Windows Analysis Report
Recorder_System_v1.10.0048.exe
Overview
General Information
Detection
Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 20%
Signatures
Antivirus detection for URL or domain
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
Analysis Advice
Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior
Sample monitors window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample searches for specific files; try placing organization-specific fake files on the analysis machine
- System is w10x64
  - Recorder_System_v1.10.0048.exe (PID: 6640 cmdline: "C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe" MD5: A9042018E74F1FC91EBFC730A295C9B4)
  - Recorder_System_v1.10.0048.tmp (PID: 6712 cmdline: "C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp" /SL5="$402A6,102473945,718848,C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe" MD5: 1F06960E3F2EEB78A46C85642496CA37)
  - powershell.exe (PID: 5684 cmdline: "powershell" Set-Executionpolicy remotesigned -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 3896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - Recorder System.exe (PID: 5676 cmdline: "C:\Program Files (x86)\Recorder System\Recorder System.exe" MD5: BE6CC65866AA027B96D3859D32095508)
  - QtWebEngineProcess.exe (PID: 2500 cmdline: "C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe" --type=renderer --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --use-gl=angle --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,BlinkGenPropertyTrees,MojoVideoCapture,NetworkServiceNotSupported,OriginTrials,SmsReceiver,UsePdfCompositorServiceForPrint,UseSurfaceLayerForVideo,VizDisplayCompositor,WebAuthentication,WebAuthenticationCable,WebPayments,WebUSB --lang=en-CH --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11831953104643474927 --renderer-client-id=3 --mojo-platform-channel-handle=3536 /prefetch:1 MD5: 3288E9408352FFB05063B27028456E1B)
  - powershell.exe (PID: 5680 cmdline: powershell -file C:/Users/user/AppData/Local/official-recorder/temp/gpu.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 3448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - svchost.exe (PID: 6624 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  - WmiApSrv.exe (PID: 7088 cmdline: C:\Windows\system32\wbem\WmiApSrv.exe MD5: 9A48D32D7DBA794A40BF030DA500603B)
  - cleanup
No configs have been found
No yara matches

System Summary

| Source | Author |
|---|---|
| | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |
| | vburov |

No Snort rule has matched
AV Detection

| Source | Detail |
|---|---|
| | URL Reputation: |
| | Static PE information: |
| | Window detected: |