Edit tour
Windows
Analysis Report
https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.190-1/virtio-win-guest-tools.exe
Overview
General Information
| Sample URL: | https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.190-1/virtio-win-guest-tools.exe |
| Analysis ID: | 1567958 |
| Infos: |  |
 | |
Detection
| Score: | 48 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Creates files in the system32 config directory
Sample is not signed and drops a device driver
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores large binary data to the registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
cmd.exe (PID: 2944 cmdline: C:\Windows \system32\ cmd.exe /c wget -t 2 -v -T 60 -P "C:\Use rs\user\De sktop\down load" --no -check-cer tificate - -content-d isposition --user-ag ent="Mozil la/5.0 (Wi ndows NT 6 .1; WOW64; Trident/7 .0; AS; rv :11.0) lik e Gecko" " https://fe dorapeople .org/group s/virt/vir tio-win/di rect-downl oads/archi ve-virtio/ virtio-win -0.1.190-1 /virtio-wi n-guest-to ols.exe" > cmdline.o ut 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 4856 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
wget.exe (PID: 3552 cmdline: wget -t 2 -v -T 60 - P "C:\User s\user\Des ktop\downl oad" --no- check-cert ificate -- content-di sposition --user-age nt="Mozill a/5.0 (Win dows NT 6. 1; WOW64; Trident/7. 0; AS; rv: 11.0) like Gecko" "h ttps://fed orapeople. org/groups /virt/virt io-win/dir ect-downlo ads/archiv e-virtio/v irtio-win- 0.1.190-1/ virtio-win -guest-too ls.exe" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
virtio-win-guest-tools.exe (PID: 6160 cmdline: "C:\Users\ user\Deskt op\downloa d\virtio-w in-guest-t ools.exe" MD5: 1A9FFB4B1EF2D9DC7306F9A89A843E30) - virtio-win-guest-tools.exe (PID: 2296 cmdline:
"C:\Window s\Temp\{2F FEF396-119 4-4813-974 A-F9DCF9F6 57BD}\.cr\ virtio-win -guest-too ls.exe" -b urn.clean. room="C:\U sers\user\ Desktop\do wnload\vir tio-win-gu est-tools. exe" -burn .filehandl e.attached =692 -burn .filehandl e.self=696 MD5: 54DD7840D30EA3987CA058C3A6EC9EFB) - virtio-win-guest-tools.exe (PID: 6364 cmdline:
"C:\Window s\Temp\{AC B7D9B0-8B9 2-4A8E-8C0 7-6DBE5F72 C3E6}\.be\ virtio-win -guest-too ls.exe" -q -burn.ele vated Burn Pipe.{AD92 5B29-332B- 48DA-94C6- 0FCBDEB46E 9F} {26D68 9B6-77FE-4 7DA-8C68-1 5F59553EE9 F} 2296 MD5: 54DD7840D30EA3987CA058C3A6EC9EFB)
- SrTasks.exe (PID: 1972 cmdline:
C:\Windows \system32\ srtasks.ex e ExecuteS copeRestor ePoint /Wa itForResto rePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB) - conhost.exe (PID: 6020 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
msiexec.exe (PID: 5296 cmdline: C:\Windows \system32\ msiexec.ex e /V MD5: E5DA170027542E25EDE42FC54C929077) - msiexec.exe (PID: 1600 cmdline:
C:\Windows \System32\ MsiExec.ex e -Embeddi ng B738355 633D81DF29 79CEF66669 D5A66 MD5: E5DA170027542E25EDE42FC54C929077) - msiexec.exe (PID: 2140 cmdline:
C:\Windows \System32\ MsiExec.ex e -Embeddi ng 39E6011 BFEDB699D6 B1CF7CFC68 D0506 E Gl obal\MSI00 00 MD5: E5DA170027542E25EDE42FC54C929077)
- drvinst.exe (PID: 3556 cmdline:
DrvInst.ex e "4" "1" "C:\Progra m Files\Vi rtio-Win\B alloon\bal loon.inf" "9" "4fbca 703f" "000 0000000000 158" "WinS ta0\Defaul t" "000000 000000016C " "208" "C :\Program Files\Virt io-Win\Bal loon" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9) 
rundll32.exe (PID: 2764 cmdline: rundll32.e xe C:\Wind ows\system 32\pnpui.d ll,Install SecurityPr omptRunDll W 20 Globa l\{3ced9da 7-7c27-ae4 f-88bb-bc2 320dc78b8} Global\{8 95dede3-19 2d-8147-9a d8-e964167 07c08} C:\ Windows\Sy stem32\Dri verStore\T emp\{3f982 870-ee04-2 244-a5af-0 37f6753605 7}\balloon .inf C:\Wi ndows\Syst em32\Drive rStore\Tem p\{3f98287 0-ee04-224 4-a5af-037 f67536057} \Balloon.c at MD5: EF3179D498793BF4234F708D3BE28633)
- cleanup
⊘No configs have been found
⊘No yara matches
| Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
| Source: | Window detected: | ||