Windows
Analysis Report
7.5RabbitFix_V9.exe
Overview
General Information
Detection
Score: | 64 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code contains very large strings
Reads the Security eventlog
Reads the System eventlog
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Uses 32bit PE files
Uses taskkill to terminate processes
Classification
- System is w10x64_ra
- 7.5RabbitFix_V9.exe (PID: 7164, cmdline: "C:\Users\user\Desktop\7.5RabbitFix_V9.exe", MD5: 7EC9E3FC3F9F3CCE7C965E09152726A4)
  - conhost.exe (PID: 2080, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - taskkill.exe (PID: 1992, cmdline: "C:\Windows\system32\taskkill.exe" /im erlsrv.exe /f /t, MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
  - taskkill.exe (PID: 1388, cmdline: "C:\Windows\system32\taskkill.exe" /im epmd.exe /f /t, MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
  - taskkill.exe (PID: 3596, cmdline: "C:\Windows\system32\taskkill.exe" /im erl.exe /f /t, MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
  - taskkill.exe (PID: 1544, cmdline: "C:\Windows\system32\taskkill.exe" /im nginx.exe /f /t, MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
- rundll32.exe (PID: 2664, cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding, MD5: EF3179D498793BF4234F708D3BE28633)
- cleanup
⊘No yara matches
System Summary |
---|
Source: | Author: Nasreddine Bencherchali (Nextron Systems): |
⊘No Snort rule has matched
AV Detection |
---|
Source: | Virustotal: | Permalink |
Source: | Static PE information: |
Source: | Static PE information: |
Spam, unwanted Advertisements and Ransom Demands |
---|
Source: | Key opened: | ||
Source: | Key opened: | ||
Source: | Key opened: | ||
Source: | Key opened: |
Source: | Key opened: | ||
Source: | Key opened: | ||
Source: | Key opened: | ||
Source: | Key opened: |
System Summary |
---|
Source: | Long String: |
Source: | Static PE information: |
Source: | Base64 encoded string: |