Edit tour
Windows
Analysis Report
Iyto7FYCJO.exe
Overview
General Information
Sample name: | Iyto7FYCJO.exerenamed because original name is a hash value |
Original sample name: | e12627a292cf6a7d32adb932adbd2b3b.exe |
Analysis ID: | 1538236 |
MD5: | e12627a292cf6a7d32adb932adbd2b3b |
SHA1: | 2f6bf97cd38104937b7f47be38a00f0cea9a6f4a |
SHA256: | eeca777e359e475f4bf1d137bd60dc0194e9520c0047a388ef28d383dc04250e |
Tags: | 64exetrojan |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Accesses win32k, likely to find offsets for exploits
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample is not signed and drops a device driver
Tries to detect debuggers (CloseHandle check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Classification
- System is w10x64
- Iyto7FYCJO.exe (PID: 1308 cmdline:
"C:\Users\ user\Deskt op\Iyto7FY CJO.exe" MD5: E12627A292CF6A7D32ADB932ADBD2B3B) - conhost.exe (PID: 6616 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 1892 cmdline:
C:\Windows \system32\ cmd.exe /c cd C:\ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 5260 cmdline:
C:\Windows \system32\ cmd.exe /c start C:\ Windows\Vu lnerabilit y.exe C:\W indows\dri ver.sys MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - Vulnerability.exe (PID: 5460 cmdline:
C:\Windows \Vulnerabi lity.exe C :\Windows\ driver.sys MD5: 8619AFEC8BD66B2C589FC987D7D0B194) - conhost.exe (PID: 6520 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 6128 cmdline:
C:\Windows \system32\ cmd.exe /c certutil -hashfile "C:\Users\ user\Deskt op\Iyto7FY CJO.exe" M D5 | find /i /v "md5 " | find / i /v "cert util" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - certutil.exe (PID: 940 cmdline:
certutil - hashfile " C:\Users\u ser\Deskto p\Iyto7FYC JO.exe" MD 5 MD5: F17616EC0522FC5633151F7CAA278CAA) - find.exe (PID: 6656 cmdline:
find /i /v "md5" MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - find.exe (PID: 5060 cmdline:
find /i /v "certutil " MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - cmd.exe (PID: 4092 cmdline:
C:\Windows \system32\ cmd.exe /c start cmd /C "color b && titl e Error && echo SSL connect er ror && tim eout /t 5" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 7044 cmdline:
cmd /C "co lor b && t itle Error && echo S SL connect error && timeout /t 5" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 4228 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - timeout.exe (PID: 2284 cmdline:
timeout /t 5 MD5: 100065E21CFBBDE57CBA2838921F84D6) - WerFault.exe (PID: 1812 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 1 308 -s 170 8 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Binary or memory string: | memstr_d1808002-5 |
Exploits |
---|
Source: | File opened: | Jump to behavior |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 5_2_00007FF7738F3B60 |
Source: | HTTP traffic detected: |