Edit tour
Windows
Analysis Report
MDE_File_Sample_99ed6135defff6e675d626f742389d6280abdb60.zip
Overview
General Information
| Sample name: | MDE_File_Sample_99ed6135defff6e675d626f742389d6280abdb60.zip |
| Analysis ID: | 1545555 |
| MD5: | 6495ac63020e01077c8ce9c7d8ce1fe0 |
| SHA1: | 43ff44053dcd864558925b8ae640019f01b6a48c |
| SHA256: | c6c899f37929885a6be469745baa3e60406cea7ae78c7ee56d1823c9a4fd47b0 |
| Infos: |  |
 | |
Detection
| Score: | 31 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 0% |
Signatures
Creates an undocumented autostart registry key
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sigma detected: Classes Autorun Keys Modification
Stores files to the Windows start menu directory
Classification
- System is w10x64_ra
rundll32.exe (PID: 7020 cmdline: C:\Windows \System32\ rundll32.e xe C:\Wind ows\System 32\shell32 .dll,SHCre ateLocalSe rverRunDll {9aa46009 -3ce0-458a -a354-7156 10a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 1392 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\Temp1_ MDE_File_S ample_99ed 6135defff6 e675d626f7 42389d6280 abdb60.zip \FileZilla _3.67.1_wi n64_sponso red2-setup .exe" MD5: B209DF2951E29AB5EAB4009579B10B8D) - FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 4540 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\Temp1_ MDE_File_S ample_99ed 6135defff6 e675d626f7 42389d6280 abdb60.zip \FileZilla _3.67.1_wi n64_sponso red2-setup .exe" /UAC :50078 /NC RC MD5: B209DF2951E29AB5EAB4009579B10B8D)
- FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 2356 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\Temp2_ MDE_File_S ample_99ed 6135defff6 e675d626f7 42389d6280 abdb60.zip \FileZilla _3.67.1_wi n64_sponso red2-setup .exe" MD5: B209DF2951E29AB5EAB4009579B10B8D) - FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 5072 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\Temp2_ MDE_File_S ample_99ed 6135defff6 e675d626f7 42389d6280 abdb60.zip \FileZilla _3.67.1_wi n64_sponso red2-setup .exe" /UAC :402AA /NC RC MD5: B209DF2951E29AB5EAB4009579B10B8D) 
regsvr32.exe (PID: 1192 cmdline: "C:\Window s\system32 \regsvr32. exe" /s "C :\Program Files\File Zilla FTP Client\fzs hellext_64 .dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E) - filezilla.exe (PID: 6568 cmdline:
"C:\Progra m Files\Fi leZilla FT P Client\f ilezilla.e xe" MD5: 71E87D8F4AB33DD57BFF41F76C339E64)
- cleanup
⊘No configs have been found
⊘No yara matches
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
| Source: | Binary or memory string: | memstr_669c5e2d-2 | |
| Source: | Window detected: | ||