Windows
Analysis Report
https://github.com/bambulab/BambuStudio/releases/download/v01.08.04.51/Bambu_Studio_win_public-v01.08.04.51-20240117164301.exe
Overview
General Information
Detection
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Drops large PE files
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Writes many files with high entropy
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- cmd.exe (PID: 2800 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/bambulab/BambuStudio/releases/download/v01.08.04.51/Bambu_Studio_win_public-v01.08.04.51-20240117164301.exe" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - wget.exe (PID: 4112 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/bambulab/BambuStudio/releases/download/v01.08.04.51/Bambu_Studio_win_public-v01.08.04.51-20240117164301.exe" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
- Bambu_Studio_win_public-v01.08.04.51-20240117164301.exe (PID: 1436 cmdline: "C:\Users\user\Desktop\download\Bambu_Studio_win_public-v01.08.04.51-20240117164301.exe" MD5: DFD4A19DE50A68477EDAC8DBB25FAF9A)
  - MicrosoftEdgeWebView2RuntimeInstallerX64.exe (PID: 5952 cmdline: "C:\Program Files\Bambu Studio\plugin\MicrosoftEdgeWebView2RuntimeInstallerX64.exe" /silent /install MD5: 8D32A91401F3C062EE93502BD79D28D8)
  - MicrosoftEdgeUpdate.exe (PID: 6108 cmdline: "C:\Program Files (x86)\Microsoft\Temp\EUE0BF.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView2%20Runtime&needsadmin=True" MD5: 0F11E6717C1FE6DD20AE2D12F63AF3F7)
  - MicrosoftEdgeUpdate.exe (PID: 4276 cmdline: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc MD5: 0F11E6717C1FE6DD20AE2D12F63AF3F7)
  - MicrosoftEdgeUpdate.exe (PID: 3856 cmdline: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver MD5: 0F11E6717C1FE6DD20AE2D12F63AF3F7)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2952 cmdline: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe" MD5: 3DACF7CC11DE65C60616DC29C41397BE)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1216 cmdline: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe" MD5: 3DACF7CC11DE65C60616DC29C41397BE)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6224 cmdline: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe" MD5: 3DACF7CC11DE65C60616DC29C41397BE)
  - MicrosoftEdgeUpdate.exe (PID: 6848 cmdline: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNTMuNDciIHNoZWxsX3ZlcnNpb249IjEuMy4xNTMuNDciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEFFNDg4MjEtNDIxRC00MEYwLTlCOTMtOUZEMjhFQzhBRTREfSIgdXNlcmlkPSJ7MEVBMkNGRkQtMUMyRS00NEUyLTgzMjAtNTI5NzQ5QkU3NDE1fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins0RjU1MDU0RC04NzAwLTREMjAtQUZDMS1DODVEQTU4MzFDRjd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjIwMDYiIHNwPSIiIGFyY2g9Ing2NCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9Imp3dGFpaywgSW5jLiIgcHJvZHVjdF9uYW1lPSJqd3RhaWsyMCwxIi8-PGV4cCBldGFnPSImcXVvdDtxV0pTeld3UGZkY0xSK1hHSXY2eHJaZmlZT3hoUFUyczFOV21qV2NhRlBnPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTc3LjExIiBuZXh0dmVyc2lvbj0iMS4zLjE1My40NyIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxOTY5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg MD5: 0F11E6717C1FE6DD20AE2D12F63AF3F7)
  - MicrosoftEdgeUpdate.exe (PID: 1600 cmdline: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView2%20Runtime&needsadmin=True" /installsource offline /sessionid "{0AE48821-421D-40F0-9B93-9FD28EC8AE4D}" /silent /offlinedir "{FAF4F54B-74F8-4FCD-81CD-4DFC19E93F21}" MD5: 0F11E6717C1FE6DD20AE2D12F63AF3F7)
- MicrosoftEdgeUpdate.exe (PID: 5748 cmdline: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc MD5: 0F11E6717C1FE6DD20AE2D12F63AF3F7)
- cleanup
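The "Very long cmdline option found" signature above is raised by the /ping argument of MicrosoftEdgeUpdate.exe (PID 6848). Microsoft Edge Update is an Omaha-derived updater, and Omaha passes its XML event ping on the command line as unpadded URL-safe base64, so the check a practitioner wants here is to decode that argument, confirm it is the updater's own telemetry, and cross-check its session id against the /handoff invocation (PID 1600) in the same tree. The Python script below does that. It is an added example written for this page, not code from the sandbox vendor, Bambu Lab or Microsoft. Its only inputs are the two command lines copied from the process tree above, in the "- name (PID: n cmdline: ... MD5: ...)" form this page uses; the URL-safe base64 convention is an assumption taken from Omaha, which the decoded updater="Omaha" attribute bears out for this sample.

```python
"""Decode the MicrosoftEdgeUpdate.exe /ping argument from the process tree above.

Added example for this report (not sandbox, Bambu Studio or Microsoft code).
Assumes the Omaha convention of passing the XML ping as unpadded URL-safe base64.
"""
import base64
import json
import re
import xml.etree.ElementTree as ET

# /ping argument of PID 6848, copied from the tree above (extraction spaces removed).
PING_ARG = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD"
    "0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNTMuNDciIHNoZWxsX3Zlcn"
    "Npb249IjEuMy4xNTMuNDciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEFFNDg4MjEtNDIxRC00ME"
    "YwLTlCOTMtOUZEMjhFQzhBRTREfSIgdXNlcmlkPSJ7MEVBMkNGRkQtMUMyRS00NEUyLTgzMjAtNTI5Nz"
    "Q5QkU3NDE1fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins0RjU1MD"
    "U0RC04NzAwLTREMjAtQUZDMS1DODVEQTU4MzFDRjd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMC"
    "I-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIH"
    "NzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcy"
    "BwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjIwMDYiIHNwPSIiIGFyY2g9Ing2NCIvPj"
    "xvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9Imp3dGFpaywgSW5jLiIgcHJvZHVjdF9uYW1lPSJqd3RhaW"
    "syMCwxIi8-PGV4cCBldGFnPSImcXVvdDtxV0pTeld3UGZkY0xSK1hHSXY2eHJaZmlZT3hoUFUyczFOV2"
    "1qV2NhRlBnPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMj"
    "BGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTc3LjExIiBuZXh0dmVyc2lvbj0iMS4zLjE1My40NyIgbGFuZz"
    "0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIG"
    "Vycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxOTY5Ii8-PC9hcHA-PC"
    "9yZXF1ZXN0Pg"
)

EDGEUPDATE = '"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"'

# Two tree entries (PIDs 6848 and 1600) in the "- name (PID: n cmdline: ... MD5: ...)"
# form used on this page; the /handoff command line is copied from the tree above.
TREE_LINES = [
    "- MicrosoftEdgeUpdate.exe (PID: 6848 cmdline: " + EDGEUPDATE + " /ping "
    + PING_ARG + " MD5: 0F11E6717C1FE6DD20AE2D12F63AF3F7)",
    "- MicrosoftEdgeUpdate.exe (PID: 1600 cmdline: " + EDGEUPDATE
    + ' /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname='
    'Microsoft%20Edge%20WebView2%20Runtime&needsadmin=True" /installsource offline'
    ' /sessionid "{0AE48821-421D-40F0-9B93-9FD28EC8AE4D}" /silent /offlinedir'
    ' "{FAF4F54B-74F8-4FCD-81CD-4DFC19E93F21}" MD5: 0F11E6717C1FE6DD20AE2D12F63AF3F7)',
]

ENTRY_RE = re.compile(
    r"^-\s*(?P<name>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$"
)


def parse_entries(lines):
    """Parse "- name (PID: n cmdline: ... MD5: ...)" lines into dicts."""
    entries = [m.groupdict() for m in map(ENTRY_RE.match, (l.strip() for l in lines)) if m]
    for e in entries:
        e["pid"] = int(e["pid"])
    return entries


def switch_value(cmdline, switch):
    """Return the argument following /<switch>, with surrounding quotes removed."""
    m = re.search(r"/" + re.escape(switch) + r'\s+"?([^"\s]+)"?', cmdline)
    return m.group(1) if m else None


def decode_omaha_ping(arg):
    """Re-pad the unpadded URL-safe base64 and parse the result as XML."""
    raw = base64.urlsafe_b64decode(arg + "=" * (-len(arg) % 4))
    return ET.fromstring(raw)


def summarize_ping(root):
    """Pull the fields an analyst compares against the rest of the process tree."""
    os_el = root.find("os")
    return {
        "updater": root.get("updater"),
        "updaterversion": root.get("updaterversion"),
        "sessionid": root.get("sessionid"),
        "os_version": os_el.get("version") if os_el is not None else None,
        "apps": [
            {"appid": a.get("appid"), "version": a.get("version"),
             "nextversion": a.get("nextversion"),
             "eventtypes": [e.get("eventtype") for e in a.findall("event")]}
            for a in root.findall("app")
        ],
    }


def triage(lines):
    """Decode the /ping entry and check its session id against the /handoff entry."""
    entries = parse_entries(lines)
    ping = next(e for e in entries if " /ping " in e["cmd"])
    handoff = next(e for e in entries if " /handoff " in e["cmd"])
    summary = summarize_ping(decode_omaha_ping(switch_value(ping["cmd"], "ping")))
    summary["ping_pid"] = ping["pid"]
    summary["session_matches_handoff"] = (
        summary["sessionid"] == switch_value(handoff["cmd"], "sessionid")
    )
    return summary


if __name__ == "__main__":
    print(json.dumps(triage(TREE_LINES), indent=2))
```

Running it prints a JSON summary: the decoded request identifies itself as updater="Omaha", version 1.3.153.47, on Windows 10.0.19045.2006; its session id {0AE48821-421D-40F0-9B93-9FD28EC8AE4D} equals the /sessionid passed to the /handoff process, which ties the ping to the WebView2 runtime installation started by the Bambu Studio installer; and the single app element carries appid {F3C4FE00-EFD5-403B-9569-398A20F1BA4A}, which is not the WebView2 appguid from the /install and /handoff command lines, so the event reported there is for a different Omaha app id than the runtime being installed. Decoding the argument is what turns a "may be encrypted or packed" hit into a readable telemetry ping. The same kind of context check applies to the other command-line-driven signatures in this report: the only web-request command in the tree is the sandbox's own wget fetch of the submitted URL (PID 4112, writing into the directory the installer is then launched from), and the /regsvc, /regserver and /svc switches are the updater's service and COM registration steps, which is where the service-modification and COM task scheduler signatures should be checked first.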
No configs have been found
No yara matches
System Summary
Sigma rule | Author
---|---
Invoke-Obfuscation CLIP+ Launcher | Jonathan Cheong, oscd.community
Invoke-Obfuscation VAR+ Launcher | Jonathan Cheong, oscd.community
Usage Of Web Request Commands And Cmdlets | James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
No Snort rule has matched