Edit tour
Windows
Analysis Report
7.5RabbitFix_V9.exe
Overview
General Information
Detection
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code contains very large strings
Machine Learning detection for sample
Reads the Security eventlog
Reads the System eventlog
Allocates memory with a write watch (potentially for evading sandboxes)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- 7.5RabbitFix_V9.exe (PID: 6256 cmdline:
"C:\Users\ user\Deskt op\7.5Rabb itFix_V9.e xe" MD5: 7EC9E3FC3F9F3CCE7C965E09152726A4) - conhost.exe (PID: 760 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
⊘No configs have been found
⊘No yara matches
System Summary |
---|
Source: | Author: Nasreddine Bencherchali (Nextron Systems): |
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | String found in binary or memory: |
Spam, unwanted Advertisements and Ransom Demands |
---|
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
System Summary |
---|
Source: | Long String: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Base64 encoded string: |