Windows
Analysis Report
setup-lightshot 1.exe
Overview
General Information
Detection
Score: 10
Range: 0 - 100
Whitelisted: false
Confidence: 0%
Signatures
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Classification
- System is w10x64
- setup-lightshot 1.exe (PID: 7000 cmdline: "C:\Users\user\Desktop\setup-lightshot 1.exe" MD5: A1F6923E771B4FF0DF9FEC9555F97C65)
- setup-lightshot 1.tmp (PID: 7044 cmdline: "C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp" /SL5="$10412,2148280,486912,C:\Users\user\Desktop\setup-lightshot 1.exe" MD5: C6BFFD4DA620B07CB214F1BD8E7F21D2)
- taskkill.exe (PID: 2696 cmdline: "C:\Windows\System32\taskkill.exe" /f /im lightshot.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 5628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 1312 cmdline: "taskkill.exe" /F /IM lightshot.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 1456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Lightshot.exe (PID: 4460 cmdline: "C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe" MD5: 62EB961457DF016FA3949E9601A1A845)
- Lightshot.exe (PID: 3852 cmdline: "C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe" MD5: 1E1C83B9680029AD4A9F8D3B3AC93197)
- setupupdater.exe (PID: 1804 cmdline: "C:\Users\user\AppData\Local\Temp\is-P7E8S.tmp\setupupdater.exe" /verysilent MD5: 843D23F6AAB075A3C032B06D30CE9C5D)
- setupupdater.tmp (PID: 4900 cmdline: "C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp" /SL5="$80080,490430,120832,C:\Users\user\AppData\Local\Temp\is-P7E8S.tmp\setupupdater.exe" /verysilent MD5: 3613E29D2A7B90C1012EC676819CC1CD)
- net.exe (PID: 7136 cmdline: "C:\Windows\system32\net.exe" START SCHEDULE MD5: 31890A7DE89936F922D44D677F681A7F)
- conhost.exe (PID: 4408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- net1.exe (PID: 6224 cmdline: C:\Windows\system32\net1 START SCHEDULE MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
- Updater.exe (PID: 1608 cmdline: "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addsystask MD5: FBE0664E1C333E36E3CE73D8BD5CC8A1)
- Updater.exe (PID: 2208 cmdline: "C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml" MD5: 3EC8F4BD54EF439A8FAB6467122DA0C4)
- Updater.exe (PID: 4432 cmdline: "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml" MD5: FBE0664E1C333E36E3CE73D8BD5CC8A1)
- Updater.exe (PID: 736 cmdline: "C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true" MD5: 3EC8F4BD54EF439A8FAB6467122DA0C4)
- Updater.exe (PID: 792 cmdline: "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true" MD5: FBE0664E1C333E36E3CE73D8BD5CC8A1)
- Updater.exe (PID: 4476 cmdline: "C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addtask MD5: 3EC8F4BD54EF439A8FAB6467122DA0C4)
- Updater.exe (PID: 7136 cmdline: "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe" -runmode=addtask MD5: FBE0664E1C333E36E3CE73D8BD5CC8A1)
- Updater.exe (PID: 4408 cmdline: "C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml" MD5: 3EC8F4BD54EF439A8FAB6467122DA0C4)
- Updater.exe (PID: 5232 cmdline: "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml" MD5: FBE0664E1C333E36E3CE73D8BD5CC8A1)
- chrome.exe (PID: 5544 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://app.prntscr.com/thankyou_desktop.html#install_source=default MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 1860 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1888,i,7167525600281717774,4743937817464806075,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- Updater.exe (PID: 2076 cmdline: "C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=checkupdate MD5: 3EC8F4BD54EF439A8FAB6467122DA0C4)
- Updater.exe (PID: 4324 cmdline: "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=checkupdate MD5: FBE0664E1C333E36E3CE73D8BD5CC8A1)
- Updater.exe (PID: 1312 cmdline: "C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=checkupdate MD5: 3EC8F4BD54EF439A8FAB6467122DA0C4)
- Updater.exe (PID: 980 cmdline: "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=checkupdate MD5: FBE0664E1C333E36E3CE73D8BD5CC8A1)
- Lightshot.exe (PID: 4628 cmdline: "C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe" MD5: 62EB961457DF016FA3949E9601A1A845)
- Lightshot.exe (PID: 1244 cmdline: "C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe" MD5: 1E1C83B9680029AD4A9F8D3B3AC93197)
- cleanup
No configs have been found
No yara matches
Source: Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Source: Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
Source: Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
No Suricata rule has matched
Code functions referenced by the signatures above: 8_2_00F8B820, 8_2_00FB96F0, 8_2_00F8E6C0, 8_2_00F8E640, 8_2_00FB9710, 8_2_00F8EC90, 8_2_00F8ED80, 8_2_00F8EFD0, 8_2_6CF26FD0, 8_2_6CF24F20, 8_2_6CF279F0, 8_2_6CF459D0, 8_2_6CF459B0, 8_2_6CF276B0, 8_2_6CF277A0, 8_2_6CF27050, 16_2_008FED80, 16_2_008FEE10, 20_2_008FED80, 20_2_008FEE10