Edit tour
Windows
Analysis Report
lEUy79aLAW.exe
Overview
General Information
| Sample name: | lEUy79aLAW.exerenamed because original name is a hash value |
| Original sample name: | 11ce7e8787a5177ad0f12ce96fc9ca848f463c4608d935f97d940240453ff00d.exe |
| Analysis ID: | 1569983 |
| MD5: | 682db93e884f81383ce078df1353ff1b |
| SHA1: | 5ff824a3fa5c45e5de5853e643aa1da058c9878d |
| SHA256: | 11ce7e8787a5177ad0f12ce96fc9ca848f463c4608d935f97d940240453ff00d |
| Tags: | exeuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
TrojanRansom
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected TrojanRansom
AI detected suspicious sample
Contains functionality to clear event logs
Deletes shadow drive data (may be related to ransomware)
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: HackTool - CACTUSTORCH Remote Thread Creation
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Sigma detected: Suspicious New Service Creation
Sigma detected: WScript or CScript Dropper
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Startup Folder File Write
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
lEUy79aLAW.exe (PID: 3332 cmdline: "C:\Users\ user\Deskt op\lEUy79a LAW.exe" MD5: 682DB93E884F81383CE078DF1353FF1B) 
conhost.exe (PID: 6656 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 6192 cmdline:
C:\Windows \system32\ cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - tasklist.exe (PID: 5960 cmdline:
tasklist / v /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 7092 cmdline:
findstr /i "dcdcf" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 1412 cmdline:
C:\Windows \system32\ cmd.exe /c sc create SqlBakup binPath= " C:\Users\u ser\AppDat a\Roaming\ Microsoft\ Windows\St art Menu\P rograms\St artup\Xinf ecter.exe" start=aut o MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - sc.exe (PID: 7104 cmdline:
sc create SqlBakup b inPath= "C :\Users\us er\AppData \Roaming\M icrosoft\W indows\Sta rt Menu\Pr ograms\Sta rtup\Xinfe cter.exe" start=auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8) - cmd.exe (PID: 3228 cmdline:
C:\Windows \system32\ cmd.exe /c sc create SqlBakup binPath= " C:\Users\u ser\AppDat a\Roaming\ Microsoft\ Windows\St art Menu\P rograms\St artup\Xinf ecter.exe" start= au to MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - sc.exe (PID: 6128 cmdline:
sc create SqlBakup b inPath= "C :\Users\us er\AppData \Roaming\M icrosoft\W indows\Sta rt Menu\Pr ograms\Sta rtup\Xinfe cter.exe" start= aut o MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8) - cmd.exe (PID: 5968 cmdline:
C:\Windows \system32\ cmd.exe /c ver MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - cmd.exe (PID: 3364 cmdline:
C:\Windows \system32\ cmd.exe /c cd "%Syst emDrive%\U sers\%user name%\AppD ata\"&S-21 53.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
wscript.exe (PID: 2964 cmdline: "C:\Window s\System32 \WScript.e xe" "C:\Us ers\user\A ppData\S-8 459.vbs" MD5: FF00E0480075B095948000BDC66E81F0) - cmd.exe (PID: 2284 cmdline:
C:\Windows \system32\ cmd.exe /C echo C:\U sers\user\ AppData\S- 6748.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 3116 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 1248 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\S-674 8.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 3712 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 6660 cmdline:
tasklist / v MD5: 0A4448B31CE7F83CB7691A2657F330F1) - find.exe (PID: 2072 cmdline:
find /I /c "dcdcf" MD5: 15B158BC998EEF74CFDD27C44978AEA0) - timeout.exe (PID: 7192 cmdline:
timeout /t 15 /nobre ak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - tasklist.exe (PID: 7644 cmdline:
tasklist / fi "ImageN ame eq lEU y79aLAW.ex e" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1) - find.exe (PID: 7652 cmdline:
find /I "l EUy79aLAW. exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0) - timeout.exe (PID: 7696 cmdline:
timeout /t 15 /nobre ak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - tasklist.exe (PID: 7772 cmdline:
tasklist / fi "ImageN ame eq lEU y79aLAW.ex e" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1) - find.exe (PID: 7780 cmdline:
find /I "l EUy79aLAW. exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0) - timeout.exe (PID: 7820 cmdline:
timeout /t 15 /nobre ak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - tasklist.exe (PID: 7912 cmdline:
tasklist / fi "ImageN ame eq lEU y79aLAW.ex e" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1) - find.exe (PID: 7920 cmdline:
find /I "l EUy79aLAW. exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0) - timeout.exe (PID: 7956 cmdline:
timeout /t 15 /nobre ak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - tasklist.exe (PID: 8032 cmdline:
tasklist / fi "ImageN ame eq lEU y79aLAW.ex e" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1) - find.exe (PID: 8040 cmdline:
find /I "l EUy79aLAW. exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0) - timeout.exe (PID: 8076 cmdline:
timeout /t 15 /nobre ak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - tasklist.exe (PID: 8152 cmdline:
tasklist / fi "ImageN ame eq lEU y79aLAW.ex e" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1) - find.exe (PID: 8160 cmdline:
find /I "l EUy79aLAW. exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0) - timeout.exe (PID: 1784 cmdline:
timeout /t 15 /nobre ak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - tasklist.exe (PID: 4676 cmdline:
