
Windows Analysis Report RYhdmjjr94

Overview

General Information

Sample Name: RYhdmjjr94 (renamed file extension from none to exe)
Analysis ID: 483549
MD5: 44696d252000850d3ea71d9ae238aedc
SHA1: 1fb61a1df500f9025641526cb4013d555b129a84
SHA256: 1b39d6bf218028dfe7bc8254a3b1682804e9bf05b8298c708c318236f64ad986
Tags: AfiaWaveEnterprisesOy, exe, Formbook, signed

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: System File Execution Location Anomaly
Maps a DLL or memory area into another process
Drops PE files to the startup folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
Injects a PE file into a foreign process
Sigma detected: Execution from Suspicious Folder
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
.NET source code contains very large array initializations
Tries to detect virtualization through RDTSC time measurements
Adds a directory exclusion to Windows Defender
Creates autostart registry keys with suspicious names
Drops PE files with benign system names
Writes to foreign memory regions
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Sigma detected: Powershell Defender Exclusion
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Stores files to the Windows start menu directory
Too many similar processes found
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Creates a start menu entry (Start Menu\Programs\Startup)
Launches processes in debugging mode, may be used to hinder debugging
Sigma detected: Conhost Parent Process Executions
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Creates files inside the system directory
Found potential string decryption / allocating functions
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to launch a program with higher privileges
Contains capabilities to detect virtual machines
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)

Classification

Process Tree

  • System is w10x64
  • RYhdmjjr94.exe (PID: 4328 cmdline: 'C:\Users\user\Desktop\RYhdmjjr94.exe' MD5: 44696D252000850D3EA71D9AE238AEDC)
    • AdvancedRun.exe (PID: 5136 cmdline: 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 3228 cmdline: 'C:\Users\user\AppData\Local\Temp\866838ff-f925-41f4-be86-0619ea100a91\AdvancedRun.exe' /SpecialRun 4101d8 5136 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 6260 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6392 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6512 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6688 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6832 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 36C95A71.exe (PID: 7004 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' MD5: 44696D252000850D3EA71D9AE238AEDC)
      • AdvancedRun.exe (PID: 3132 cmdline: 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
        • AdvancedRun.exe (PID: 6968 cmdline: 'C:\Users\user\AppData\Local\Temp\36029300-7d61-41e1-9521-12c4a6ab3f8e\AdvancedRun.exe' /SpecialRun 4101d8 3132 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • powershell.exe (PID: 3016 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 5052 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6824 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • powershell.exe (PID: 7104 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 5752 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • aspnet_compiler.exe (PID: 6608 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
    • powershell.exe (PID: 7148 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1140 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3688 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • aspnet_compiler.exe (PID: 6548 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • svchost.exe (PID: 6672 cmdline: 'C:\Users\Public\Documents\2FDD6624\svchost.exe' MD5: 44696D252000850D3EA71D9AE238AEDC)
          • AdvancedRun.exe (PID: 7032 cmdline: 'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
            • AdvancedRun.exe (PID: 4968 cmdline: 'C:\Users\user\AppData\Local\Temp\adcc6271-e229-4005-bcb6-10475704cb95\AdvancedRun.exe' /SpecialRun 4101d8 7032 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
          • powershell.exe (PID: 6564 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
            • conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • powershell.exe (PID: 5020 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
            • conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • powershell.exe (PID: 4752 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • WerFault.exe (PID: 6376 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 2188 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 4824 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6172 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6212 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6284 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6456 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6604 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7156 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 5496 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • 36C95A71.exe (PID: 5628 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' MD5: 44696D252000850D3EA71D9AE238AEDC)
    • AdvancedRun.exe (PID: 4888 cmdline: 'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 7060 cmdline: 'C:\Users\user\AppData\Local\Temp\9de20bc9-aa79-424f-aee4-da91bc757ec8\AdvancedRun.exe' /SpecialRun 4101d8 4888 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 2564 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2072 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6244 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4908 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6560 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6468 cmdline: 'C:\Users\Public\Documents\2FDD6624\svchost.exe' MD5: 44696D252000850D3EA71D9AE238AEDC)
    • AdvancedRun.exe (PID: 7052 cmdline: 'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 6368 cmdline: 'C:\Users\user\AppData\Local\Temp\4a22a6d0-4aef-43ec-af0a-4fbe1184937f\AdvancedRun.exe' /SpecialRun 4101d8 7052 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 2424 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4492 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5984 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6584 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\2FDD6624\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
  • svchost.exe (PID: 6068 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 3000 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4328 -ip 4328 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6508 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 7004 -ip 7004 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 1008 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2896 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

