Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PXUVmodpCYqRIPQ.exe

Overview

General Information

Sample name:PXUVmodpCYqRIPQ.exe
Analysis ID:1606870
MD5:b12869ee25cc50e4ebb7c66fd75b7b35
SHA1:765488b8536cd89a7bd8ef0100ef97e9d7014c34
SHA256:5a283f2f193bd78816d21cc62d0bb67a5570bc631f5c3752444abc28515e542c
Tags:exeuser-malrpt
Infos:

Detection

AsyncRAT
Score:100
Range:0 - 100
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected AsyncRAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PXUVmodpCYqRIPQ.exe (PID: 6792 cmdline: "C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe" MD5: B12869EE25CC50E4EBB7C66FD75B7B35)
    • powershell.exe (PID: 1216 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5848 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xcsUjVN.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5356 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xcsUjVN" /XML "C:\Users\user\AppData\Local\Temp\tmp6ABF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PXUVmodpCYqRIPQ.exe (PID: 7184 cmdline: "C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe" MD5: B12869EE25CC50E4EBB7C66FD75B7B35)
    • PXUVmodpCYqRIPQ.exe (PID: 7204 cmdline: "C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe" MD5: B12869EE25CC50E4EBB7C66FD75B7B35)
      • cmd.exe (PID: 7504 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Taskshell" /tr '"C:\Users\user\AppData\Roaming\Taskshell.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 7604 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "Taskshell" /tr '"C:\Users\user\AppData\Roaming\Taskshell.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)
      • cmd.exe (PID: 7520 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp4AB4.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 7624 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)