Windows
Analysis Report
file.zip
Overview
General Information
Detection
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Connects to many ports of the same IP (likely port scanning)
Sample is not signed and drops a device driver
Uses known network protocols on non-standard ports
Suspicious powershell command line found
Drops large PE files
May check the online IP address of the machine
DLL side loading technique detected
Creates autostart registry keys with suspicious names
Queries the volume information (name, serial number etc) of a device
Drops PE files to the application program directory (C:\ProgramData)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Queries the installation date of Windows
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries information about the installed CPU (vendor, model number etc)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Creates driver files
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64_ra
  file.exe (PID: 5020 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe" MD5: 8CA18F31DB0E5051F432050162F94CFE)
  ypkwfDriverDetectMastertvDriverRepairPro.exe (PID: 948 cmdline: "C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe" MD5: 4F2321A7D7EC44F7A6EF21D43CF4D470)
  cmd.exe (PID: 4164 cmdline: cmd.exe /C powershell.exe -Command ""Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe /runas'"" MD5: 4943BA1A9B41D69643F69685E35B2943)
  conhost.exe (PID: 5220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
  powershell.exe (PID: 5028 cmdline: powershell.exe -Command ""Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe /runas'"" MD5: BCC5A6493E0641AA1E60CBF69469E579)
  cmd.exe (PID: 5240 cmdline: cmd.exe /C powershell.exe -Command ""Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe'"" MD5: 4943BA1A9B41D69643F69685E35B2943)
  conhost.exe (PID: 1228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
  powershell.exe (PID: 2608 cmdline: powershell.exe -Command ""Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe'"" MD5: BCC5A6493E0641AA1E60CBF69469E579)
  powershell.exe (PID: 2856 cmdline: powershell.exe -Command "Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe /runas'" MD5: BCC5A6493E0641AA1E60CBF69469E579)
  conhost.exe (PID: 2824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
  powershell.exe (PID: 4648 cmdline: powershell.exe -Command "Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe'" MD5: BCC5A6493E0641AA1E60CBF69469E579)
  conhost.exe (PID: 4284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
- cleanup
No yara matches
No Sigma rule has matched
No Snort rule has matched
Networking
Source: | TCP traffic: |
Source: | Network traffic detected: |
Source: | DNS query: |
Source: | HTTP traffic detected: |