00000000.00000000.407421207.0000000003B13000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

00000000.00000000.407421207.0000000003B13000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0xa088:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xa302:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x368a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x36b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15e25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x42645:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15911:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x42131:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15f27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x42747:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1609f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x428bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xad1a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x3753a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x14b8c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x413ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xba13:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x38233:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1bac7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x482e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1caca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

00000000.00000000.407421207.0000000003B13000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18ba9:$sqlite3step: 68 34 1C 7B E1
  • 0x18cbc:$sqlite3step: 68 34 1C 7B E1
  • 0x453c9:$sqlite3step: 68 34 1C 7B E1
  • 0x454dc:$sqlite3step: 68 34 1C 7B E1
  • 0x18bd8:$sqlite3text: 68 38 2A 90 C5
  • 0x18cfd:$sqlite3text: 68 38 2A 90 C5
  • 0x453f8:$sqlite3text: 68 38 2A 90 C5
  • 0x4551d:$sqlite3text: 68 38 2A 90 C5
  • 0x18beb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18d13:$sqlite3blob: 68 53 D8 7F 8C
  • 0x4540b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x45533:$sqlite3blob: 68 53 D8 7F 8C

00000025.00000000.601965893.00000000076C0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

00000025.00000000.601965893.00000000076C0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x2685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x2171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x2787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x28ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x13ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x8327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x932a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(42 entries in total; the remainder are not shown on this page)

Unpacked PEs

Source | Rule | Description | Author | Strings

0.0.RYhdmjjr94.exe.373b3c0.23.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0.0.RYhdmjjr94.exe.373b3c0.23.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.0.RYhdmjjr94.exe.38fe890.10.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0.0.RYhdmjjr94.exe.38fe890.10.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.0.RYhdmjjr94.exe.38fe890.26.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

(31 entries in total; the remainder are not shown on this page)

Sigma Overview

System Summary:

Sigma detected: System File Execution Location Anomaly
Source: Process started; Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community; Data: Command: 'C:\Users\Public\Documents\2FDD6624\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\2FDD6624\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\2FDD6624\svchost.exe, NewProcessName: C:\Users\Public\Documents\2FDD6624\svchost.exe, OriginalFileName: C:\Users\Public\Documents\2FDD6624\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3472, ProcessCommandLine: 'C:\Users\Public\Documents\2FDD6624\svchost.exe' , ProcessId: 6672

Sigma detected: Execution from Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\Documents\2FDD6624\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\2FDD6624\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\2FDD6624\svchost.exe, NewProcessName: C:\Users\Public\Documents\2FDD6624\svchost.exe, OriginalFileName: C:\Users\Public\Documents\2FDD6624\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3472, ProcessCommandLine: 'C:\Users\Public\Documents\2FDD6624\svchost.exe' , ProcessId: 6672

Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\Documents\2FDD6624\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\2FDD6624\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\2FDD6624\svchost.exe, NewProcessName: C:\Users\Public\Documents\2FDD6624\svchost.exe, OriginalFileName: C:\Users\Public\Documents\2FDD6624\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3472, ProcessCommandLine: 'C:\Users\Public\Documents\2FDD6624\svchost.exe' , ProcessId: 6672

Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\RYhdmjjr94.exe' , ParentImage: C:\Users\user\Desktop\RYhdmjjr94.exe, ParentProcessId: 4328, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RYhdmjjr94.exe' -Force, ProcessId: 6260

Sigma detected: Conhost Parent Process Executions
Source: Process started; Author: omkar72; Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 6824, Proc