tasklist / fi "ImageN ame eq lEU y79aLAW.ex e" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1) - find.exe (PID: 4852 cmdline:
find /I "l EUy79aLAW. exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0) - cmd.exe (PID: 6660 cmdline:
C:\Windows \system32\ cmd.exe /c schtasks /create /s c minute / mo 6 /tn " Microsoft_ Auto_Sched uler" /tr "'C:\Users \%username %\AppData\ S-2153.bat '" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - schtasks.exe (PID: 1564 cmdline:
schtasks / create /sc minute /m o 6 /tn "M icrosoft_A uto_Schedu ler" /tr " 'C:\Users\ user\AppDa ta\S-2153. bat'" /f MD5: 48C2FE20575769DE916F48EF0676A965) - cmd.exe (PID: 1784 cmdline:
C:\Windows \system32\ cmd.exe /c echo %dat e%-%time% MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - cmd.exe (PID: 432 cmdline:
C:\Windows \system32\ cmd.exe /c systeminf o|find /i "os name" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - systeminfo.exe (PID: 6188 cmdline:
systeminfo MD5: 36CCB1FFAFD651F64A22B5DA0A1EA5C5) - find.exe (PID: 6192 cmdline:
find /i "o s name" MD5: 15B158BC998EEF74CFDD27C44978AEA0) - cmd.exe (PID: 6648 cmdline:
C:\Windows \system32\ cmd.exe /c systeminf o|find /i "original" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - systeminfo.exe (PID: 3292 cmdline:
systeminfo MD5: 36CCB1FFAFD651F64A22B5DA0A1EA5C5) - find.exe (PID: 3536 cmdline:
find /i "o riginal" MD5: 15B158BC998EEF74CFDD27C44978AEA0) - cmd.exe (PID: 6576 cmdline:
C:\Windows \system32\ cmd.exe /c ver MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- cmd.exe (PID: 5808 cmdline:
C:\Windows \system32\ cmd.exe /c sc create SqlBakup binPath= " C:\Documen ts and Set tings\user \Start Men u\Programs \Startup\X infecter.e xe" start= auto MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- cmd.exe (PID: 7104 cmdline:
C:\Windows \SYSTEM32\ cmd.exe /c ""C:\User s\user\App Data\S-215 3.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 3176 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - wscript.exe (PID: 6576 cmdline:
"C:\Window s\System32 \WScript.e xe" "C:\Us ers\user\A ppData\S-8 459.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - cmd.exe (PID: 7216 cmdline:
C:\Windows \system32\ cmd.exe /C echo C:\U sers\user\ AppData\S- 6748.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7224 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7316 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\S-674 8.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7324 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 7368 cmdline:
tasklist / v MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - find.exe (PID: 7376 cmdline:
find /I /c "dcdcf" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
- Xinfecter.exe (PID: 7452 cmdline:
"C:\Users\ user\AppDa ta\Roaming \Microsoft \Windows\S tart Menu\ Programs\S tartup\Xin fecter.exe " MD5: 682DB93E884F81383CE078DF1353FF1B) - conhost.exe (PID: 7460 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_TrojanRansom | Yara detected TrojanRansom | Joe Security | ||
| JoeSecurity_TrojanRansom | Yara detected TrojanRansom | Joe Security |
System Summary |   |
|---|
| Source: | Author: @SBousseaden (detection), Thomas Patzke (rule): | ||
| Source: | Author: Perez Diego (@darkquassar), oscd.community: | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: | ||
| Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): | ||
| Source: | Author: Michael Haag: | ||
| Source: | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-06T13:42:01.978932+0100 | 2045821 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 185.147.34.53 | 3586 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 0_2_00A24230 | |
| Source: | Code function: | 0_2_00A247F0 | |
| Source: | Code function: | 0_2_00A24900 | |
| Source: | Code function: | 0_2_00A24390 | |
| Source: | Code function: | 0_2_00A24720 | |
| Source: | Code function: | 0_2_00A24760 | |
| Source: | Code function: | 42_2_00C34230 | |
| Source: | Code function: | 42_2_00C347F0 | |
| Source: | Code function: | 42_2_00C34900 | |
| Source: | Code function: | 42_2_00C34390 | |
| Source: | Code function: | 42_2_00C34760 | |
| Source: | Code function: | 42_2_00C34720 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | |||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 0_2_009D4500 | |
| Source: | Code function: | 42_2_00BE4500 | |
| Source: | Code function: | 0_2_009D8240 | |
| Source: | Code function: | 0_2_009D8380 | |
| Source: | Code function: | 0_2_009DAF50 | |
| Source: | Code function: | 0_2_009D9ABA | |
| Source: | Code function: | 0_2_00A8BA6B | |
| Source: | Code function: | 42_2_00BE8240 | |
| Source: | Code function: | 42_2_00BE8380 | |
| Source: | Code function: | 42_2_00BEAF50 | |
| Source: | Code function: | 42_2_00BEAF50 | |
| Source: | Code function: | 42_2_00BEAF50 | |
| Source: | Code function: | 42_2_00BE9ABA | |
| Source: | Code function: | 42_2_00C9BA6B | |
| Source: | Code function: | 0_2_009DD950 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Network traffic detected: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_009D6808 | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
Spam, unwanted Advertisements and Ransom Demands | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_009E4049 | |
| Source: | Code function: | 0_2_009EC170 | |
| Source: | Code function: | 0_2_009ED08F | |
| Source: | Code function: | 42_2_00BF4049 | |
| Source: | Code function: | 42_2_00BFBD00 | |
| Source: | Code function: | 42_2_00BFD08F | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||