
Windows Analysis Report
vm-uw.exe

Overview

General Information

Sample name: vm-uw.exe
Analysis ID: 1455404
MD5: 78c6129bfd81f88cfb7171caf2d386a1
SHA1: f626224572dea0bc2983e3b3986bd1c1af5533ce
SHA256: aa1ad7c508d497292d1e017b946cc381be204bd641543bcf584da286eb6f685f
Tags: exe, trojan

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Potentially malicious time measurement code found
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Modifies existing windows services
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Process Start Locations
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

  • System is w10x64
  • vm-uw.exe (PID: 6688 cmdline: "C:\Users\user\Desktop\vm-uw.exe" MD5: 78C6129BFD81F88CFB7171CAF2D386A1)
    • cmd.exe (PID: 5308 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\systkm32\vv.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • mode.com (PID: 5272 cmdline: mode con: cols=16 lines=2 MD5: FB615848338231CEBC16E32A3035C3F8)
      • PING.EXE (PID: 5252 cmdline: ping 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • csrss.exe (PID: 2832 cmdline: C:\Windows\Fonts\systkm32\csrss.exe WMPNetworkSxc C:\Windows\Fonts\systkm32\svchost.exe MD5: C43D1B84143FB2561F22E1A2C8FACF53)
      • PING.EXE (PID: 7068 cmdline: ping 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • reg.exe (PID: 6780 cmdline: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc /v Description /d "Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play." /t reg_sz /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 616 cmdline: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc /v DisplayName /d "Windows Media Player Network Sharing Service." /t reg_sz /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 4868 cmdline: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 5960 cmdline: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters /v AppDirectory /d "C:\Windows\Fonts\systkm32" /t reg_sz /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 5712 cmdline: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters /v Application /d ""C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe" -x "C:\Windows\Logs\ubu\3333.vmx"" /t reg_sz /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • PING.EXE (PID: 4052 cmdline: ping 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • sc.exe (PID: 4040 cmdline: sc start WMPNetworkSxc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • PING.EXE (PID: 6808 cmdline: ping 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • regini.exe (PID: 6748 cmdline: regini 1.ini MD5: C99C3BB423097FCF4990539FC1ED60E3)
    • cmd.exe (PID: 2012 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\HZ~F6EC.tmp.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 1404 cmdline: ping 127.0.0.1 -n 2 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • svchost.exe (PID: 5544 cmdline: C:\Windows\Fonts\systkm32\svchost.exe MD5: 4635935FC972C582632BF45C26BFCB0E)
  • svchost.exe (PID: 7060 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: C:\Windows\Fonts\systkm32\csrss.exe WMPNetworkSxc C:\Windows\Fonts\systkm32\svchost.exe, CommandLine: C:\Windows\Fonts\systkm32\csrss.exe WMPNetworkSxc C:\Windows\Fonts\systkm32\svchost.exe, CommandLine|base64offset|contains: Xz(D, Image: C:\Windows\Fonts\systkm32\csrss.exe, NewProcessName: C:\Windows\Fonts\systkm32\csrss.exe, OriginalFileName: C:\Windows\Fonts\systkm32\csrss.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\systkm32\vv.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5308, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Fonts\systkm32\csrss.exe WMPNetworkSxc C:\Windows\Fonts\systkm32\svchost.exe, ProcessId: 2832, ProcessName: csrss.exe
Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\vm-uw.exe, ProcessId: 6688, TargetFilename: C:\Windows\Fonts\systkm32\csrss.exe
Source: Process started; Author: David Burkett, @signalblur; Data: Command: C:\Windows\Fonts\systkm32\svchost.exe, CommandLine: C:\Windows\Fonts\systkm32\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Fonts\systkm32\svchost.exe, NewProcessName: C:\Windows\Fonts\systkm32\svchost.exe, OriginalFileName: C:\Windows\Fonts\systkm32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\Fonts\systkm32\svchost.exe, ProcessId: 5544, ProcessName: svchost.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: C:\Windows\Fonts\systkm32\csrss.exe WMPNetworkSxc C:\Windows\Fonts\systkm32\svchost.exe, CommandLine: C:\Windows\Fonts\systkm32\csrss.exe WMPNetworkSxc C:\Windows\Fonts\systkm32\svchost.exe, CommandLine|base64offset|contains: Xz(D, Image: C:\Windows\Fonts\systkm32\csrss.exe, NewProcessName: C:\Windows\Fonts\systkm32\csrss.exe, OriginalFileName: C:\Windows\Fonts\systkm32\csrss.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\systkm32\vv.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5308, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\Fonts\systkm32\csrss.exe WMPNetworkSxc C:\Windows\Fonts\systkm32\svchost.exe, ProcessId: 2832, ProcessName: csrss.exe
Source: Process st