
Windows Analysis Report
https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi

Overview

General Information

Sample URL: https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi
Analysis ID: 1458488

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • cmd.exe (PID: 7504 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wget.exe (PID: 7584 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • OpenWith.exe (PID: 7992 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi" > cmdline.out 2>&1, CommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi" > cmdline.out 2>&1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5524, ProcessCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi" > cmdline.out 2>&1, ProcessId: 7504, ProcessName: cmd.exe
No Snort rule has matched


AV Detection

Source: https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi | Avira URL Cloud: detection malicious, Label: malware
Source: https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi) | Avira URL Cloud: Label: malware
Source: https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msiCESSOR_ | Avira URL Cloud: Label: malware
Source: https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msir | Avira URL Cloud: Label: malware
Source: https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msiNA-PCN | Avira URL Cloud: Label: malware
Source: unknown | HTTPS traffic detected: 3.160.156.148:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: OPNC-v1.1.25.0.msi.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: OPNC-v1.1.25.0.msi.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: OPNC-v1.1.25.0.msi.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: OPNC-v1.1.25.0.msi.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: OPNC-v1.1.25.0.msi.2.dr
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /OPNC-v1.1.25.0.msi HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Accept: */* | Accept-Encoding: identity | Host: d226ryxb715ss0.cloudfront.net | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: d226ryxb715ss0.cloudfront.net
Source: wget.exe, 00000002.00000002.1354978885.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B76000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B7E000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1354239916.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, OPNC-v1.1.25.0.msi.2.dr | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: wget.exe, 00000002.00000002.1354978885.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B76000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B7E000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1354239916.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, OPNC-v1.1.25.0.msi.2.dr | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0(
Source: OPNC-v1.1.25.0.msi.2.dr | String found in binary or memory: http://d2q8odwdblz94i.cloudfront.net
Source: wget.exe, 00000002.00000002.1354978885.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B76000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B7E000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1354239916.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, OPNC-v1.1.25.0.msi.2.dr | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: wget.exe, 00000002.00000002.1354978885.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B76000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B7E000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1354239916.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, OPNC-v1.1.25.0.msi.2.dr | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: wget.exe, 00000002.00000002.1354978885.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B76000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B7E000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1354239916.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, OPNC-v1.1.25.0.msi.2.dr | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: wget.exe, 00000002.00000002.1354978885.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B76000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B7E000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1354239916.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, OPNC-v1.1.25.0.msi.2.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: wget.exe, 00000002.00000002.1354826628.0000000001050000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1354178863.0000000002B4A000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr | String found in binary or memory: https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi
Source: wget.exe, 00000002.00000002.1354910157.0000000002B4D000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1354178863.0000000002B4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi)
Source: wget.exe, 00000002.00000002.1354826628.0000000001050000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msiCESSOR_
Source: wget.exe, 00000002.00000002.1354826628.0000000001050000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msiNA-PCN
Source: wget.exe, 00000002.00000002.1354826628.0000000001055000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msir
Source: wget.exe, 00000002.00000002.1354978885.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B76000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B7E000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1354239916.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1353195425.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, OPNC-v1.1.25.0.msi.2.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: classification engine | Classification label: mal56.win@5/2@1/1
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi"
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://d226ryxb715ss0.cloudfront.net/OPNC-v1.1.25.0.msi"
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: fwpuclnt.dll