184,73574 4,C:\Users \user\Desk top\OqAVRC kQ3T.exe" MD5: 259E3EE4646FC251C3513EEF2683479F) - ComDebug.exe (PID: 5956 cmdline:
"C:\Progra m Files\Fa stestVPN\R esources\C omDebug.ex e" MD5: F892887D8532D19F74884CDC48B1AC8B) 
more.com (PID: 4068 cmdline: C:\Windows \SysWOW64\ more.com MD5: 03805AE7E8CBC07840108F5C80CF4973) 
conhost.exe (PID: 2220 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 5720 cmdline:
"C:\Window s\system32 \cmd.exe" /C ""C:\Pr ogram File s\FastestV PN\Resourc es\driver\ install_ta p.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 2992 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - reg.exe (PID: 7160 cmdline:
reg Query "HKLM\Hard ware\Descr iption\Sys tem\Centra lProcessor \0" MD5: 227F63E1D9008B36BDBCC4B397780BE4) - find.exe (PID: 3560 cmdline:
find /i "x 86" MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - cmd.exe (PID: 2720 cmdline:
C:\Windows \system32\ cmd.exe /c ver MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - tapinstall.exe (PID: 6628 cmdline:
tapinstall .exe remov e tap0901 MD5: E313336C82EB265542664CC7A360C5FF) - tapinstall.exe (PID: 6192 cmdline:
tapinstall .exe insta ll OemVist a.inf tap0 901 MD5: E313336C82EB265542664CC7A360C5FF) - cmd.exe (PID: 6852 cmdline:
"C:\Window s\system32 \cmd.exe" /C ""C:\Pr ogram File s\FastestV PN\Resourc es\sp\inst all_sp.bat "" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6912 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 6924 cmdline:
sc stop fa stestvpndr iver MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 5920 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - reg.exe (PID: 2688 cmdline:
reg Query "HKLM\Hard ware\Descr iption\Sys tem\Centra lProcessor \0" MD5: 227F63E1D9008B36BDBCC4B397780BE4) - find.exe (PID: 6896 cmdline:
find /i "x 86" MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - reg.exe (PID: 5200 cmdline:
reg QUERY "HKLM\SOFT WARE\Micro soft\Windo ws NT\Curr entVersion " MD5: 227F63E1D9008B36BDBCC4B397780BE4) - find.exe (PID: 3476 cmdline:
find /i "W indows 7" MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - xcopy.exe (PID: 4132 cmdline:
xcopy /y d river\wind ows8\amd64 \fastestvp ndriver.sy s C:\Windo ws\system3 2\drivers MD5: 39FBFD3AF58238C6F9D4D408C9251FF5) - nfregdrv.exe (PID: 6468 cmdline:
release\nf regdrv.exe -u fastes tvpndriver MD5: 9333F583E2D32A47276DCEC7C2391FD2) - nfregdrv.exe (PID: 6360 cmdline:
release\nf regdrv.exe fastestvp ndriver MD5: 9333F583E2D32A47276DCEC7C2391FD2) - sc.exe (PID: 2884 cmdline:
"C:\Window s\system32 \sc.exe" s top Fastes tVPNServic e MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 1456 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - FastestVPN.WindowsService.exe (PID: 2540 cmdline:
"C:\Progra m Files\Fa stestVPN\S ervice\Fas testVPN.Wi ndowsServi ce.exe" -- uninstall MD5: 22D4E4267DFE093E5E23C2F3D7741AA4) 
WerFault.exe (PID: 6272 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 2 540 -s 107 6 MD5: C31336C1EFC2CCB44B4326EA793040F2) - sc.exe (PID: 1616 cmdline:
"C:\Window s\system32 \sc.exe" d elete Fast estVPNServ ice MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 1656 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - FastestVPN.WindowsService.exe (PID: 6776 cmdline:
"C:\Progra m Files\Fa stestVPN\S ervice\Fas testVPN.Wi ndowsServi ce.exe" -- install MD5: 22D4E4267DFE093E5E23C2F3D7741AA4) - subinacl.exe (PID: 7080 cmdline:
"C:\Progra m Files\Fa stestVPN\s ubinacl.ex e" /servic e FastestV PNService /GRANT=eve ryone=TO MD5: 4798226EE22C513302EE57D3AA94398B) - conhost.exe (PID: 2884 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 1284 cmdline:
"C:\Window s\system32 \sc.exe" s tart Faste stVPNServi ce MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 2096 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - FastestVPN.exe (PID: 2616 cmdline:
"C:\Progra m Files\Fa stestVPN\F astestVPN. exe" MD5: 01CF6EF766C41BB2C99A2CCCDECC69C1)
- svchost.exe (PID: 6916 cmdline:
C:\Windows \system32\ svchost.ex e -k DcomL aunch -p - s DeviceIn stall MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - drvinst.exe (PID: 1464 cmdline:
DrvInst.ex e "4" "0" "C:\Users\ user\AppDa ta\Local\T emp\{4cb0e b0d-a103-7 c4c-aedf-5 caef9610c0 c}\oemvist a.inf" "9" "4d14a44f f" "000000 0000000154 " "WinSta0 \Default" "000000000 0000168" " 208" "c:\p rogram fil es\fastest vpn\resour ces\driver \windows10 \amd64" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9) - drvinst.exe (PID: 1916 cmdline:
DrvInst.ex e "2" "211 " "ROOT\NE T\0000" "C :\Windows\ INF\oem4.i nf" "oem4. inf:3beb73 aff103cc24 :tap0901.n di:9.24.2. 601:tap090 1," "4d14a 44ff" "000 0000000000 154" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
- svchost.exe (PID: 5940 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s N etSetupSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- FastestVPN.exe (PID: 3192 cmdline:
"C:\Progra m Files\Fa stestVPN\F astestVPN. exe" -auto run MD5: 01CF6EF766C41BB2C99A2CCCDECC69C1) 
powershell.exe (PID: 424 cmdline: "powershel l" -window style hidd en get-wmi object Win 32_Compute rSystemPro duct | Sel ect-Object -ExpandPr operty UUI D MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - conhost.exe (PID: 3780 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 6032 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 6348 cmdline:
C:\Windows \System32\ svchost.ex e -k WerSv cGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - WerFault.exe (PID: 1664 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -pss -s 432 -p 25 40 -ip 254 0 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- FastestVPN.WindowsService.exe (PID: 3632 cmdline:
"C:\Progra m Files\Fa stestVPN\S ervice\Fas testVPN.Wi ndowsServi ce.exe" MD5: 22D4E4267DFE093E5E23C2F3D7741AA4)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
System Summary |   |
|---|
| Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): | ||
| Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Daniil Yugoslavskiy, Ian Davis, oscd.community: | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
| Source: | Author: vburov: | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
Exploits | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Static PE information: | ||
| Source: | Window detected: | ||