Windows Analysis Report
XDA_CDS v6.8.54_SE.exe
Overview
General Information
Detection
Score: 48 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Compliance
Score: 51 (range 0 - 100)
Signatures
Suricata IDS alerts for network traffic
.NET source code contains potential unpacker
Installs new ROOT certificates
Reads the Security eventlog
Reads the System eventlog
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Creates processes with suspicious names
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64_ra
- XDA_CDS v6.8.54_SE.exe (PID: 6464 cmdline: "C:\Users\user\Desktop\XDA_CDS v6.8.54_SE.exe" MD5: 5F0A52B6484CD9D70421A3AC1389F220)
- XDA_CDS v6.8.54.exe (PID: 6528 cmdline: "C:\Users\user\AppData\Local\Temp\DSC\XDA_CDS v6.8.54.exe" MD5: F58898CE6418ADC6C7B52E6EB409A2DD)
- Xerox Device Agent Partner Edition (XDA PE) v6.8.54.exe (PID: 2712 cmdline: "C:\Users\user\AppData\Local\Temp\DSC\Xerox Device Agent Partner Edition (XDA PE) v6.8.54.exe" /L1033 /v"XMLLocation=\"C:\Users\user\AppData\Local\Temp\DSC\xrs.val\"" SKIPLC=false MD5: FBCAE8A69E9363EAEECE61DBF97D066D)
- Setup.exe (PID: 2868 cmdline: /prereqcheck /L1033 LOG="C:\ProgramData\Xerox\InstallLogs\Xerox_XDA_6.8.54_08_10_2024_1728410229.txt" /bootstrapped MD5: 740220BE9C7EB7266701109C1A762F66)
- Setup.exe (PID: 424 cmdline: /v"XMLLocation=\"C:\Users\user\AppData\Local\Temp\DSC\xrs.val\"" SKIPLC=false /L1033 LOG="C:\ProgramData\Xerox\InstallLogs\Xerox_XDA_6.8.54_08_10_2024_1728410229.txt" /bootstrapped MD5: 740220BE9C7EB7266701109C1A762F66)
- dbVersionDetect.exe (PID: 3312 cmdline: "C:\Users\user\AppData\Local\Temp\bfcc5xtj.2w0\lq2brwcq.eam\dbVersionDetect.exe" SQLCE MD5: 1120ED381A9D0F6E818E3C8762501CAA)
- conhost.exe (PID: 780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- msiexec.exe (PID: 7140 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 6896 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 398AEE39D053096B8B7CCBB4A051E035 MD5: 9D09DC1EDA745A5F87553048E57620CF)
- rundll32.exe (PID: 6056 cmdline: rundll32.exe "C:\Windows\Installer\MSI387B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6830312 2 CustomAction!CustomActionsShared.ExecuteSequence.ExecuteInitialize MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 3840 cmdline: rundll32.exe "C:\Windows\Installer\MSI48B8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6834390 8 CustomAction!CustomActionsShared.ExecuteSequence.ExecuteBegin MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 2424 cmdline: rundll32.exe "C:\Windows\Installer\MSI55F9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6837765 14 CustomAction!CustomActionsShared.ExecuteSequence.SilentExecuteValidations MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 3408 cmdline: rundll32.exe "C:\Windows\Installer\MSI90D1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6852843 20 CustomAction!CustomActionsShared.ExecuteSequence.InstallExecuteSeq MD5: 889B99C52A60DD49227C5E485A016679)
- DbCreate.exe (PID: 3252 cmdline: "C:\Program Files (x86)\CDS\XDA_CDS\InstallerSupport\database\DBCreate.exe" SQLCE MD5: ADE887FAF60C4EAB240D15A4A40BAAF0)
- conhost.exe (PID: 3724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
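The four rundll32.exe entries in the process list above are the WiX Toolset DTF (SfxCA) launcher for managed custom actions: Windows Installer extracts the custom-action DLL to C:\Windows\Installer\MSIxxxx.tmp and calls its zzzzInvokeManagedCustomActionOutOfProc export with the .NET entry point to run. Those .tmp files are normally gone after the install, so the command lines are often the only place the entry points survive. The following is an added example, not code from the report or from Xerox, that pulls the entry points out of the command lines exactly as they appear above; reading the two tokens after the export name as a pipe name and an MSI session handle is an assumption made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Command lines copied from the process list in the report above (column spacing
# repaired). Unrelated processes are included to show that they are skipped.
PROCESS_CMDLINES = [
    'C:\\Windows\\system32\\msiexec.exe /V',
    'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 398AEE39D053096B8B7CCBB4A051E035',
    'rundll32.exe "C:\\Windows\\Installer\\MSI387B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6830312 2 CustomAction!CustomActionsShared.ExecuteSequence.ExecuteInitialize',
    'rundll32.exe "C:\\Windows\\Installer\\MSI48B8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6834390 8 CustomAction!CustomActionsShared.ExecuteSequence.ExecuteBegin',
    'rundll32.exe "C:\\Windows\\Installer\\MSI55F9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6837765 14 CustomAction!CustomActionsShared.ExecuteSequence.SilentExecuteValidations',
    'rundll32.exe "C:\\Windows\\Installer\\MSI90D1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6852843 20 CustomAction!CustomActionsShared.ExecuteSequence.InstallExecuteSeq',
    '"C:\\Program Files (x86)\\CDS\\XDA_CDS\\InstallerSupport\\database\\DBCreate.exe" SQLCE',
]

# Layout after the export name: <pipe name> <session handle> <assembly>!<type>.<method>
# Treating the first two tokens as the RPC pipe name and the MSI session handle is an
# assumption of this example; the report itself does not describe them.
DTF_RE = re.compile(
    r'^rundll32\.exe\s+"(?P<dll>[^"]+)",zzzzInvokeManagedCustomActionOutOfProc\s+'
    r'(?P<pipe>SfxCA_\d+)\s+(?P<session>\d+)\s+'
    r'(?P<assembly>[^!\s]+)!(?P<type>[\w.]+)\.(?P<method>\w+)\s*$'
)


@dataclass(frozen=True)
class ManagedCustomAction:
    dll: str        # extracted custom-action DLL (deleted by Windows Installer afterwards)
    pipe: str       # SfxCA_<n> token (assumed: named pipe back to the in-proc host)
    session: int    # numeric token (assumed: MSI session handle)
    assembly: str   # managed assembly name before '!'
    type_name: str  # fully qualified .NET type
    method: str     # custom-action method invoked


def parse_dtf_cmdline(cmdline: str) -> Optional[ManagedCustomAction]:
    """Return the custom-action details if cmdline is a DTF out-of-proc launch, else None."""
    m = DTF_RE.match(cmdline.strip())
    if not m:
        return None
    return ManagedCustomAction(
        dll=m["dll"], pipe=m["pipe"], session=int(m["session"]),
        assembly=m["assembly"], type_name=m["type"], method=m["method"],
    )


def managed_custom_actions(cmdlines):
    """All DTF custom actions in process-tree order; non-matching processes are skipped."""
    return [ca for ca in map(parse_dtf_cmdline, cmdlines) if ca is not None]


def temp_dlls_to_recover(cmdlines):
    """Paths of the MSI*.tmp DLLs that held the managed code; recover them from the
    sandbox's dropped-file list, since they are usually gone from the final disk image."""
    return [ca.dll for ca in managed_custom_actions(cmdlines)]


if __name__ == "__main__":
    for ca in managed_custom_actions(PROCESS_CMDLINES):
        print(f"session={ca.session:>3}  {ca.type_name}.{ca.method}  <- {ca.dll}")
```

The output gives the order in which the installer's managed code ran (ExecuteInitialize, ExecuteBegin, SilentExecuteValidations, InstallExecuteSeq) and the four temporary DLLs to pull from the dropped-files list for static review.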
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-08T18:05:57.637846+0200 | 2009897 | 1 | A Network Trojan was detected | 13.14.0.17 | 443 | 192.168.2.16 | 49714 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-08T18:05:57.549001+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.16 | 49714 | 13.14.0.17 | 443 | TCP |
2024-10-08T18:06:29.825255+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.16 | 49716 | 13.14.0.17 | 443 | TCP |
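Read together, the two tables describe one TCP connection, not two unrelated events: the low-severity SID 2803305 alert fired on the client's request from port 49714, and 88 ms later the severity-1 SID 2009897 alert fired on the server's reply into that same port. The second connection (port 49716) only produced the low-severity alert. That pairing is what tells an analyst the high-severity hit was on content delivered to the sample, and it is easy to miss when alerts are listed per direction. The following is an added example (not part of the sandbox report) that groups Suricata eve.json alerts by flow and reports, per flow, the most severe alert and which side triggered it. The eve.json records are constructed here to mirror the report's values; the rule text and revision, which the report does not show, are left out.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed Suricata eve.json alert records mirroring the three alerts in the tables above.
EVE_LINES = [
    json.dumps({"timestamp": "2024-10-08T18:05:57.549001+0200", "event_type": "alert",
                "src_ip": "192.168.2.16", "src_port": 49714, "dest_ip": "13.14.0.17",
                "dest_port": 443, "proto": "TCP",
                "alert": {"signature_id": 2803305, "category": "Unknown Traffic", "severity": 3}}),
    json.dumps({"timestamp": "2024-10-08T18:05:57.637846+0200", "event_type": "alert",
                "src_ip": "13.14.0.17", "src_port": 443, "dest_ip": "192.168.2.16",
                "dest_port": 49714, "proto": "TCP",
                "alert": {"signature_id": 2009897, "category": "A Network Trojan was detected", "severity": 1}}),
    json.dumps({"timestamp": "2024-10-08T18:06:29.825255+0200", "event_type": "alert",
                "src_ip": "192.168.2.16", "src_port": 49716, "dest_ip": "13.14.0.17",
                "dest_port": 443, "proto": "TCP",
                "alert": {"signature_id": 2803305, "category": "Unknown Traffic", "severity": 3}}),
]


def direction(ev):
    """'request' when the packet left the (private-address) sandbox host, otherwise 'response'."""
    return "request" if ipaddress.ip_address(ev["src_ip"]).is_private else "response"


def flow_key(ev):
    """Direction-independent 5-tuple, always ordered client -> server."""
    if direction(ev) == "request":
        return (ev["proto"], ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"])
    return (ev["proto"], ev["dest_ip"], ev["dest_port"], ev["src_ip"], ev["src_port"])


def group_alerts_by_flow(lines):
    """Map each flow to its alerts in time order (ISO timestamps in one zone sort lexically)."""
    flows = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        flows[flow_key(ev)].append({
            "ts": ev["timestamp"],
            "sid": ev["alert"]["signature_id"],
            "severity": ev["alert"]["severity"],
            "category": ev["alert"].get("category", ""),
            "direction": direction(ev),
        })
    for alerts in flows.values():
        alerts.sort(key=lambda a: a["ts"])
    return dict(flows)


def summarize(lines):
    """One row per flow: the most severe alert (Suricata severity 1 is the highest) and its direction."""
    rows = []
    for key, alerts in group_alerts_by_flow(lines).items():
        worst = min(alerts, key=lambda a: a["severity"])
        rows.append({
            "client": f"{key[1]}:{key[2]}", "server": f"{key[3]}:{key[4]}",
            "alerts": len(alerts), "worst_sid": worst["sid"],
            "worst_severity": worst["severity"], "worst_direction": worst["direction"],
        })
    return sorted(rows, key=lambda r: r["client"])


if __name__ == "__main__":
    for row in summarize(EVE_LINES):
        print(row)
```

On a real eve.json, feed the file's lines to summarize() and sort the rows by worst_severity; a severity-1 alert whose worst_direction is "response" means the rule matched what the server sent back to the sample, which is the case to investigate first.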
Compliance
Source: Static PE information:
Source: Window detected: