Windows
Analysis Report
dropper.exe
Overview
General Information
Detection
Score: 66
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Found direct / indirect Syscall (likely to bypass EDR)
Injects code into the Windows Explorer (explorer.exe)
Tries to delay execution (extensive OutputDebugStringW loop)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Uncommon Svchost Parent Process
Uses Microsoft's Enhanced Cryptographic Provider
Classification
- System is w10x64native
- dropper.exe (PID: 8180 cmdline: "C:\Users\user\Desktop\dropper.exe" MD5: 8841148D7D1186D5E5087B672DE0DE05)
- conhost.exe (PID: 6712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 6692 cmdline: "C:\Windows\System32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 1432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- winlogon.exe (PID: 888 cmdline: winlogon.exe MD5: A987B43E6A8E8F894B98A3DF022DB518)
- lsass.exe (PID: 952 cmdline: C:\Windows\system32\lsass.exe MD5: 15A556DEF233F112D127025AB51AC2D3)
- svchost.exe (PID: 8 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p MD5: F586835082F632DC8D9404D83BC16316)
- fontdrvhost.exe (PID: 800 cmdline: "fontdrvhost.exe" MD5: AB7AB4CF816D091EEE234C1D9BC4FD13)
- fontdrvhost.exe (PID: 780 cmdline: "fontdrvhost.exe" MD5: AB7AB4CF816D091EEE234C1D9BC4FD13)
- svchost.exe (PID: 1072 cmdline: C:\Windows\system32\svchost.exe -k RPCSS -p MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1120 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: F586835082F632DC8D9404D83BC16316)
- dwm.exe (PID: 1184 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
- svchost.exe (PID: 1252 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1320 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1364 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1372 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1424 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: F586835082F632DC8D9404D83BC16316)
- IntelCpHDCPSvc.exe (PID: 1448 cmdline: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHDCPSvc.exe MD5: B6BAD2BD8596D9101874E9042B8E2D63)
- svchost.exe (PID: 1488 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1516 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1584 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1672 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: F586835082F632DC8D9404D83BC16316)
- IntelCpHeciSvc.exe (PID: 1772 cmdline: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\IntelCpHeciSvc.exe MD5: 3B0DF35583675DE5A08E8D4C1271CEC0)
- igfxCUIService.exe (PID: 1784 cmdline: C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_2e49f48165b8de10\igfxCUIService.exe MD5: 91038D45A86B5465E8B7E5CD63187150)
- svchost.exe (PID: 1820 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1884 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1952 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2040 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1860 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 1512 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2108 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2240 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2344 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2404 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2464 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2552 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2636 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2640 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2672 cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 2712 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: F586835082F632DC8D9404D83BC16316)
- spoolsv.exe (PID: 2824 cmdline: C:\Windows\System32\spoolsv.exe MD5: 001E4317FC877B5C0DB731694CCED48D)
- cleanup
No configs have been found
No yara matches
Sigma rule author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Sigma rule author: Florian Roth (Nextron Systems)
No Suricata rule has matched
AV Detection
- Source: Virustotal (Perma Link)
- Source: Code function: 0_2_00007FF71745B240
- Source: Code function: 2_2_000002A38BE3E320
- Source: Code function: 2_2_00007FFFE33DE320
- Source: Static PE information
- Source: Binary string
- Source: Binary string
- Source: Binary string
- Source: Binary string