
Windows Analysis Report wid3i48Egy

Overview

General Information

Sample Name: wid3i48Egy (renamed file extension from none to exe)
Analysis ID: 483859
MD5: 13deb1f9e3779ecdc3025f0252e22176
SHA1: fd7d53357ad66545b97a9333ad48186fb8ab41c8
SHA256: 7a9a395febca4d19f4aae40a2ea18dc819bf7475175cdc2b15e68cb2b5beaff8
Tags: AfiaWaveEnterprisesOy, AgentTesla, exe, signed

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Suspect Svchost Activity
Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: System File Execution Location Anomaly
Drops PE files to the startup folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Creates autostart registry keys with suspicious names
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Drops PE files with benign system names
.NET source code references suspicious native API functions
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Sigma detected: Powershell Defender Exclusion
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Too many similar processes found
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Creates a start menu entry (Start Menu\Programs\Startup)
Sigma detected: Conhost Parent Process Executions
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Creates files inside the system directory
Found potential string decryption / allocating functions
Enables debug privileges
Sample file is different than original file name gathered from version info
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to launch a program with higher privileges
Contains capabilities to detect virtual machines
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries disk information (often used to detect virtual machines)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • wid3i48Egy.exe (PID: 4808 cmdline: 'C:\Users\user\Desktop\wid3i48Egy.exe' MD5: 13DEB1F9E3779ECDC3025F0252E22176)
    • AdvancedRun.exe (PID: 6616 cmdline: 'C:\Users\user\AppData\Local\Temp\bb4197c2-3ca2-421e-81c6-d61dd7f23509\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\bb4197c2-3ca2-421e-81c6-d61dd7f23509\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 3216 cmdline: 'C:\Users\user\AppData\Local\Temp\bb4197c2-3ca2-421e-81c6-d61dd7f23509\AdvancedRun.exe' /SpecialRun 4101d8 6616 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 6640 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wid3i48Egy.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • AdvancedRun.exe (PID: 6660 cmdline: 'C:\Users\user\AppData\Local\Temp\a9800ad9-c2cc-4c67-8ff4-d2bc72b8dec6\AdvancedRun.exe' /SpecialRun 4101d8 6628 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 6356 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wid3i48Egy.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6908 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5244 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7028 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wid3i48Egy.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 7B71FC14.exe (PID: 5476 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe' MD5: 13DEB1F9E3779ECDC3025F0252E22176)
      • AdvancedRun.exe (PID: 6792 cmdline: 'C:\Users\user\AppData\Local\Temp\ea0fb9e7-7fff-4d3b-8736-3e1f935afa8e\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ea0fb9e7-7fff-4d3b-8736-3e1f935afa8e\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
        • AdvancedRun.exe (PID: 3500 cmdline: 'C:\Users\user\AppData\Local\Temp\ea0fb9e7-7fff-4d3b-8736-3e1f935afa8e\AdvancedRun.exe' /SpecialRun 4101d8 6792 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • powershell.exe (PID: 6912 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 676 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 660 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\7957F23F\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 1288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6720 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 4892 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\7957F23F\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3512 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\7957F23F\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5428 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wid3i48Egy.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6352 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\7957F23F\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wid3i48Egy.exe (PID: 5036 cmdline: C:\Users\user\Desktop\wid3i48Egy.exe MD5: 13DEB1F9E3779ECDC3025F0252E22176)
    • WerFault.exe (PID: 384 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 2192 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6136 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • 7B71FC14.exe (PID: 4592 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe' MD5: 13DEB1F9E3779ECDC3025F0252E22176)
    • AdvancedRun.exe (PID: 160 cmdline: 'C:\Users\user\AppData\Local\Temp\9d867b4e-5195-4596-afb6-59f3900a9b34\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\9d867b4e-5195-4596-afb6-59f3900a9b34\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 7124 cmdline: 'C:\Users\user\AppData\Local\Temp\9d867b4e-5195-4596-afb6-59f3900a9b34\AdvancedRun.exe' /SpecialRun 4101d8 160 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 3144 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6588 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 340 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\7957F23F\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5556 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6972 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\7957F23F\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 7B71FC14.exe (PID: 6476 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe MD5: 13DEB1F9E3779ECDC3025F0252E22176)
  • svchost.exe (PID: 4516 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 5208 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4808 -ip 4808 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 3496 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4592 -ip 4592 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6224 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 7036 -ip 7036 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 7036 cmdline: 'C:\Program Files\Common Files\System\7957F23F\svchost.exe' MD5: 13DEB1F9E3779ECDC3025F0252E22176)
    • AdvancedRun.exe (PID: 6628 cmdline: 'C:\Users\user\AppData\Local\Temp\a9800ad9-c2cc-4c67-8ff4-d2bc72b8dec6\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a9800ad9-c2cc-4c67-8ff4-d2bc72b8dec6\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 6728 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\7957F23F\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6364 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\7957F23F\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6852 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\7957F23F\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7060 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\7957F23F\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 400 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\7957F23F\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • svchost.exe (PID: 6248 cmdline: C:\Program Files\Common Files\System\7957F23F\svchost.exe MD5: 13DEB1F9E3779ECDC3025F0252E22176)
  • svchost.exe (PID: 1288 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6884 cmdline: 'C:\Program Files\Common Files\System\7957F23F\svchost.exe' MD5: 13DEB1F9E3779ECDC3025F0252E22176)
    • AdvancedRun.exe (PID: 6168 cmdline: 'C:\Users\user\AppData\Local\Temp\1e4f62ac-bca5-4600-b04a-d7891f7e2c9c\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1e4f62ac-bca5-4600-b04a-d7891f7e2c9c\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 1432 cmdline: 'C:\Users\user\AppData\Local\Temp\1e4f62ac-bca5-4600-b04a-d7891f7e2c9c\AdvancedRun.exe' /SpecialRun 4101d8 6168 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
  • svchost.exe (PID: 6920 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2904 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
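The tree above is the part of the report an incident responder works from: the same binary (MD5 13DEB1F9…) is re-launched from the Startup folder as 7B71FC14.exe and from C:\Program Files\Common Files\System\7957F23F\svchost.exe, each copy first being excluded from Defender via Add-MpPreference. The following script is an added example, not Joe Sandbox code: it parses a constructed subset of the tree lines in the layout printed above, extracts the persistence copies by hash, the masquerading svchost.exe instances, the Defender exclusions, and any PID that the tree lists under two different image names, and emits the matching clean-up commands.

```python
"""Triage of a sandbox process tree in the layout printed above (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict

# Constructed subset of the report's process tree: same line layout, two spaces of indent per level.
SAMPLE_MD5 = "13DEB1F9E3779ECDC3025F0252E22176"
ORIGINAL_PATH = r"C:\Users\user\Desktop\wid3i48Egy.exe"
TREE = r"""
  • wid3i48Egy.exe (PID: 4808 cmdline: 'C:\Users\user\Desktop\wid3i48Egy.exe' MD5: 13DEB1F9E3779ECDC3025F0252E22176)
    • powershell.exe (PID: 6640 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wid3i48Egy.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • AdvancedRun.exe (PID: 6660 cmdline: 'C:\Users\user\AppData\Local\Temp\a9800ad9-c2cc-4c67-8ff4-d2bc72b8dec6\AdvancedRun.exe' /SpecialRun 4101d8 6628 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 6908 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • 7B71FC14.exe (PID: 5476 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe' MD5: 13DEB1F9E3779ECDC3025F0252E22176)
      • powershell.exe (PID: 660 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\7957F23F\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
  • svchost.exe (PID: 6136 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7036 cmdline: 'C:\Program Files\Common Files\System\7957F23F\svchost.exe' MD5: 13DEB1F9E3779ECDC3025F0252E22176)
    • AdvancedRun.exe (PID: 6628 cmdline: 'C:\Users\user\AppData\Local\Temp\a9800ad9-c2cc-4c67-8ff4-d2bc72b8dec6\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\a9800ad9-c2cc-4c67-8ff4-d2bc72b8dec6\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • svchost.exe (PID: 6248 cmdline: C:\Program Files\Common Files\System\7957F23F\svchost.exe MD5: 13DEB1F9E3779ECDC3025F0252E22176)
"""

LINE_RE = re.compile(
    r"^(?P<indent> *)• (?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$"
)
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "conhost.exe", "lsass.exe", "csrss.exe", "services.exe"}


def image_path(cmdline):
    """First executable on the command line, quoted or not (paths may contain spaces)."""
    m = re.match(r"'?(.+?\.exe)'?", cmdline, re.IGNORECASE)
    return m.group(1) if m else cmdline.split()[0]


def parse_tree(text):
    """Turn the indented bullet list into node dicts; indentation decides the parent."""
    nodes, stack = [], []  # stack holds (depth, node) for the current branch
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m["indent"]) // 2
        node = {"pid": int(m["pid"]), "image": m["image"], "path": image_path(m["cmd"]),
                "cmd": m["cmd"], "md5": m["md5"].upper(), "parent": None}
        while stack and stack[-1][0] >= depth:
            stack.pop()
        node["parent"] = stack[-1][1] if stack else None
        stack.append((depth, node))
        nodes.append(node)
    return nodes


def sample_copies(nodes, sample_md5, original_path):
    """Paths from which the same binary (by MD5) was executed again: the persistence copies."""
    return sorted({n["path"] for n in nodes
                   if n["md5"] == sample_md5.upper() and n["path"].lower() != original_path.lower()})


def masquerading_system_binaries(nodes):
    """Processes carrying a Windows system binary name but running outside System32/SysWOW64."""
    return [(n["pid"], n["path"]) for n in nodes
            if n["image"].lower() in SYSTEM_NAMES and not n["path"].lower().startswith(SYSTEM_DIRS)]


def defender_exclusions(nodes):
    """Exclusion path -> PIDs of the powershell.exe instances that added it."""
    found = {}
    for n in nodes:
        m = EXCLUSION_RE.search(n["cmd"])
        if m:
            found.setdefault(m.group(1), []).append(n["pid"])
    return found


def reused_pids(nodes):
    """PIDs the tree lists under two different image names: parent attribution is ambiguous there."""
    seen = defaultdict(set)
    for n in nodes:
        seen[n["pid"]].add(n["image"])
    return {pid: sorted(imgs) for pid, imgs in seen.items() if len(imgs) > 1}


def remediation_commands(nodes, sample_md5, original_path):
    """PowerShell lines to undo what the tree shows: drop the exclusions, delete the copies."""
    cmds = [f"Remove-MpPreference -ExclusionPath '{p}'" for p in sorted(defender_exclusions(nodes))]
    cmds += [f"Remove-Item -LiteralPath '{p}' -Force" for p in sample_copies(nodes, sample_md5, original_path)]
    return cmds


if __name__ == "__main__":
    tree = parse_tree(TREE)
    print("sample copies:", sample_copies(tree, SAMPLE_MD5, ORIGINAL_PATH))
    print("masquerading:", masquerading_system_binaries(tree))
    print("exclusions:", defender_exclusions(tree))
    print("reused PIDs:", reused_pids(tree))
    print("\n".join(remediation_commands(tree, SAMPLE_MD5, ORIGINAL_PATH)))
```

The reused-PID check matters for this report: PID 6628 appears both as conhost.exe under powershell.exe 6640 and as AdvancedRun.exe under the dropped svchost.exe 7036, and the AdvancedRun.exe 6660 that the tree hangs under the conhost is launched with `/SpecialRun 4101d8 6628`, the same pattern as the other `/SpecialRun` children, whose last argument is the PID of the AdvancedRun.exe that spawned them. Treat the conhost parent as a PID-reuse artefact until a process GUID or start time confirms it.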

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.484145401.0000000004726000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.484145401.0000000004726000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000001.00000002.485161899.000000000479E000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.485161899.000000000479E000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0000001E.00000003.555361080.0000000004C44000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
(18 entries in total; 5 shown)

            Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.wid3i48Egy.exe.406fd50.5.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
1.2.wid3i48Egy.exe.406fd50.5.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
1.2.wid3i48Egy.exe.473eb18.13.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.wid3i48Egy.exe.473eb18.13.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
1.2.wid3i48Egy.exe.475eb38.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(27 entries in total; 5 shown)

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started | Author: David Burkett | Data: Command: C:\Program Files\Common Files\System\7957F23F\svchost.exe, CommandLine: C:\Program Files\Common Files\System\7957F23F\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Program Files\Common Files\system\7957F23F\svchost.exe, NewProcessName: C:\Program Files\Common Files\system\7957F23F\svchost.exe, OriginalFileName: C:\Program Files\Common Files\system\7957F23F\svchost.exe, ParentCommandLine: 'C:\Program Files\Common Files\System\7957F23F\svchost.exe' , ParentImage: C:\Program Files\Common Files\system\7957F23F\svchost.exe, ParentProcessId: 7036, ProcessCommandLine: C:\Program Files\Common Files\System\7957F23F\svchost.exe, ProcessId: 6248
Sigma detected: System File Execution Location Anomaly
Source: Process started | Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community | Data: Command: C:\Program Files\Common Files\System\7957F23F\svchost.exe, CommandLine: C:\Program Files\Common Files\System\7957F23F\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Program Files\Common Files\system\7957F23F\svchost.exe, NewProcessName: C:\Program Files\Common Files\system\7957F23F\svchost.exe, OriginalFileName: C:\Program Files\Common Files\system\7957F23F\svchost.exe, ParentCommandLine: 'C:\Program Files\Common Files\System\7957F23F\svchost.exe' , ParentImage: C:\Program Files\Common Files\system\7957F23F\svchost.exe, ParentProcessId: 7036, ProcessCommandLine: C:\Program Files\Common Files\System\7957F23F\svchost.exe, ProcessId: 6248
Sigma detected: Powershell Defender Exclusion
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wid3i48Egy.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wid3i48Egy.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\wid3i48Egy.exe' , ParentImage: C:\Users\user\Desktop\wid3i48Egy.exe, ParentProcessId: 4808, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wid3i48Egy.exe' -Force, ProcessId: 6640
Sigma detected: Conhost Parent Process Executions
Source: Process started | Author: omkar72 | Data: Command: 'C:\Users\user\AppData\Local\Temp\a9800ad9-c2cc-4c67-8ff4-d2bc72b8dec6\AdvancedRun.exe' /SpecialRun 4101d8 6628, CommandLine: 'C:\Users\user\AppData\Local\Temp\a9800ad9-c2cc-4c67-8ff4-d2bc72b8dec6\AdvancedRun.exe' /SpecialRun 4101d8 6628, CommandLine|base64offset|contains: *^r&F, Image: C:\Users\user\AppData\Local\Temp\a9800ad9-c2cc-4c67-8ff4-d2bc72b8dec6\AdvancedRun.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\a9800ad9-c2cc-4c67-8ff4-d2bc72b8dec6\AdvancedRun.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\a9800ad9-c2cc-4c67-8ff4-d2bc72b8dec6\AdvancedRun.exe, ParentCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 6628, ProcessCommandLine: 'C:\Users\user\AppData\Local\Temp\a9800ad9-c2cc-4c67-8ff4-d2bc72b8dec6\AdvancedRun.exe' /SpecialRun 4101d8 6628, ProcessId: 6660
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wid3i48Egy.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wid3i48Egy.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\wid3i48Egy.exe' , ParentImage: C:\Users\user\Desktop\wid3i48Egy.exe, ParentProcessId: 4808, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wid3i48Egy.exe' -Force, ProcessId: 6640
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started | Author: vburov | Data: Command: C:\Program Files\Common Files\System\7957F23F\svchost.exe, CommandLine: C:\Program Files\Common Files\System\7957F23F\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Program Files\Common Files\system\7957F23F\svchost.exe, NewProcessName: C:\Program Files\Common Files\system\7957F23F\svchost.exe, OriginalFileName: C:\Program Files\Common Files\system\7957F23F\svchost.exe, ParentCommandLine: 'C:\Program Files\Common Files\System\7957F23F\svchost.exe' , ParentImage: C:\Program Files\Common Files\system\7957F23F\svchost.exe, ParentProcessId: 7036, ProcessCommandLine: C:\Program Files\Common Files\System\7957F23F\svchost.exe, ProcessId: 6248
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132762178273791528.6640.DefaultAppDomain.powershell

Malware Analysis System Evasion:

Sigma detected: Powershell adding suspicious path to exclusion list
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\wid3i48Egy.exe' , ParentImage: C:\Users\user\Desktop\wid3i48Egy.exe, ParentProcessId: 4808, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe' -Force, ProcessId: 6908
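Each Sigma hit above is printed as one flattened "Key: value, Key: value" record of the process-start event that matched. The script below is an added example, not Joe Sandbox's or the Sigma project's code: it parses constructed records in that layout (drawn from the hits above, plus one benign svchost.exe start whose services.exe parent and ParentProcessId 600 are assumed) and evaluates simplified conditions modelled on three of the rule names, not the published rules' exact logic, so that one can see which record trips which rule and that a legitimate System32 svchost.exe trips none.

```python
"""Evaluate simplified Sigma-style conditions over flattened process-start records (added example)."""
import re

# Constructed records in the report's "Key: value, Key: value" layout. The last one is a benign
# control; its services.exe parent and ParentProcessId 600 are assumptions, not taken from the report.
RECORDS = [
    r"Command: C:\Program Files\Common Files\System\7957F23F\svchost.exe, CommandLine: C:\Program Files\Common Files\System\7957F23F\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Program Files\Common Files\system\7957F23F\svchost.exe, NewProcessName: C:\Program Files\Common Files\system\7957F23F\svchost.exe, OriginalFileName: C:\Program Files\Common Files\system\7957F23F\svchost.exe, ParentCommandLine: 'C:\Program Files\Common Files\System\7957F23F\svchost.exe' , ParentImage: C:\Program Files\Common Files\system\7957F23F\svchost.exe, ParentProcessId: 7036, ProcessCommandLine: C:\Program Files\Common Files\System\7957F23F\svchost.exe, ProcessId: 6248",
    r"Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wid3i48Egy.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wid3i48Egy.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\wid3i48Egy.exe' , ParentImage: C:\Users\user\Desktop\wid3i48Egy.exe, ParentProcessId: 4808, ProcessId: 6640",
    r"Command: 'C:\Users\user\AppData\Local\Temp\a9800ad9-c2cc-4c67-8ff4-d2bc72b8dec6\AdvancedRun.exe' /SpecialRun 4101d8 6628, CommandLine: 'C:\Users\user\AppData\Local\Temp\a9800ad9-c2cc-4c67-8ff4-d2bc72b8dec6\AdvancedRun.exe' /SpecialRun 4101d8 6628, CommandLine|base64offset|contains: *^r&F, Image: C:\Users\user\AppData\Local\Temp\a9800ad9-c2cc-4c67-8ff4-d2bc72b8dec6\AdvancedRun.exe, ParentCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 6628, ProcessId: 6660",
    r"Command: C:\Windows\System32\svchost.exe -k netsvcs -p, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\services.exe, ParentImage: C:\Windows\System32\services.exe, ParentProcessId: 600, ProcessId: 6136",
]

# Known field names; longest first so "CommandLine|base64offset|contains" wins over "CommandLine" over "Command".
KEYS = sorted(["Command", "CommandLine", "CommandLine|base64offset|contains", "Image", "NewProcessName",
               "OriginalFileName", "ParentCommandLine", "ParentImage", "ParentProcessId",
               "ProcessCommandLine", "ProcessId"], key=len, reverse=True)
KEY_RE = re.compile(r"(?:^|, )(" + "|".join(re.escape(k) for k in KEYS) + r"): ")

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "conhost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}


def parse_record(text):
    """Split on known key names rather than on commas, so values containing commas survive."""
    fields = {}
    matches = list(KEY_RE.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        fields[m.group(1)] = text[m.end():end].strip()
    return fields


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_system_file_location_anomaly(ev):
    """A system-binary name executing from outside the system directories (simplified)."""
    image = ev.get("Image", "")
    return basename(image) in SYSTEM_NAMES and not image.lower().startswith(SYSTEM_DIRS)


def rule_powershell_defender_exclusion(ev):
    """powershell.exe adding a Defender exclusion (simplified)."""
    cmdline = ev.get("CommandLine", "").lower()
    return basename(ev.get("Image", "")) == "powershell.exe" and "add-mppreference" in cmdline \
        and "-exclusionpath" in cmdline


def rule_conhost_parent(ev):
    """Any process whose recorded parent is conhost.exe (simplified)."""
    return basename(ev.get("ParentImage", "")) == "conhost.exe"


RULES = {
    "System File Execution Location Anomaly": rule_system_file_location_anomaly,
    "Powershell Defender Exclusion": rule_powershell_defender_exclusion,
    "Conhost Parent Process Executions": rule_conhost_parent,
}


def evaluate(records):
    """Return (ProcessId, [matched rule names]) for every record."""
    results = []
    for text in records:
        ev = parse_record(text)
        results.append((ev.get("ProcessId"), [name for name, fn in RULES.items() if fn(ev)]))
    return results


if __name__ == "__main__":
    for pid, matched in evaluate(RECORDS):
        print(pid, matched or "-")
```

The conhost rule is the one to treat with care on this page: it keys purely on ParentProcessId, and PID 6628 is listed in the process tree both as conhost.exe and as an AdvancedRun.exe instance under the dropped svchost.exe 7036. Before acting on such a hit, correlate by a parent process GUID or by parent start time (Sysmon records ParentProcessGuid for exactly this reason) rather than by PID alone.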

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: wid3i48Egy.exe | Virustotal: Detection: 57%
Source: wid3i48Egy.exe | Metadefender: Detection: 25%
Source: wid3i48Egy.exe | ReversingLabs: Detection: 57%
Multi AV Scanner detection for dropped file
Source: C:\Program Files\Common Files\system\7957F23F\svchost.exe | Virustotal: Detection: 57%
Source: C:\Program Files\Common Files\system\7957F23F\svchost.exe | Metadefender: Detection: 25%
Source: C:\Program Files\Common Files\system\7957F23F\svchost.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe | Metadefender: Detection: 25%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe | ReversingLabs: Detection: 57%

Exploits:

Yara detected UAC Bypass using CMSTP
Source: Yara match | File source: 1.2.wid3i48Egy.exe.406fd50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.wid3i48Egy.exe.459c6b0.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.wid3i48Egy.exe.5730000.17.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.wid3i48Egy.exe.459c6b0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.3.svchost.exe.4c44bf0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.wid3i48Egy.exe.461c6d0.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.wid3i48Egy.exe.455c690.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.wid3i48Egy.exe.461c6d0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.wid3i48Egy.exe.406fd50.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.wid3i48Egy.exe.5730000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.3.svchost.exe.4c44bf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001E.00000003.555361080.0000000004C44000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.472144141.0000000004008000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.493279375.0000000005730000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.470096350.0000000005250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.481882560.000000000461C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.478555038.00000000044F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wid3i48Egy.exe PID: 4808, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7036, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: WerFault.exe PID: 384, type: MEMORYSTR