Edit tour
Windows
Analysis Report
GD8c7ARn8q.exe
Overview
General Information
| Sample name: | GD8c7ARn8q.exerenamed because original name is a hash value |
| Original sample name: | 3f9d0c297e903a2200b78f8a87904934e1e1f0cd5fbef2194b0b6435361ed2ef.exe |
| Analysis ID: | 1569978 |
| MD5: | 142c78e668b72f3962c176f81a941953 |
| SHA1: | fd8391201a9682aabde56251f0ac5bb467c06e3d |
| SHA256: | 3f9d0c297e903a2200b78f8a87904934e1e1f0cd5fbef2194b0b6435361ed2ef |
| Tags: | exeuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
TrojanRansom
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected TrojanRansom
AI detected suspicious sample
Contains functionality to clear event logs
Deletes shadow drive data (may be related to ransomware)
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Sigma detected: Suspicious New Service Creation
Sigma detected: WScript or CScript Dropper
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Startup Folder File Write
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
GD8c7ARn8q.exe (PID: 4584 cmdline: "C:\Users\ user\Deskt op\GD8c7AR n8q.exe" MD5: 142C78E668B72F3962C176F81A941953) 
conhost.exe (PID: 1364 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 1656 cmdline:
C:\Windows \system32\ cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - tasklist.exe (PID: 1756 cmdline:
tasklist / v /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 6592 cmdline:
findstr /i "dcdcf" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 2648 cmdline:
C:\Windows \system32\ cmd.exe /c sc create SqlBakup binPath= " C:\Users\u ser\AppDat a\Roaming\ Microsoft\ Windows\St art Menu\P rograms\St artup\Xinf ecter.exe" start=aut o MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - sc.exe (PID: 4884 cmdline:
sc create SqlBakup b inPath= "C :\Users\us er\AppData \Roaming\M icrosoft\W indows\Sta rt Menu\Pr ograms\Sta rtup\Xinfe cter.exe" start=auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8) - cmd.exe (PID: 5880 cmdline:
C:\Windows \system32\ cmd.exe /c sc create SqlBakup binPath= " C:\Users\u ser\AppDat a\Roaming\ Microsoft\ Windows\St art Menu\P rograms\St artup\Xinf ecter.exe" start= au to MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - sc.exe (PID: 5900 cmdline:
sc create SqlBakup b inPath= "C :\Users\us er\AppData \Roaming\M icrosoft\W indows\Sta rt Menu\Pr ograms\Sta rtup\Xinfe cter.exe" start= aut o MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8) - cmd.exe (PID: 6336 cmdline:
C:\Windows \system32\ cmd.exe /c sc create SqlBakup binPath= " C:\Documen ts and Set tings\user \Start Men u\Programs \Startup\X infecter.e xe" start= auto MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - sc.exe (PID: 1468 cmdline:
sc create SqlBakup b inPath= "C :\Document s and Sett ings\user\ Start Menu \Programs\ Startup\Xi nfecter.ex e" start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8) - cmd.exe (PID: 6468 cmdline:
C:\Windows \system32\ cmd.exe /c ver MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - cmd.exe (PID: 5444 cmdline:
C:\Windows \system32\ cmd.exe /c cd "%Syst emDrive%\U sers\%user name%\AppD ata\"&S-21 53.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
wscript.exe (PID: 4068 cmdline: "C:\Window s\System32 \WScript.e xe" "C:\Us ers\user\A ppData\S-8 459.vbs" MD5: FF00E0480075B095948000BDC66E81F0) - cmd.exe (PID: 6740 cmdline:
C:\Windows \system32\ cmd.exe /C echo C:\U sers\user\ AppData\S- 6748.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6900 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 6592 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\S-674 8.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5616 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 3568 cmdline:
tasklist / v MD5: 0A4448B31CE7F83CB7691A2657F330F1) - find.exe (PID: 4496 cmdline:
find /I /c "dcdcf" MD5: 15B158BC998EEF74CFDD27C44978AEA0) - timeout.exe (PID: 5928 cmdline:
timeout /t 15 /nobre ak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - tasklist.exe (PID: 5064 cmdline:
tasklist / fi "ImageN ame eq GD8 c7ARn8q.ex e" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1) - find.exe (PID: 2264 cmdline:
find /I "G D8c7ARn8q. exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0) - timeout.exe (PID: 5352 cmdline:
timeout /t 15 /nobre ak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - tasklist.exe (PID: 5056 cmdline:
tasklist / fi "ImageN ame eq GD8 c7ARn8q.ex e" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1) - find.exe (PID: 6880 cmdline:
find /I "G D8c7ARn8q. exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0) - timeout.exe (PID: 1772 cmdline:
timeout /t 15 /nobre ak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - tasklist.exe (PID: 1656 cmdline:
tasklist / fi "ImageN ame eq GD8 c7ARn8q.ex e" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1) - find.exe (PID: 3984 cmdline:
find /I "G D8c7ARn8q. exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0) - timeout.exe (PID: 2068 cmdline:
timeout /t 15 /nobre ak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - tasklist.exe (PID: 6960 cmdline:
tasklist / fi "ImageN ame eq GD8 c7ARn8q.ex e" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1) - find.exe (PID: 6896 cmdline:
find /I "G D8c7ARn8q. exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0) - timeout.exe (PID: 6288 cmdline:
