Windows Analysis Report
http://Gertec_Certificates_Installer_1.2.0.0.exe

Overview

General Information

Sample URL: http://Gertec_Certificates_Installer_1.2.0.0.exe
Analysis ID: 1427910

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Source: unknown DNS traffic detected: query: gertec_certificates_installer_1.2.0.0.exe replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: gertec_certificates_installer_1.2.0.0.exe
Source: wget.exe, 00000002.00000002.2081491966.0000000000B80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Gertec_Certificates_Installer_1.2.0.0.exe
Source: wget.exe, 00000002.00000002.2081544894.0000000001130000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Gertec_Certificates_Installer_1.2.0.0.exea
Source: wget.exe, 00000002.00000002.2081544894.0000000001130000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Gertec_Certificates_Installer_1.2.0.0.exeng
Source: wget.exe, 00000002.00000002.2081544894.0000000001135000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.2081398214.00000000009CD000.00000004.00000010.00020000.00000000.sdmp, cmdline.out.0.dr String found in binary or memory: http://gertec_certificates_installer_1.2.0.0.exe/
Source: wget.exe, 00000002.00000002.2081544894.0000000001135000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gertec_certificates_installer_1.2.0.0.exe/a
Source: wget.exe, 00000002.00000002.2081544894.0000000001135000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gertec_certificates_installer_1.2.0.0.exe/t
Source: classification engine Classification label: clean2.win@4/1@1/0
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2332:120:WilError_03
Source: C:\Windows\SysWOW64\wget.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://Gertec_Certificates_Installer_1.2.0.0.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://Gertec_Certificates_Installer_1.2.0.0.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://Gertec_Certificates_Installer_1.2.0.0.exe"
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wget.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wget.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wget.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wget.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: wget.exe, 00000002.00000002.2081436352.0000000000A58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "http://gertec_certificates_installer_1.2.0.0.exe" > cmdline.out 2>&1
No contacted IP infos