Edit tour
Windows
Analysis Report
starwindconverter.exe
Overview
General Information
| Sample name: | starwindconverter.exe |
| Analysis ID: | 1432220 |
| MD5: | f9545db50cc40988b62b49ffce2874be |
| SHA1: | 12af954da045061b75c15322fa6f761bab09a787 |
| SHA256: | 3018ec56677e92e472fad392c390b606b9e8c93927766a900ab808e9e791882a |
| Infos: |  |
 | |
Detection
| Score: | 11 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 0% |
Compliance
| Score: | 53 |
| Range: | 0 - 100 |
Signatures
Checks for available system drives (often done to infect USB drives)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Classification
Analysis Advice
| Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--") |
| Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox |
| Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook |
| Sample may be VM or Sandbox-aware, try analysis on a native machine |
| Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior |
| Sample searches for specific file, try point organization specific fake files to the analysis machine |
- System is w10x64
starwindconverter.exe (PID: 6880 cmdline: "C:\Users\ user\Deskt op\starwin dconverter .exe" MD5: F9545DB50CC40988B62B49FFCE2874BE) - starwindconverter.tmp (PID: 5944 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-DTP 8T.tmp\sta rwindconve rter.tmp" /SL5="$104 46,4001562 9,338944,C :\Users\us er\Desktop \starwindc onverter.e xe" MD5: 2356F5F81D797DFA2A9C35E973358693) 
cmd.exe (PID: 6804 cmdline: "C:\Window s\system32 \cmd.exe" /C ""C:\Pr ogram File s\StarWind Software\ StarWind V 2V Convert er\lib\vst or2install .bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 2416 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
WMIC.exe (PID: 2844 cmdline: wmic OS ge t OSArchit ecture MD5: C37F2F4F4B3CD128BDABCAEB2266A785) 
findstr.exe (PID: 6644 cmdline: findstr 64 MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - sc.exe (PID: 2516 cmdline:
sc query v stor2-mnta pi20-share d MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - sc.exe (PID: 692 cmdline:
sc create vstor2-mnt api20-shar ed type= k ernel star t= auto er ror= norma l binpath= System32\ drivers\vs tor2-mntap i20-shared .sys Displ ayName= "V stor2 MntA pi 2.0 Dri ver (share d)" group= System MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - sc.exe (PID: 2300 cmdline:
sc start v stor2-mnta pi20-share d MD5: 3FB5CF71F7E7EB49790CB0E663434D80) 
vc_redist.x64.130.exe (PID: 4116 cmdline: "C:\Progra m Files\St arWind Sof tware\Star Wind V2V C onverter\v c\vc_redis t.x64.130. exe" /quie t MD5: 96B61B8E069832E6B809F24EA74567BA) - vc_redist.x64.130.exe (PID: 5808 cmdline:
"C:\Progra m Files\St arWind Sof tware\Star Wind V2V C onverter\v c\vc_redis t.x64.130. exe" /quie t -burn.un elevated B urnPipe.{D 7692551-F3 D1-4F96-B9 8C-6EA8EBC E2C29} {99 F278BD-B40 2-4D45-B36 7-3A71E4C7 8909} 4116 MD5: 96B61B8E069832E6B809F24EA74567BA) - vc_redist.x64.140.exe (PID: 3452 cmdline:
"C:\Progra m Files\St arWind Sof tware\Star Wind V2V C onverter\v c\vc_redis t.x64.140. exe" /quie t MD5: 27B141AACC2777A82BB3FA9F6E5E5C1C) - vc_redist.x64.140.exe (PID: 2536 cmdline:
"C:\Progra m Files\St arWind Sof tware\Star Wind V2V C onverter\v c\vc_redis t.x64.140. exe" /quie t -burn.un elevated B urnPipe.{6 21695C5-B5 2A-43D6-BA AE-CEAD8A9 F5342} {3E 01C30D-E9A 5-4BF9-AFE 0-A4D60C44 3091} 3452 MD5: 27B141AACC2777A82BB3FA9F6E5E5C1C)
- svchost.exe (PID: 3756 cmdline:
C:\Windows \System32\ svchost.ex e -k Local Service -p -s Licens eManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- VSSVC.exe (PID: 5292 cmdline:
C:\Windows \system32\ vssvc.exe MD5: 875046AD4755396636A68F4A9EDB22A4)
- svchost.exe (PID: 5824 cmdline:
C:\Windows \System32\ svchost.ex e -k swprv MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- SrTasks.exe (PID: 3624 cmdline:
C:\Windows \system32\ srtasks.ex e ExecuteS copeRestor ePoint /Wa itForResto rePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB) - conhost.exe (PID: 3484 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
msiexec.exe (PID: 4820 cmdline: C:\Windows \system32\ msiexec.ex e /V MD5: E5DA170027542E25EDE42FC54C929077)
chrome.exe (PID: 6416 cmdline: "C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 6204 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2220 --fi eld-trial- handle=190 4,i,726046 8871230898 073,339895 2734327397 412,262144 --disable -features= Optimizati onGuideMod elDownload ing,Optimi zationHint s,Optimiza tionHintsF etching,Op timization TargetPred iction /pr efetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- svchost.exe (PID: 6964 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- vcredist_x64.exe (PID: 8 cmdline:
"C:\Progra mData\Pack age Cache\ {050d4fc8- 5d48-4b8f- 8972-47c82 c46020f}\v credist_x6 4.exe" /bu rn.runonce MD5: E16E6D68CE1949C9721656390F47CE07) - vcredist_x64.exe (PID: 1992 cmdline:
"C:\Progra mData\Pack age Cache\ {050d4fc8- 5d48-4b8f- 8972-47c82 c46020f}\v credist_x6 4.exe" MD5: E16E6D68CE1949C9721656390F47CE07)
- cleanup
⊘No configs have been found
⊘No yara matches
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: | ||
| Source: | Author: frack113: | ||
| Source: | Author: vburov: | ||
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
| Source: | Code function: | 14_2_007F7378 | |
| Source: | Code function: | 14_2_007D8101 | |
| Source: | Code function: | 14_2_007D8386 | |
| Source: | Code function: | 14_2_007D7E2A | |
| Source: | Code function: | 26_2_00A88386 | |
| Source: | Code function: | 26_2_00A88101 | |
| Source: | Code function: | 26_2_00AA7378 | |
| Source: | Code function: | 26_2_00A87E2A | |
| Source: | Code function: | 28_2_00DC8281 | |
| Source: | Code function: | 28_2_00DE7C27 | |
| Source: | Code function: | 28_2_00DC8558 | |
| Source: | Code function: | 28_2_00DC86D9 | |
Compliance |   |
|---|
| Source: | Static PE information: | ||
| Source: | Window detected: | ||