
Windows Analysis Report

Overview

General Information

Analysis ID: 488262

Most interesting Screenshot:

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Obfuscated command line found
Sample execution stops while process was sleeping (likely an evasion)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • cmd.exe (PID: 7128 cmdline: cmd /C 'cmd.exe /S /V:ON /C \'echo off&set d=C:\\Program\' Files\\MySQL\\MySQL Server 8.0\'&FOR /f skip=1 %s in ('wmic service where ^'pathname like %!d:\\=\\\\!%^' get name ^| findstr /r ^.$') do ((for /L %k IN (1,1,20) do wmic service where 'name=%s and started=true' call stopservice | FIND /v \'No Instance>NUL&&timeout\' /t 5 /nobreak>NUL)&sc delete %s>NUL)'' MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 1380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 2908 cmdline: cmd.exe /S /V:ON /C \'echo off&set d=C:\\Program\' Files\\MySQL\\MySQL Server 8.0\'&FOR /f skip=1 %s in ('wmic service where ^'pathname like %!d:\\=\\\\!%^' get name ^| findstr /r ^.$') do ((for /L %k IN (1,1,20) do wmic service where 'name=%s and started=true' call stopservice | FIND /v \'No Instance MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1380:120:WilError_01
Source: classification engine | Classification label: sus22.win@4/0@0/0
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /C 'cmd.exe /S /V:ON /C \'echo off&set d=C:\\Program\' Files\\MySQL\\MySQL Server 8.0\'&FOR /f skip=1 %s in ('wmic service where ^'pathname like %!d:\\=\\\\!%^' get name ^| findstr /r ^.$') do ((for /L %k IN (1,1,20) do wmic service where 'name=%s and started=true' call stopservice | FIND /v \'No Instance>NUL&&timeout\' /t 5 /nobreak>NUL)&sc delete %s>NUL)''
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /S /V:ON /C \'echo off&set d=C:\\Program\' Files\\MySQL\\MySQL Server 8.0\'&FOR /f skip=1 %s in ('wmic service where ^'pathname like %!d:\\=\\\\!%^' get name ^| findstr /r ^.$') do ((for /L %k IN (1,1,20) do wmic service where 'name=%s and started=true' call stopservice | FIND /v \'No Instance
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /S /V:ON /C \'echo off&set d=C:\\Program\' Files\\MySQL\\MySQL Server 8.0\'&FOR /f skip=1 %s in ('wmic service where ^'pathname like %!d:\\=\\\\!%^' get name ^| findstr /r ^.$') do ((for /L %k IN (1,1,20) do wmic service where 'name=%s and started=true' call stopservice | FIND /v \'No Instance

Data Obfuscation:

Obfuscated command line found
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /C 'cmd.exe /S /V:ON /C \'echo off&set d=C:\\Program\' Files\\MySQL\\MySQL Server 8.0\'&FOR /f skip=1 %s in ('wmic service where ^'pathname like %!d:\\=\\\\!%^' get name ^| findstr /r ^.$') do ((for /L %k IN (1,1,20) do wmic service where 'name=%s and started=true' call stopservice | FIND /v \'No Instance>NUL&&timeout\' /t 5 /nobreak>NUL)&sc delete %s>NUL)''
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /S /V:ON /C \'echo off&set d=C:\\Program\' Files\\MySQL\\MySQL Server 8.0\'&FOR /f skip=1 %s in ('wmic service where ^'pathname like %!d:\\=\\\\!%^' get name ^| findstr /r ^.$') do ((for /L %k IN (1,1,20) do wmic service where 'name=%s and started=true' call stopservice | FIND /v \'No Instance
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /S /V:ON /C \'echo off&set d=C:\\Program\' Files\\MySQL\\MySQL Server 8.0\'&FOR /f skip=1 %s in ('wmic service where ^'pathname like %!d:\\=\\\\!%^' get name ^| findstr /r ^.$') do ((for /L %k IN (1,1,20) do wmic service where 'name=%s and started=true' call stopservice | FIND /v \'No Instance
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts
Execution: Command and Scripting Interpreter 11; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Process Injection 11; Boot or Logon Initialization Scripts
Defense Evasion: Process Injection 11; Deobfuscate/Decode Files or Information 1
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: System Service Discovery; Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Behavior Graph

Behavior Graph ID: 488262
Cookbook: defaultwindowscmdlinecookbook.jbs
Startdate: 22/09/2021
Architecture: WINDOWS
Score: 22

Graph nodes (text recovered from the behavior graph image):

  • Start node, signature: Obfuscated command line found
    • cmd.exe (started), signature: Obfuscated command line found
      • conhost.exe (started)
      • cmd.exe (started)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.