
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1585487
MD5: 9bb6b2817ef5a1367529506eaf619f0f
SHA1: 69cb6c8bad09624b19f4c77513b915473f6ab1f6
SHA256: 87bd876ce006ac681bdc03bb01449c6444f93f8ddf147c6af6b8e1275e3949e9
Tags: exe, user-jstrosch

Detection

DarkVision Rat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected DarkVision Rat
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain checking for user administrative privileges
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
PE file contains section with special chars
Searches for specific processes (likely to inject)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses dynamic DNS services
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 1268 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9BB6B2817EF5A1367529506EAF619F0F)
    • cmd.exe (PID: 3088 cmdline: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows' MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4132 cmdline: powershell.exe Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows' MD5: 04029E121A0CFA5991749937DD22A1D9)
    • windows.exe (PID: 1032 cmdline: "C:\ProgramData\windows\windows.exe" {D8E15931-E2AD-40B5-A4D1-41BD1741249E} MD5: 9BB6B2817EF5A1367529506EAF619F0F)
      • cmd.exe (PID: 6540 cmdline: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows' MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 4616 cmdline: powershell.exe Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • WmiPrvSE.exe (PID: 2800 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • explorer.exe (PID: 7020 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)
  • cmd.exe (PID: 4132 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\{A6378F27-E3E4-43B5-A4A9-3CD42AEFDEDB}\{01CD18C6-8DB4-4D19-901B-142FFEF41E7A}.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3816 cmdline: cmd /c start "" "C:\ProgramData\windows\windows.exe" {5EED0EA3-A73E-442A-9D20-84320F1AFCBA} MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • windows.exe (PID: 1364 cmdline: "C:\ProgramData\windows\windows.exe" {5EED0EA3-A73E-442A-9D20-84320F1AFCBA} MD5: 9BB6B2817EF5A1367529506EAF619F0F)
  • cleanup
{"C2": "acuweld.ddns.net", "Port": 3440}
Source | Rule | Description | Author | Strings
00000000.00000002.2226501706.00000000007C1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security |
00000000.00000002.2226501706.00000000007C1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000009.00000002.4672905942.0000000000EF8000.00000002.00001000.00020000.00000000.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security |
00000009.00000002.4672905942.0000000000EF8000.00000002.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000005.00000002.4673836366.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security |
(5 of 13 entries shown)
Source | Rule | Description | Author | Strings
5.2.windows.exe.cadf20.1.raw.unpack | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security |
5.2.windows.exe.cadf20.1.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
5.2.windows.exe.cadf20.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | 0x36ce8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}; 0x36c18:$s1: CoGetObject; 0x36cb0:$s2: Elevation:Administrator!new:
5.2.windows.exe.cadf20.1.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
5.2.windows.exe.cadf20.1.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | 0x360e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}; 0x36018:$s1: CoGetObject; 0x360b0:$s2: Elevation:Administrator!new:
(5 of 12 entries shown)

                  System Summary

Source: Process started
Author: Florian Roth (Nextron Systems)
Data:
  Command: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows'
  CommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows'
  CommandLine|base64offset|contains:
  Image: C:\Windows\System32\cmd.exe
  NewProcessName: C:\Windows\System32\cmd.exe
  OriginalFileName: C:\Windows\System32\cmd.exe
  ParentCommandLine: "C:\Users\user\Desktop\file.exe"
  ParentImage: C:\Users\user\Desktop\file.exe
  ParentProcessId: 1268
  ParentProcessName: file.exe
  ProcessCommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows'
  ProcessId: 3088
  ProcessName: cmd.exe