Play interactive tourEdit tour
Windows Analysis Report Credit Card and ID.ppam
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Sigma detected: Suspicious MSHTA Process Patterns
Writes or reads registry keys via WMI
Bypasses PowerShell execution policy
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Microsoft Office Product Spawning Windows Shell
Creates processes via WMI
Sigma detected: MSHTA Spawning Windows Shell
Creates autostart registry keys with suspicious values (likely registry only malware)
Sigma detected: Mshta Spawning Windows Shell
Writes registry values via WMI
Document exploit detected (process start blacklist hit)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Stores large binary data to the registry
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
Creates a window with clipboard capturing capabilities
Connects to a URL shortener service
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
Classification
Process Tree |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth |
| |
PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth |
| |
PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth |
| |
PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth |
| |
PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth |
| |
Click to see the 14 entries |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Suspicious MSHTA Process Patterns | Show sources |
Source: | Author: Florian Roth: |
Sigma detected: Change PowerShell Policies to a Unsecure Level | Show sources |
Source: | Author: frack113: |
Sigma detected: Microsoft Office Product Spawning Windows Shell | Show sources |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |
Sigma detected: MSHTA Spawning Windows Shell | Show sources |
Source: | Author: Michael Haag: |
Sigma detected: Mshta Spawning Windows Shell | Show sources |
Source: | Author: Florian Roth: |
Sigma detected: Non Interactive PowerShell | Show sources |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
Jbx Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link |
Antivirus detection for dropped file | Show sources |
Source: | Avira: |
Source: | File opened: | Jump to behavior |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Software Vulnerabilities: |
---|
Document exploit detected (process start blacklist hit) | Show sources |
Source: | Process created: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Networking: |
---|
Uses dynamic DNS services | Show sources |
Source: | DNS query: |
Source: | JA3 fingerprint: | ||
Source: | JA3 fingerprint: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | DNS query: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTP traffic detected: |