Windows
Analysis Report
NebulardGame (1).exe
Overview
General Information
Detection
Score: 32
Range: 0 - 100
Whitelisted: false
Confidence: 0%
Signatures
Drops large PE files
Contains functionality to read data from the clipboard
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Sigma detected: Console CodePage Lookup Via CHCP
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- NebulardGame (1).exe (PID: 7396) cmdline: "C:\Users\user\Desktop\NebulardGame (1).exe" MD5: 535765B4776DF6913634BE23E077DA00
  - cmd.exe (PID: 7432) cmdline: cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Nebulard.exe" | %SYSTEMROOT%\System32\find.exe "Nebulard.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B
  - conhost.exe (PID: 7440) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D
  - tasklist.exe (PID: 7480) cmdline: tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq Nebulard.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1
  - find.exe (PID: 7488) cmdline: C:\Windows\System32\find.exe "Nebulard.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0
- Nebulard.exe (PID: 7980) cmdline: "C:\Users\user\AppData\Local\Programs\Nebulard\Nebulard.exe" MD5: EAEBA21839FF630BC887C53BD20EBB60
  - Nebulard.exe (PID: 8188) cmdline: "C:\Users\user\AppData\Local\Programs\Nebulard\Nebulard.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Nebulard" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1556 --field-trial-handle=1768,i,7681473182926348413,12939458288127095386,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: EAEBA21839FF630BC887C53BD20EBB60
  - explorer.exe (PID: 2580) cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5
  - Nebulard.exe (PID: 6036) cmdline: "C:\Users\user\AppData\Local\Programs\Nebulard\Nebulard.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Nebulard" --mojo-platform-channel-handle=1932 --field-trial-handle=1768,i,7681473182926348413,12939458288127095386,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: EAEBA21839FF630BC887C53BD20EBB60
  - Nebulard.exe (PID: 7312) cmdline: "C:\Users\user\AppData\Local\Programs\Nebulard\Nebulard.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Roaming\Nebulard" --app-path="C:\Users\user\AppData\Local\Programs\Nebulard\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --time-ticks-at-unix-epoch=-1732378958099987 --launch-time-ticks=6262912249 --mojo-platform-channel-handle=2072 --field-trial-handle=1768,i,7681473182926348413,12939458288127095386,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1 MD5: EAEBA21839FF630BC887C53BD20EBB60
  - cmd.exe (PID: 7488) cmdline: C:\Windows\system32\cmd.exe /d /s /c "chcp" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE
  - conhost.exe (PID: 7472) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D
  - chcp.com (PID: 4476) cmdline: chcp MD5: 33395C4732A49065EA72590B14B64F32
  - Nebulard.exe (PID: 5356) cmdline: "C:\Users\user\AppData\Local\Programs\Nebulard\Nebulard.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\Nebulard" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3464 --field-trial-handle=1768,i,7681473182926348413,12939458288127095386,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: EAEBA21839FF630BC887C53BD20EBB60
- cleanup
No configs have been found
No yara matches
System Summary
Sigma rule source: Author: _pete_0, TheDFIRReport
No Suricata rule has matched
Code functions: 0_2_004059CC, 0_2_004065FD, 0_2_00402868