Windows
Analysis Report
dropper.exe
Overview
General Information
Detection
Score: | 66 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Found direct / indirect Syscall (likely to bypass EDR)
Injects code into the Windows Explorer (explorer.exe)
Tries to delay execution (extensive OutputDebugStringW loop)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Uncommon Svchost Parent Process
Uses Microsoft's Enhanced Cryptographic Provider
Classification
- System is w10x64native
- dropper.exe (PID: 8528 cmdline: "C:\Users\user\Desktop\dropper.exe" MD5: 8841148D7D1186D5E5087B672DE0DE05)
- conhost.exe (PID: 8540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 8632 cmdline: "C:\Windows\System32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- winlogon.exe (PID: 888 cmdline: winlogon.exe MD5: A987B43E6A8E8F894B98A3DF022DB518)
- lsass.exe (PID: 944 cmdline: C:\Windows\system32\lsass.exe MD5: 15A556DEF233F112D127025AB51AC2D3)
- svchost.exe (PID: 568 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p MD5: F586835082F632DC8D9404D83BC16316)
- fontdrvhost.exe (PID: 556 cmdline: "fontdrvhost.exe" MD5: AB7AB4CF816D091EEE234C1D9BC4FD13)
- fontdrvhost.exe (PID: 680 cmdline: "fontdrvhost.exe" MD5: AB7AB4CF816D091EEE234C1D9BC4FD13)
- svchost.exe (PID: 1064 cmdline: C:\Windows\system32\svchost.exe -k RPCSS -p MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1112 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: F586835082F632DC8D9404D83BC16316)
- dwm.exe (PID: 1180 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
- svchost.exe (PID: 1256 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1300 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1340 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1348 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1416 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: F586835082F632DC8D9404D83BC16316)
- IntelCpHDCPSvc.exe (PID: 1456 cmdline: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe MD5: B6BAD2BD8596D9101874E9042B8E2D63)
- svchost.exe (PID: 1464 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1520 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1556 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1652 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: F586835082F632DC8D9404D83BC16316)
- igfxCUIService.exe (PID: 1724 cmdline: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe MD5: 91038D45A86B5465E8B7E5CD63187150)
- IntelCpHeciSvc.exe (PID: 1732 cmdline: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe MD5: 3B0DF35583675DE5A08E8D4C1271CEC0)
- svchost.exe (PID: 1780 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1856 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1872 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1968 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2024 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2052 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2064 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2128 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2276 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2368 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2420 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2492 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2568 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2656 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2664 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2688 cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2728 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: F586835082F632DC8D9404D83BC16316)
- cleanup
No configs have been found
No yara matches
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Florian Roth (Nextron Systems): |
No Suricata rule has matched
AV Detection |
---|
Source: | Virustotal: | Perma Link |
Source: | Code function: | 0_2_00007FF66CB5B240 |
Source: | Code function: | 2_2_0000018DB557E320 |
Source: | Code function: | 2_2_00007FFD3580E320 |
Source: | Static PE information: |
Source: | Binary string: |