Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample name: | file.exe |
| Analysis ID: | 1547305 |
| MD5: | 54f4ebce5c56bf86c5948d89ba8c875f |
| SHA1: | 8da1e1b95cbba3e9a50ba999d3d1ea64cc2b358e |
| SHA256: | b4a622d3535bbc64dab4626bf93482a2983a63f77acd0ae9b6386f51f736376c |
| Tags: | exeuser-Bitsight |
| Infos: |   |
 | |
Detection
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Drops VBS files to the startup folder
Drops large PE files
Encrypted powershell cmdline option found
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Execution of Powershell with Base64
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
file.exe (PID: 7484 cmdline: "C:\Users\ user\Deskt op\file.ex e" MD5: 54F4EBCE5C56BF86C5948D89BA8C875F) 
powershell.exe (PID: 7652 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -enc QQBkA GQALQBNAHA AUAByAGUAZ gBlAHIAZQB uAGMAZQAgA C0ARQB4AGM AbAB1AHMAa QBvAG4AUAB hAHQAaAAgA EMAOgBcAFU AcwBlAHIAc wBcAGoAbwB uAGUAcwBcA EQAZQBzAGs AdABvAHAAX ABmAGkAbAB lAC4AZQB4A GUAOwAgAEE AZABkAC0AT QBwAFAAcgB lAGYAZQByA GUAbgBjAGU AIAAtAEUAe ABjAGwAdQB zAGkAbwBuA FAAcgBvAGM AZQBzAHMAI ABDADoAXAB VAHMAZQByA HMAXABqAG8 AbgBlAHMAX ABEAGUAcwB rAHQAbwBwA FwAZgBpAGw AZQAuAGUAe ABlADsAQQB kAGQALQBNA HAAUAByAGU AZgBlAHIAZ QBuAGMAZQA gAC0ARQB4A GMAbAB1AHM AaQBvAG4AU ABhAHQAaAA gAEMAOgBcA FUAcwBlAHI AcwBcAGoAb wBuAGUAcwB cAEEAcABwA EQAYQB0AGE AXABSAG8AY QBtAGkAbgB nAFwARABpA GEAZwBUAHI AYQBjAGsAL gBlAHgAZQA 7ACAAQQBkA GQALQBNAHA AUAByAGUAZ gBlAHIAZQB uAGMAZQAgA C0ARQB4AGM AbAB1AHMAa QBvAG4AUAB yAG8AYwBlA HMAcwAgAEM AOgBcAFUAc wBlAHIAcwB cAGoAbwBuA GUAcwBcAEE AcABwAEQAY QB0AGEAXAB SAG8AYQBtA GkAbgBnAFw ARABpAGEAZ wBUAHIAYQB jAGsALgBlA HgAZQA= MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) 
conhost.exe (PID: 7660 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
WmiPrvSE.exe (PID: 7804 cmdline: C:\Windows \system32\ wbem\wmipr vse.exe -s ecured -Em bedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51) 
MSBuild.exe (PID: 8012 cmdline: "C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\MSB uild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232) 
WerFault.exe (PID: 8132 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 8 012 -s 114 4 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
| Click to see the 1 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||