Edit tour
Windows
Analysis Report
ps11.0.0.129pro.exe
Overview
General Information
Detection
Score: | 34 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 20% |
Signatures
.NET source code contains very large array initializations
Hides threads from debuggers
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Office Autorun Keys Modification
Sigma detected: Potential Persistence Via Visual Studio Tools for Office
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- ps11.0.0.129pro.exe (PID: 5316 cmdline:
"C:\Users\ user\Deskt op\ps11.0. 0.129pro.e xe" MD5: FC13BC8B09702EC0CA1A48F7E9157380) - ps11.0.0.129pro.tmp (PID: 6252 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-HJD MM.tmp\ps1 1.0.0.129p ro.tmp" /S L5="$20410 ,54471570, 58368,C:\U sers\user\ Desktop\ps 11.0.0.129 pro.exe" MD5: 5ED68C2D50F4232A83D39C41722BC908) - _setup64.tmp (PID: 5260 cmdline:
helper 105 0x3E4 MD5: E4211D6D009757C078A9FAC7FF4F03D4) - conhost.exe (PID: 6016 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - PlanSwift.exe (PID: 416 cmdline:
"C:\Progra m Files (x 86)\PlanSw ift11\Plan Swift.exe" /regserve r MD5: B157207600DF34B69CA9AA91F1659383) - PlanSwift.exe (PID: 3140 cmdline:
"C:\Progra m Files (x 86)\PlanSw ift11\Plan Swift.exe" /init MD5: B157207600DF34B69CA9AA91F1659383) - PlanSwift.exe (PID: 5888 cmdline:
"C:\Progra m Files (x 86)\PlanSw ift11\Plan Swift.exe" -o "Sampl e Plan" MD5: B157207600DF34B69CA9AA91F1659383) - splwow64.exe (PID: 2656 cmdline:
C:\Windows \splwow64. exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
Click to see the 1 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
System Summary |
---|
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Bhabesh Raj: |
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
Source: | Registry value created: |
Source: | Static PE information: |
Source: | Window detected: |