Windows Analysis Report
1728051009eb10e260047d3aa3611519e2e152a4cdb441fe3d74ad605ec9b33cc2a06c688f138.dat-decoded.exe

Overview

General Information

Sample name: 1728051009eb10e260047d3aa3611519e2e152a4cdb441fe3d74ad605ec9b33cc2a06c688f138.dat-decoded.exe
Analysis ID: 1525934
MD5: b5a7911c3e2c9b1c2dc810bd3355ea34
SHA1: a6cb0cb7e7979d99293117f36485ee95207b3d40
SHA256: 8b403bd306d2b5deb77a14627273dd08f2717da9091de9477cf206a42cdbbb6c
Tags: base64-decoded, exe, user-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: The image file %1 is valid, but is for a machine type other than the current machine.

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected UAC Bypass using CMSTP
Yara signature match

Classification

Exploits

Source: Yara match File source: 1728051009eb10e260047d3aa3611519e2e152a4cdb441fe3d74ad605ec9b33cc2a06c688f138.dat-decoded.exe, type: SAMPLE

System Summary

Source: 1728051009eb10e260047d3aa3611519e2e152a4cdb441fe3d74ad605ec9b33cc2a06c688f138.dat-decoded.exe, type: SAMPLE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1728051009eb10e260047d3aa3611519e2e152a4cdb441fe3d74ad605ec9b33cc2a06c688f138.dat-decoded.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine Classification label: mal56.expl.winEXE@0/0@0/0
Source: 1728051009eb10e260047d3aa3611519e2e152a4cdb441fe3d74ad605ec9b33cc2a06c688f138.dat-decoded.exe String found in binary or memory: id-cmc-addExtensions
Source: 1728051009eb10e260047d3aa3611519e2e152a4cdb441fe3d74ad605ec9b33cc2a06c688f138.dat-decoded.exe String found in binary or memory: set-addPolicy
Source: 1728051009eb10e260047d3aa3611519e2e152a4cdb441fe3d74ad605ec9b33cc2a06c688f138.dat-decoded.exe String found in binary or memory: #G $G*SeDebugPrivilegentdll.dllNtQuerySystemInformationNtQueryObjectNtQuerySectionkernel32.dllNtWow64QueryInformationProcess64NtWow64ReadVirtualMemory64A:\SystemRoot\??\UnmapViewOfFile [-] Can't kill whitelist process (%s - pid:%i), file: %s[*] Killing blocking process (%s - pid:%i), file: %sRstrtmgr.dll [-] Restart manager not loaded! Code %lu.ntdllNtSetInformationProcessNtQueryInformationProcess [-] Unlock file failed: %s. Code %lu. [-] RmStartSession failed. Error = %i. Code %lu. [-] RmRegisterResources failed. Error = %i. Code %lu. [-] RmGetList failed. Error = %i. Code %lu.[*] Killing blocking process: %s (%s - pid:%i) [-] Failed to kill process pid:%i. Code %lu.[*] Service: %sSYSTEM\CurrentControlSet\Services\Start [-] Failed to disable service: %s! Code %lu.[*] Process: %sspoolsv.exesihost.exefontdrvhost.execmd.exedwm.exeLogonUI.exelsass.execsrss.exesmss.exewinlogon.exeservices.execonhost.exeeverything.exe[+] Success run: %s (pid:%i)[+] Failed to run: %s! Code %lu.abcdefghijklmnopqrstuvwxyzLocal_ABCDEF0123456789XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXWhosYourBunny[*] CLONE INFO: I'm a clone![*] CLONE INFO: I'm original process!"%1" %*Software\Classes\exefile\shell\open\command[+] Auto-elevation success.\AppData\ [-] Auto-elevation failed! Code %lu.[+] Re-launch success. [-] Re-launch failed! Code %lu.[+] Command execution completed.\*[+] OK Copy: %s => %s [-] Failed! Copy: %s =
Source: 1728051009eb10e260047d3aa3611519e2e152a4cdb441fe3d74ad605ec9b33cc2a06c688f138.dat-decoded.exe String found in binary or memory: %s. Code %lu.*.exe*.iniSOFTWARE\Microsoft\Windows\CurrentVersion\RunHKEY_LOCAL_MACHINEHKEY_CURRENT_USER[+] Autorun added success => %s\%s [-] Failed to write autorun value. Code %lu. [-] Failed to create autorun key. Code %lu.ping 127.2 -n 5 & fsutil file setZeroData offset=0 length=20000000 "%s" & cd /d "%s" & Del /f /q /a *.exe *.batcmd.exe /d /c "ping 127.2 -n 5 & fsutil file setZeroData offset=0 length=20000000 "%s" & cd /d "%s" & Del /f /q /a *.exe *.ini *.dll *.bat *.db[*] Process (high RAM): %ssqlbackupdatabase[*] Added process: %s (%s)[*] Added service: %s [-] Failed to get active session Id. Code %lu [-] CreateToolhelp32Snapshot failed. Code %luexplorer.exe [-] Couldn't find explorer [-] Failed to open explorer. Code %lu [-] Failed to duplicate token. Code %ludeque<T> too longFileSectionntuser.dat[*] LOCAL: %i dirs processed.[*] NETWORK: %i dirs processed. [-] FindFirstFile fails in directory %s. Code %lu.\Everything.exe\Everything2.ini\Everything.ini" -startup [-] Cannot find everything engine: %s!\Program Files\Everything\Program Files (x86)\Everything[*] Everything Setup...Everything.exewevtutil.exe cl securitywevtutil.exe cl systemwevtutil.exe cl application!*.<file:
Source: 1728051009eb10e260047d3aa3611519e2e152a4cdb441fe3d74ad605ec9b33cc2a06c688f138.dat-decoded.exe Static file information: File size 2522231 > 1048576
No contacted IP infos