Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report

Overview

General Information

Analysis ID:1540249
Infos:

Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Execution From GUID Like Folder Names
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • cmd.exe (PID: 6892 cmdline: cmd /C ""C:\Users\aullom\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Helper.exe" http:%2F%2Fsearch.easytelevisionaccess.com%2F%3Fuc=20200418%26uid=d805634c-a765-41aa-8b89-ace0e55d48c3%26i_id=tv_spt__1.30%26ap=appfocus686%26source=gdn_v1-bb9-iei-msn-su 21600 true" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 6944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: cmd /C ""C:\Users\aullom\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Helper.exe" http:%2F%2Fsearch.easytelevisionaccess.com%2F%3Fuc=20200418%26uid=d805634c-a765-41aa-8b89-ace0e55d48c3%26i_id=tv_spt__1.30%26ap=appfocus686%26source=gdn_v1-bb9-iei-msn-su 21600 true", CommandLine: cmd /C ""C:\Users\aullom\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Helper.exe" http:%2F%2Fsearch.easytelevisionaccess.com%2F%3Fuc=20200418%26uid=d805634c-a765-41aa-8b89-ace0e55d48c3%26i_id=tv_spt__1.30%26ap=appfocus686%26source=gdn_v1-bb9-iei-msn-su 21600 true", CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4408, ProcessCommandLine: cmd /C ""C:\Users\aullom\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Helper.exe" http:%2F%2Fsearch.easytelevisionaccess.com%2F%3Fuc=20200418%26uid=d805634c-a765-41aa-8b89-ace0e55d48c3%26i_id=tv_spt__1.30%26ap=appfocus686%26source=gdn_v1-bb9-iei-msn-su 21600 true", ProcessId: 6892, ProcessName: cmd.exe
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: classification engineClassification label: clean2.win@2/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6944:120:WilError_03
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C ""C:\Users\aullom\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Helper.exe" http:%2F%2Fsearch.easytelevisionaccess.com%2F%3Fuc=20200418%26uid=d805634c-a765-41aa-8b89-ace0e55d48c3%26i_id=tv_spt__1.30%26ap=appfocus686%26source=gdn_v1-bb9-iei-msn-su 21600 true"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c ""c:\users\aullom\appdata\roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\helper.exe" http:%2f%2fsearch.easytelevisionaccess.com%2f%3fuc=20200418%26uid=d805634c-a765-41aa-8b89-ace0e55d48c3%26i_id=tv_spt__1.30%26ap=appfocus686%26source=gdn_v1-bb9-iei-msn-su 21600 true"
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Command and Scripting Interpreter
Path Interception1
Process Injection
1
Process Injection
OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1540249 Cookbook: defaultwindowscmdlinecookbook.jbs Startdate: 23/10/2024 Architecture: WINDOWS Score: 2 5 cmd.exe 1 2->5         started        process3 7 conhost.exe 5->7         started       

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1540249
Start date and time:2024-10-23 15:57:58 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 32s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowscmdlinecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean2.win@2/0@0/0
Cookbook Comments:
  • Stop behavior analysis, all processes terminated
  • Not all processes where analyzed, report is missing behavior information
No simulations
No context
No context
No context
No context
No context
No created / dropped files found
No static file info
No network behavior found

Click to jump to process

Click to jump to process

Click to jump to process

Target ID:0
Start time:09:58:59
Start date:23/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C ""C:\Users\aullom\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Helper.exe" http:%2F%2Fsearch.easytelevisionaccess.com%2F%3Fuc=20200418%26uid=d805634c-a765-41aa-8b89-ace0e55d48c3%26i_id=tv_spt__1.30%26ap=appfocus686%26source=gdn_v1-bb9-iei-msn-su 21600 true"
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:09:58:59
Start date:23/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

No disassembly