Windows
Analysis Report
installcriptocns.exe
Overview
General Information
Detection
Field | Value
---|---
Score | 30
Range | 0 - 100
Whitelisted | false
Confidence | 0%
Signatures
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64_ra
- installcriptocns.exe (PID: 6684 cmdline: "C:\Users\user\Desktop\installcriptocns.exe" MD5: 100BEA48A4B460D6ECE41E5D2E4606FF)
- installcriptocns.exe (PID: 5476 cmdline: "C:\Users\user\Desktop\installcriptocns.exe" --rerunningWithoutUAC MD5: 100BEA48A4B460D6ECE41E5D2E4606FF)
- Update.exe (PID: 6908 cmdline: "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install . --rerunningWithoutUAC MD5: A560BAD9E373EA5223792D60BEDE2B13)
- squirrel.exe (PID: 7016 cmdline: "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\Squirrel.exe" --updateSelf=C:\Users\user\AppData\Local\SquirrelTemp\Update.exe MD5: 6FCBE10724D6C767002A845C0BBE1139)
- criptocns.exe (PID: 6580 cmdline: "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe" --squirrel-install 1.1.1 MD5: EAB112A35B65CA5236B6CFD227875F1F)
- criptocns.exe (PID: 6196 cmdline: "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe" --squirrel-firstrun MD5: EAB112A35B65CA5236B6CFD227875F1F)
- criptocns.exe (PID: 6972 cmdline: "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\criptocns" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1656,i,17898378316754652978,529011506488449579,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: EAB112A35B65CA5236B6CFD227875F1F)
- criptocns.exe (PID: 1940 cmdline: C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app\appservice/service.js "--log={\"path\":\"C:\\Users\\user\\.criptocns\",\"fname\":\"criptocns-n.log\",\"maxSize\":2048,\"rotate\":5,\"level\":1}" "--server={\"port\":9171,\"maxAge\":1800,\"trustedOrigins\":{\"warning\":true,\"origins\":[]}}" --service=CriptoCNS MD5: EAB112A35B65CA5236B6CFD227875F1F)
- cmd.exe (PID: 2128 cmdline: C:\Windows\system32\cmd.exe /d /s /c "hash kdialog 2>/dev/null" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 2408 cmdline: C:\Windows\system32\cmd.exe /d /s /c "osascript -e 'id of application "kdialog"' 2>&1>/dev/null" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 2628 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where kdialog" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 3132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- where.exe (PID: 6256 cmdline: where kdialog MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)
- cmd.exe (PID: 4200 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where kdialog.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 3956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- where.exe (PID: 4368 cmdline: where kdialog.exe MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)
- cmd.exe (PID: 4404 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where.exe kdialog" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- where.exe (PID: 2916 cmdline: where.exe kdialog MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)
- cmd.exe (PID: 5088 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where.exe kdialog.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- where.exe (PID: 5124 cmdline: where.exe kdialog.exe MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)
- cmd.exe (PID: 4016 cmdline: C:\Windows\system32\cmd.exe /d /s /c "hash zenity 2>/dev/null" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 980 cmdline: C:\Windows\system32\cmd.exe /d /s /c "osascript -e 'id of application "zenity"' 2>&1>/dev/null" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 3928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 5652 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where zenity" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- where.exe (PID: 400 cmdline: where zenity MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)
- cmd.exe (PID: 5996 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where zenity.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- where.exe (PID: 6700 cmdline: where zenity.exe MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)
- cmd.exe (PID: 7120 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where.exe zenity" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 3964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- where.exe (PID: 4892 cmdline: where.exe zenity MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)
- cmd.exe (PID: 408 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where.exe zenity.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 1996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- where.exe (PID: 7124 cmdline: where.exe zenity.exe MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)
- cmd.exe (PID: 4696 cmdline: C:\Windows\system32\cmd.exe /d /s /c "hash yad 2>/dev/null" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 4880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 6468 cmdline: C:\Windows\system32\cmd.exe /d /s /c "osascript -e 'id of application "yad"' 2>&1>/dev/null" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 444 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where yad" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- where.exe (PID: 2400 cmdline: where yad MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)
- cmd.exe (PID: 3436 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where yad.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- where.exe (PID: 2036 cmdline: where yad.exe MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)
- cmd.exe (PID: 1468 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where.exe yad" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- where.exe (PID: 5488 cmdline: where.exe yad MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)
- cmd.exe (PID: 6232 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where.exe yad.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- where.exe (PID: 4364 cmdline: where.exe yad.exe MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)
- criptocns.exe (PID: 1272 cmdline: "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\criptocns" --mojo-platform-channel-handle=2012 --field-trial-handle=1656,i,17898378316754652978,529011506488449579,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: EAB112A35B65CA5236B6CFD227875F1F)
- explorer.exe (PID: 4380 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
- criptocns.exe (PID: 5692 cmdline: "C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\criptocns.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Roaming\criptocns" --app-user-model-id=com.squirrel.CriptoCNS.criptocns --app-path="C:\Users\user\AppData\Local\CriptoCNS\app-1.1.1\resources\app" --no-sandbox --no-zygote --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --launch-time-ticks=4564869468 --mojo-platform-channel-handle=2308 --field-trial-handle=1656,i,17898378316754652978,529011506488449579,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1 MD5: EAB112A35B65CA5236B6CFD227875F1F)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
 | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
 | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
No Sigma rule has matched
No Suricata rule has matched