timeout /t 15 /nobre ak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - tasklist.exe (PID: 5916 cmdline:
tasklist / fi "ImageN ame eq GD8 c7ARn8q.ex e" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1) - find.exe (PID: 5248 cmdline:
find /I "G D8c7ARn8q. exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0) - timeout.exe (PID: 4912 cmdline:
timeout /t 15 /nobre ak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - cmd.exe (PID: 5588 cmdline:
C:\Windows \system32\ cmd.exe /c schtasks /create /s c minute / mo 6 /tn " Microsoft_ Auto_Sched uler" /tr "'C:\Users \%username %\AppData\ S-2153.bat '" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - schtasks.exe (PID: 1496 cmdline:
schtasks / create /sc minute /m o 6 /tn "M icrosoft_A uto_Schedu ler" /tr " 'C:\Users\ user\AppDa ta\S-2153. bat'" /f MD5: 48C2FE20575769DE916F48EF0676A965) - cmd.exe (PID: 2644 cmdline:
C:\Windows \system32\ cmd.exe /c echo %dat e%-%time% MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - cmd.exe (PID: 3688 cmdline:
C:\Windows \system32\ cmd.exe /c systeminf o|find /i "os name" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - systeminfo.exe (PID: 736 cmdline:
systeminfo MD5: 36CCB1FFAFD651F64A22B5DA0A1EA5C5) - find.exe (PID: 6992 cmdline:
find /i "o s name" MD5: 15B158BC998EEF74CFDD27C44978AEA0) - cmd.exe (PID: 4692 cmdline:
C:\Windows \system32\ cmd.exe /c systeminf o|find /i "original" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - systeminfo.exe (PID: 4864 cmdline:
systeminfo MD5: 36CCB1FFAFD651F64A22B5DA0A1EA5C5) - find.exe (PID: 1060 cmdline:
find /i "o riginal" MD5: 15B158BC998EEF74CFDD27C44978AEA0) - cmd.exe (PID: 6036 cmdline:
C:\Windows \system32\ cmd.exe /c ver MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- cmd.exe (PID: 348 cmdline:
C:\Windows \SYSTEM32\ cmd.exe /c ""C:\User s\user\App Data\S-215 3.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 1888 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - wscript.exe (PID: 5272 cmdline:
"C:\Window s\System32 \WScript.e xe" "C:\Us ers\user\A ppData\S-8 459.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - cmd.exe (PID: 5848 cmdline:
C:\Windows \system32\ cmd.exe /C echo C:\U sers\user\ AppData\S- 6748.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 5124 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 5912 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\S-674 8.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6188 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 5832 cmdline:
tasklist / v MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - find.exe (PID: 736 cmdline:
find /I /c "dcdcf" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
- Xinfecter.exe (PID: 6916 cmdline:
"C:\Users\ user\AppDa ta\Roaming \Microsoft \Windows\S tart Menu\ Programs\S tartup\Xin fecter.exe " MD5: 142C78E668B72F3962C176F81A941953) - conhost.exe (PID: 1496 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_TrojanRansom | Yara detected TrojanRansom | Joe Security | ||
| JoeSecurity_TrojanRansom | Yara detected TrojanRansom | Joe Security |
System Summary |   |
|---|
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: | ||
| Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): | ||
| Source: | Author: Michael Haag: | ||
| Source: | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-06T13:39:27.608174+0100 | 2045821 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 185.147.34.53 | 3586 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 0_2_008C49B0 | |
| Source: | Code function: | 0_2_008C4F70 | |
| Source: | Code function: | 0_2_008C5080 | |
| Source: | Code function: | 0_2_008C4B10 | |
| Source: | Code function: | 0_2_008C4EA0 | |
| Source: | Code function: | 0_2_008C4EE0 | |
| Source: | Code function: | 43_2_00F249B0 | |
| Source: | Code function: | 43_2_00F24F70 | |
| Source: | Code function: | 43_2_00F25080 | |
| Source: | Code function: | 43_2_00F24B10 | |
| Source: | Code function: | 43_2_00F24EE0 | |
| Source: | Code function: | 43_2_00F24EA0 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | |||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 0_2_00874CC0 | |
| Source: | Code function: | 43_2_00ED4CC0 | |
| Source: | Code function: | 0_2_0092C1DB | |
| Source: | Code function: | 0_2_00878A30 | |
| Source: | Code function: | 0_2_00878B70 | |
| Source: | Code function: | 0_2_0087A2AA | |
| Source: | Code function: | 0_2_0087B6D0 | |
| Source: | Code function: | 43_2_00F8C1DB | |
| Source: | Code function: | 43_2_00EDA2AA | |
| Source: | Code function: | 43_2_00ED8A30 | |
| Source: | Code function: | 43_2_00ED8B70 | |
| Source: | Code function: | 43_2_00EDB6D0 | |
| Source: | Code function: | 0_2_0087E0D0 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Network traffic detected: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_00868D10 | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
Spam, unwanted Advertisements and Ransom Demands | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_008847A9 | |
| Source: | Code function: | 0_2_0088C8D0 | |
| Source: | Code function: | 0_2_0088D7EF | |
| Source: | Code function: | 43_2_00EE47A9 | |
| Source: | Code function: | 43_2_00EEC8D0 | |
| Source: | Code function: | 43_2_00EED7EF | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||