Windows
Analysis Report
peugeot_update.exe
Overview
General Information
Detection
Score: 16 (range 0 - 100)
Whitelisted: false
Confidence: 0%
Compliance
Score: 35 (range 0 - 100)
Signatures
Drops large PE files
Contains functionality to read data from the clipboard
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Analysis Advice
- Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox
- Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior
- Sample monitors window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook
- Sample searches for specific files; try pointing organization-specific fake files at the analysis machine
- Sample has functionality to log and monitor keystrokes; analyze it with the 'Simulates keyboard and window changes' cookbook
- System is w10x64
- peugeot_update.exe (PID: 5348 cmdline: "C:\Users\user\Desktop\peugeot_update.exe" MD5: 58271966B64E708CB94BB2F7000F6C90)
- cmd.exe (PID: 5712 cmdline: cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Peugeot Update.exe" | %SYSTEMROOT%\System32\find.exe "Peugeot Update.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 4368 cmdline: tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq Peugeot Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
- find.exe (PID: 4028 cmdline: C:\Windows\System32\find.exe "Peugeot Update.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
- Peugeot Update.exe (PID: 2968 cmdline: "C:\Users\user\AppData\Local\Programs\Peugeot Update\Peugeot Update.exe" MD5: 8C54EEF72F2EBAD61510A70E178E3777)
- Peugeot Update.exe (PID: 6132 cmdline: "C:\Users\user\AppData\Local\Programs\Peugeot Update\Peugeot Update.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Peugeot Update" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1676 --field-trial-handle=1852,i,5726485589807088836,18132477583015397966,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: 8C54EEF72F2EBAD61510A70E178E3777)
- explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
- Peugeot Update.exe (PID: 4844 cmdline: "C:\Users\user\AppData\Local\Programs\Peugeot Update\Peugeot Update.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Peugeot Update" --mojo-platform-channel-handle=2008 --field-trial-handle=1852,i,5726485589807088836,18132477583015397966,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: 8C54EEF72F2EBAD61510A70E178E3777)
- Peugeot Update.exe (PID: 2820 cmdline: "C:\Users\user\AppData\Local\Programs\Peugeot Update\Peugeot Update.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Roaming\Peugeot Update" --app-path="C:\Users\user\AppData\Local\Programs\Peugeot Update\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --disable-gpu-compositing --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --time-ticks-at-unix-epoch=-1711615653132558 --launch-time-ticks=4513447125 --mojo-platform-channel-handle=2216 --field-trial-handle=1852,i,5726485589807088836,18132477583015397966,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1 MD5: 8C54EEF72F2EBAD61510A70E178E3777)
- cleanup
- No configs have been found
- No yara matches
- No Sigma rule has matched
- No Snort rule has matched
Source: | Code function: | 0_2_00405F27 |
Source: | Code function: | 0_2_00406DFF |
Source: | Code function: | 0_2_00402C8A |