Windows Analysis Report VknMvPoCXZ

Overview

General Information

Sample Name: VknMvPoCXZ (renamed file extension from none to exe)
Analysis ID: 483863
MD5: 0cecfa83ee6ea6dd1de38462bbedf15c
SHA1: de4dde34707658d98f50de8cf2a182bf7ded2a45
SHA256: a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2
Tags: AfiaWaveEnterprisesOy, AgentTesla, exe, signed
Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Sigma detected: Powershell adding suspicious path to exclusion list
Drops PE files to the startup folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Drops PE files with benign system names
Creates an autostart registry key pointing to binary in C:\Windows
Writes to foreign memory regions
Changes security center settings (notifications, updates, antivirus, firewall)
Sigma detected: Powershell Defender Exclusion
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Too many similar processes found
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Creates a start menu entry (Start Menu\Programs\Startup)
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Creates files inside the system directory
Found potential string decryption / allocating functions
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to launch a program with higher privileges
Contains capabilities to detect virtual machines
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • VknMvPoCXZ.exe (PID: 2244 cmdline: 'C:\Users\user\Desktop\VknMvPoCXZ.exe' MD5: 0CECFA83EE6EA6DD1DE38462BBEDF15C)
    • AdvancedRun.exe (PID: 3336 cmdline: 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 5908 cmdline: 'C:\Users\user\AppData\Local\Temp\f83f9cf5-aecc-448e-9e82-875f5c76499f\AdvancedRun.exe' /SpecialRun 4101d8 3336 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 2968 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2196 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5456 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1036 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6288 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 481F404B.exe (PID: 6392 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' MD5: 0CECFA83EE6EA6DD1DE38462BBEDF15C)
      • AdvancedRun.exe (PID: 6644 cmdline: 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
        • AdvancedRun.exe (PID: 6204 cmdline: 'C:\Users\user\AppData\Local\Temp\d3617b11-5ec7-4976-90b8-7ee0bce6869f\AdvancedRun.exe' /SpecialRun 4101d8 6644 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • powershell.exe (PID: 6784 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 7008 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6812 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 4308 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 4988 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 1284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6748 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6804 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6828 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • aspnet_compiler.exe (PID: 6872 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
    • WerFault.exe (PID: 3880 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 2328 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 3756 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4132 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5888 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6048 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4928 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4736 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 736 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 5264 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • 481F404B.exe (PID: 6852 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' MD5: 0CECFA83EE6EA6DD1DE38462BBEDF15C)
    • AdvancedRun.exe (PID: 6512 cmdline: 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 3152 cmdline: 'C:\Users\user\AppData\Local\Temp\0c0a829c-b011-4032-9ed5-9caa96b4c6d3\AdvancedRun.exe' /SpecialRun 4101d8 6512 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 6992 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5952 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4776 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2256 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5004 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6952 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 2036 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2244 -ip 2244 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5900 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2244 -ip 2244 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 5532 cmdline: 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' MD5: 0CECFA83EE6EA6DD1DE38462BBEDF15C)
    • AdvancedRun.exe (PID: 6820 cmdline: 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 6692 cmdline: 'C:\Users\user\AppData\Local\Temp\ce8a02e5-a5a2-4145-9112-744934cbc98c\AdvancedRun.exe' /SpecialRun 4101d8 6820 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 7112 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2896 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6152 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7132 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6496 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 4496 cmdline: 'C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe' MD5: 0CECFA83EE6EA6DD1DE38462BBEDF15C)
    • AdvancedRun.exe (PID: 6932 cmdline: 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\b4116074-3d60-4dc8-8710-9dcf62ffe1cd\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
  • svchost.exe (PID: 6876 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5892 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000001.00000000.505833995.0000000006BD0000.00000004.00020000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000001.00000000.384861016.0000000006BD0000.00000004.00020000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000001.00000000.384861016.0000000006BD0000.00000004.00020000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000001.00000002.588060641.00000000038A1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(53 entries in total)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.0.VknMvPoCXZ.exe.38d97c0.25.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.0.VknMvPoCXZ.exe.38d97c0.25.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
1.0.VknMvPoCXZ.exe.39197e0.9.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.0.VknMvPoCXZ.exe.39197e0.9.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
1.0.VknMvPoCXZ.exe.38d97c0.25.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(99 entries in total)

Sigma Overview

System Summary:

Sigma detected: Powershell Defender Exclusion
  • Source: Process started
  • Author: Florian Roth
  • Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\VknMvPoCXZ.exe', ParentImage: C:\Users\user\Desktop\VknMvPoCXZ.exe, ParentProcessId: 2244, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force, ProcessId: 2968
Sigma detected: Non Interactive PowerShell
  • Source: Process started
  • Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  • Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\VknMvPoCXZ.exe', ParentImage: C:\Users\user\Desktop\VknMvPoCXZ.exe, ParentProcessId: 2244, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VknMvPoCXZ.exe' -Force, ProcessId: 2968
Sigma detected: T1086 PowerShell Execution
  • Source: Pipe created
  • Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
  • Data: PipeName: \PSHost.132762180470220038.2968.DefaultAppDomain.powershell

Malware Analysis System Evasion:

Sigma detected: Powershell adding suspicious path to exclusion list
  • Source: Process started
  • Author: Joe Security
  • Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\VknMvPoCXZ.exe', ParentImage: C:\Users\user\Desktop\VknMvPoCXZ.exe, ParentProcessId: 2244, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe' -Force, ProcessId: 5456

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
  • Source: VknMvPoCXZ.exe; Virustotal: Detection: 47%
  • Source: VknMvPoCXZ.exe; ReversingLabs: Detection: 44%
Multi AV Scanner detection for dropped file
  • Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe; ReversingLabs: Detection: 44%
  • Source: C:\Windows\Resources\Themes\aero\shell\4B6A7152\svchost.exe; ReversingLabs: Detection: 44%

Exploits:

Yara detected UAC Bypass using CMSTP
  • Source: Yara match; File source: Process Memory Space: VknMvPoCXZ.exe PID: 2244, type: MEMORYSTR
  • Source: Yara match; File source: Process Memory Space: 481F404B.exe PID: 6392, type: MEMORYSTR
  • Source: Yara match; File source: Process Memory Space: svchost.exe PID: 5532, type: MEMORYSTR
  • Source: Yara match; File source: Process Memory Space: svchost.exe PID: 4496, type: MEMORYSTR