Windows
Analysis Report
SFXcreator.cmd
Overview
General Information
Detection
Score: 60
Range: 0 - 100
Confidence: 100%
Signatures
Joe Sandbox ML detected suspicious sample
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Suspicious powershell command line found
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
cmd.exe (PID: 7860 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\SFXcreator.cmd"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
conhost.exe (PID: 7868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
powershell.exe (PID: 7912 cmdline: POWERSHELL -nop -c "$w=Add-Type -Name WAPI -PassThru -MemberDefinition '[DllImport(\"user32.dll\")]public static extern void SetProcessDPIAware();[DllImport(\"shcore.dll\")]public static extern void SetProcessDpiAwareness(int value);[DllImport(\"kernel32.dll\")]public static extern IntPtr GetConsoleWindow();[DllImport(\"user32.dll\")]public static extern void GetWindowRect(IntPtr hwnd, int[] rect);[DllImport(\"user32.dll\")]public static extern void GetClientRect(IntPtr hwnd, int[] rect);[DllImport(\"user32.dll\")]public static extern void GetMonitorInfoW(IntPtr hMonitor, int[] lpmi);[DllImport(\"user32.dll\")]public static extern IntPtr MonitorFromWindow(IntPtr hwnd, int dwFlags);[DllImport(\"user32.dll\")]public static extern int SetWindowPos(IntPtr hwnd, IntPtr hwndAfterZ, int x, int y, int w, int h, int flags);';$PROCESS_PER_MONITOR_DPI_AWARE=2;try {$w::SetProcessDpiAwareness($PROCESS_PER_MONITOR_DPI_AWARE)} catch {$w::SetProcessDPIAware()}$hwnd=$w::GetConsoleWindow();$moninf=[int[]]::new(10);$moninf[0]=40;$MONITOR_DEFAULTTONEAREST=2;$w::GetMonitorInfoW($w::MonitorFromWindow($hwnd, $MONITOR_DEFAULTTONEAREST), $moninf);$monwidth=$moninf[7] - $moninf[5];$monheight=$moninf[8] - $moninf[6];$wrect=[int[]]::new(4);$w::GetWindowRect($hwnd, $wrect);$winwidth=$wrect[2] - $wrect[0];$winheight=$wrect[3] - $wrect[1];$x=[int][math]::Round($moninf[5] + $monwidth / 2 - $winwidth / 2);$y=[int][math]::Round($moninf[6] + $monheight / 2 - $winheight / 2);$SWP_NOSIZE=0x0001;$SWP_NOZORDER=0x0004;exit [int]($w::SetWindowPos($hwnd, [IntPtr]::Zero, $x, $y, 0, 0, $SWP_NOSIZE -bOr $SWP_NOZORDER) -eq 0)" MD5: 04029E121A0CFA5991749937DD22A1D9)
csc.exe (PID: 8052 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnrkdcai\jnrkdcai.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
cvtres.exe (PID: 8068 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF423.tmp" "c:\Users\user\AppData\Local\Temp\jnrkdcai\CSC8A807EDE25CF4C3FB02DE82201240FA.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
chcp.com (PID: 7228 cmdline: chcp 850 MD5: 33395C4732A49065EA72590B14B64F32)
powershell.exe (PID: 7344 cmdline: powershell -nop -c iex ([io.file]::ReadAllText($env:0)); MD5: 04029E121A0CFA5991749937DD22A1D9)
csc.exe (PID: 5832 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5osvvxpn\5osvvxpn.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
cvtres.exe (PID: 7404 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES336.tmp" "c:\Users\user\AppData\Local\Temp\5osvvxpn\CSC639C51AEC00E4DEDBBC5EC84F8AEBA1B.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
timeout.exe (PID: 4772 cmdline: "C:\Windows\system32\timeout.exe" -1 MD5: 100065E21CFBBDE57CBA2838921F84D6)
- cleanup
No configs have been found
No yara matches
System Summary
Source: Author: Nasreddine Bencherchali (Nextron Systems)