Windows Analysis Report
https://staticcontent.cricut.com/a/software/win32-native/CricutDesignSpace-Install-v8.24.60.exe?Expires=1713405575&Signature=2WQC5y2N-HrvfbwCMSuJ2AepXckGrbtsXEdZfqTTcjsjIKwZ48XDUv2do7SKzLJZWbg3r4Qt-YcgcCEnlL4U8K~rZtlF1Sign5lBZQZ-qWq6nwQhfqOgI~2AzpwFlKa5Z0ZnNvk2QuBEm0NcoBXnTJbNIFUhXCXRo~PkpHmlp-Y848h
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence
---|---|---|---
60 | 0 - 100 | false | 100%
Signatures
Malicious sample detected (through community Yara rule)
Allocates memory in foreign processes
Query firmware table information (likely to detect VMs)
Writes to foreign memory regions
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables security privileges
Found dropped PE file which has not been started or loaded
Installs a raw input device (often for capturing keystrokes)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 6288 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://staticcontent.cricut.com/a/software/win32-native/CricutDesignSpace-Install-v8.24.60.exe?Expires=1713405575&Signature=2WQC5y2N-HrvfbwCMSuJ2AepXckGrbtsXEdZfqTTcjsjIKwZ48XDUv2do7SKzLJZWbg3r4Qt-YcgcCEnlL4U8K~rZtlF1Sign5lBZQZ-qWq6nwQhfqOgI~2AzpwFlKa5Z0ZnNvk2QuBEm0NcoBXnTJbNIFUhXCXRo~PkpHmlp-Y848hU1zn-5iSX5OQNww3WIYg3K44DIbQxYvphEE2jdUyUTtrCWjluOBokHPH6E~RD6qKswmjzuLGyXmsEyq2FGQou~BS4AMtEkggT4nGQgr237R7z6oZi4w27o~lPIOGwMp1OZKYPzPyFXWTVDDIRSWrWSGeDI6ePgo8Ifcsj4g__&Key-Pair-Id=K2W1AJ47IQWIOI" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - wget.exe (PID: 6672 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://staticcontent.cricut.com/a/software/win32-native/CricutDesignSpace-Install-v8.24.60.exe?Expires=1713405575&Signature=2WQC5y2N-HrvfbwCMSuJ2AepXckGrbtsXEdZfqTTcjsjIKwZ48XDUv2do7SKzLJZWbg3r4Qt-YcgcCEnlL4U8K~rZtlF1Sign5lBZQZ-qWq6nwQhfqOgI~2AzpwFlKa5Z0ZnNvk2QuBEm0NcoBXnTJbNIFUhXCXRo~PkpHmlp-Y848hU1zn-5iSX5OQNww3WIYg3K44DIbQxYvphEE2jdUyUTtrCWjluOBokHPH6E~RD6qKswmjzuLGyXmsEyq2FGQou~BS4AMtEkggT4nGQgr237R7z6oZi4w27o~lPIOGwMp1OZKYPzPyFXWTVDDIRSWrWSGeDI6ePgo8Ifcsj4g__&Key-Pair-Id=K2W1AJ47IQWIOI" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
- CricutDesignSpace-Install-v8.24.60.exe@Expires=1713405575&Signature=2WQC5y2N-HrvfbwCMSuJ2AepXckGrbtsXEdZfqTTcjsjIKwZ48XDUv2do7SKzLJZWbg3r4Qt-YcgcCEnlL4U8K~rZtlF1Sign5lBZQZ-qWq6nwQhfqOgI~2AzpwFlKa5Z0ZnNvk2QuBE.exe (PID: 3916 cmdline: "C:\Users\user\Desktop\download\CricutDesignSpace-Install-v8.24.60.exe@Expires=1713405575&Signature=2WQC5y2N-HrvfbwCMSuJ2AepXckGrbtsXEdZfqTTcjsjIKwZ48XDUv2do7SKzLJZWbg3r4Qt-YcgcCEnlL4U8K~rZtlF1Sign5lBZQZ-qWq6nwQhfqOgI~2AzpwFlKa5Z0ZnNvk2QuBE.exe" MD5: D1DE89A112FE350F4BAF657026B0E02F)
- explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
  - WerFault.exe (PID: 1700 cmdline: C:\Windows\system32\WerFault.exe -u -p 2580 -s 9996 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- explorer.exe (PID: 3696 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  - WerFault.exe (PID: 6812 cmdline: C:\Windows\system32\WerFault.exe -u -p 3696 -s 4220 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- explorer.exe (PID: 6952 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  - WerFault.exe (PID: 6760 cmdline: C:\Windows\system32\WerFault.exe -u -p 6952 -s 4872 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- explorer.exe (PID: 5928 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  - WerFault.exe (PID: 3164 cmdline: C:\Windows\system32\WerFault.exe -u -p 5928 -s 4328 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- explorer.exe (PID: 6596 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  - WerFault.exe (PID: 4220 cmdline: C:\Windows\system32\WerFault.exe -u -p 6596 -s 4360 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- explorer.exe (PID: 2300 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  - WerFault.exe (PID: 2720 cmdline: C:\Windows\system32\WerFault.exe -u -p 2300 -s 2264 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- explorer.exe (PID: 2996 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  - WerFault.exe (PID: 4392 cmdline: C:\Windows\system32\WerFault.exe -u -p 2996 -s 1440 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- explorer.exe (PID: 2060 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  - WerFault.exe (PID: 1460 cmdline: C:\Windows\system32\WerFault.exe -u -p 2060 -s 4488 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- explorer.exe (PID: 4988 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  - WerFault.exe (PID: 1612 cmdline: C:\Windows\system32\WerFault.exe -u -p 4988 -s 4528 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- explorer.exe (PID: 4484 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  - WerFault.exe (PID: 5024 cmdline: C:\Windows\system32\WerFault.exe -u -p 4484 -s 4352 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
No configs have been found

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | ironshell_php | Semi-Auto-generated - file ironshell.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | 

System Summary

Source | Author
---|---
 | James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger