Windows
Analysis Report
YPzNsfg4nR.exe
Overview
General Information
Sample name: | YPzNsfg4nR.exerenamed because original name is a hash value |
Original sample name: | 691c8281d68680d1f8966d657bfbcf4d100c7a70d6894493946793cc320623a6.exe |
Analysis ID: | 1585127 |
MD5: | 47f35ed89ba0b7756cc4d268e7516f55 |
SHA1: | 714b90afdccaee669f5e2edd1b8680c4631cffa0 |
SHA256: | 691c8281d68680d1f8966d657bfbcf4d100c7a70d6894493946793cc320623a6 |
Tags: | exeuser-zhuzhu0009 |
Infos: | |
Detection
XWorm
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
YPzNsfg4nR.exe (PID: 7332 cmdline:
"C:\Users\ user\Deskt op\YPzNsfg 4nR.exe" MD5: 47F35ED89BA0B7756CC4D268E7516F55) conhost.exe (PID: 7340 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 24572628.exe (PID: 7544 cmdline:
"C:\Users\ user\Deskt op\2457262 8.exe" MD5: FFD51738DC3483954A7BCDFAF713DB10) powershell.exe (PID: 7704 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -Execution Policy Byp ass Add-Mp Preference -Exclusio nPath 'C:\ Users\user \Desktop\2 4572628.ex e' MD5: 04029E121A0CFA5991749937DD22A1D9) conhost.exe (PID: 7712 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) powershell.exe (PID: 8008 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -Execution Policy Byp ass Add-Mp Preference -Exclusio nProcess ' 24572628.e xe' MD5: 04029E121A0CFA5991749937DD22A1D9) conhost.exe (PID: 8016 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) powershell.exe (PID: 2504 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -Execution Policy Byp ass Add-Mp Preference -Exclusio nPath 'C:\ ProgramDat a\coding' MD5: 04029E121A0CFA5991749937DD22A1D9) conhost.exe (PID: 3628 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) powershell.exe (PID: 4308 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -Execution Policy Byp ass Add-Mp Preference -Exclusio nProcess ' coding' MD5: 04029E121A0CFA5991749937DD22A1D9) conhost.exe (PID: 4288 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) schtasks.exe (PID: 7536 cmdline:
"C:\Window s\System32 \schtasks. exe" /crea te /f /RL HIGHEST /s c minute / mo 1 /tn " coding" /t r "C:\Prog ramData\co ding" MD5: 76CD6626DD8834BD4A42E6A565104DC2) conhost.exe (PID: 7336 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
coding (PID: 5384 cmdline:
C:\Program Data\codin g MD5: FFD51738DC3483954A7BCDFAF713DB10)
OpenWith.exe (PID: 7752 cmdline:
C:\Windows \system32\ OpenWith.e xe -Embedd ing MD5: E4A834784FA08C17D47A1E72429C5109)
svchost.exe (PID: 7736 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
OpenWith.exe (PID: 3536 cmdline:
C:\Windows \system32\ OpenWith.e xe -Embedd ing MD5: E4A834784FA08C17D47A1E72429C5109)
coding (PID: 8084 cmdline:
C:\Program Data\codin g MD5: FFD51738DC3483954A7BCDFAF713DB10)
- cleanup