Windows
Analysis Report
PandoraFMS_One_Agent_Windows-lts.x86_64.exe
Overview
General Information
Detection
| Metric | Value |
|---|---|
| Score | 32 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 40% |
Compliance
| Metric | Value |
|---|---|
| Score | 34 |
| Range | 0 - 100 |
Signatures
Multi AV Scanner detection for dropped file
Disables security and backup related services
Found API chain indicative of debugger detection
Potential context-aware VBS script found (checks for environment specific values)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
EXE planting / hijacking vulnerabilities found
Found dropped PE file which has not been started or loaded
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Classification
- System is w10x64
- PandoraFMS_One_Agent_Windows-lts.x86_64.exe (PID: 7308, cmdline: "C:\Users\user\Desktop\PandoraFMS_One_Agent_Windows-lts.x86_64.exe", MD5: 850A59F9C158B9D953EE6A75F55F7F8A)
- cmd.exe (PID: 7460, cmdline: cmd.exe /c net stop pandoraFMSagent, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7468, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7700, cmdline: cmd.exe /c PandoraAgent.exe --install, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7708, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- PandoraAgent.exe (PID: 7764, cmdline: PandoraAgent.exe --install, MD5: D885123606524EA6542E5AC351FB3529)
- schtasks.exe (PID: 7820, cmdline: schtasks /Create /TN pandora_agent_restart /TR "\"C:\Program Files\pandora_agent\scripts\restart_pandora_agent.bat\"" /SC DAILY /ST 00:00:00 /F /RU SYSTEM, MD5: 48C2FE20575769DE916F48EF0676A965)
- conhost.exe (PID: 7836, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 7916, cmdline: schtasks /Change /TN pandora_agent_restart /TR "\"C:\Program Files\pandora_agent\scripts\restart_pandora_agent.bat\"", MD5: 48C2FE20575769DE916F48EF0676A965)
- conhost.exe (PID: 7924, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ShortElev.exe (PID: 7984, cmdline: "C:\Program Files\pandora_agent\util\ShortElev.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PandoraFMS_Agent_v7.0NG.777.1\Edit Config File.lnk", MD5: 0137DF9F792F635269E6FFF74F238C95)
- conhost.exe (PID: 7992, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ShortElev.exe (PID: 8036, cmdline: "C:\Program Files\pandora_agent\util\ShortElev.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PandoraFMS_Agent_v7.0NG.777.1\PandoraFMS_Agent_start.lnk", MD5: 0137DF9F792F635269E6FFF74F238C95)
- conhost.exe (PID: 8044, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ShortElev.exe (PID: 8088, cmdline: "C:\Program Files\pandora_agent\util\ShortElev.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PandoraFMS_Agent_v7.0NG.777.1\PandoraFMS_Agent_stop.lnk", MD5: 0137DF9F792F635269E6FFF74F238C95)
- conhost.exe (PID: 8096, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 8140, cmdline: C:\Windows\SYSTEM32\cmd.exe /c ""C:\Program Files\pandora_agent\scripts\restart_pandora_agent.bat"", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8148, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- PandoraAgent.exe (PID: 3620, cmdline: "C:\Program Files\pandora_agent\PandoraAgent.exe", MD5: D885123606524EA6542E5AC351FB3529)
- cleanup
No configs have been found
No yara matches
Matched rule authors:
- Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
- Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
- Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
No Suricata rule has matched
AV Detection
| Source | Detail |
|---|---|
| ReversingLabs | |
| Binary or memory string | memstr_17e0a04a-e |
| EXE (behavior) | |
| EXE (behavior) | |
Compliance
| Source | Detail |
|---|---|
| EXE (behavior) | |
| EXE (behavior) | |
| Static PE information | |
| Window detected | |