
Windows Analysis Report #NEW ORDER FOR JANUARY 2022.exe

Overview

General Information

Sample Name: #NEW ORDER FOR JANUARY 2022.exe
Analysis ID: 553020
MD5: 8b974d65bf7e334d75f57027821ac628
SHA1: f3ccc2d15a771715e6653d470f955f7095e3cd17
SHA256: c2628acd6b807facd37a0b0db1068f80fa2c87702d6a687445a9ec1dc3bc2421
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Contains functionality to hide user accounts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Adds a new user with administrator rights
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large array initializations
Sigma detected: Hurricane Panda Activity
Adds a directory exclusion to Windows Defender
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Drops PE files with benign system names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Sigma detected: Net.exe User Account Creation
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • #NEW ORDER FOR JANUARY 2022.exe (PID: 6588 cmdline: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" MD5: 8B974D65BF7E334D75F57027821AC628)
    • powershell.exe (PID: 6684 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • net.exe (PID: 3604 cmdline: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add MD5: DD0561156F62BC1958CE0E370B23711B)
      • conhost.exe (PID: 4780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • net1.exe (PID: 5692 cmdline: C:\Windows\system32\net1 user ADMIN~1 SECRET@1234 /add MD5: B5A26C2BF17222E86B91D26F1247AF3E)
        • conhost.exe (PID: 5568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • net.exe (PID: 5664 cmdline: "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add MD5: DD0561156F62BC1958CE0E370B23711B)
      • conhost.exe (PID: 5956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • net1.exe (PID: 5344 cmdline: C:\Windows\system32\net1 localgroup administrators ADMIN~1 /add MD5: B5A26C2BF17222E86B91D26F1247AF3E)
    • net.exe (PID: 6868 cmdline: "C:\Windows\system32\net.exe" localgroup users "user" /add MD5: DD0561156F62BC1958CE0E370B23711B)
      • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • net1.exe (PID: 4864 cmdline: C:\Windows\system32\net1 localgroup users "user" /add MD5: B5A26C2BF17222E86B91D26F1247AF3E)
    • net.exe (PID: 6908 cmdline: "C:\Windows\system32\net.exe" localgroup administrators "user" /del MD5: DD0561156F62BC1958CE0E370B23711B)
      • conhost.exe (PID: 2628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • net1.exe (PID: 7040 cmdline: C:\Windows\system32\net1 localgroup administrators "user" /del MD5: B5A26C2BF17222E86B91D26F1247AF3E)
    • schtasks.exe (PID: 6240 cmdline: "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7056 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7060 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1472 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ComSvcConfig.exe (PID: 4564 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe MD5: 2778AE0EB674B74FF8028BF4E51F1DF5)
    • aspnet_regbrowsers.exe (PID: 7068 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe MD5: B490A24A9328FD89155F075FA26C0DEC)
  • svchost.exe (PID: 7136 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4876 cmdline: "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" MD5: 8B974D65BF7E334D75F57027821AC628)
    • powershell.exe (PID: 6008 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • aspnet_regbrowsers.exe (PID: 4588 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe MD5: B490A24A9328FD89155F075FA26C0DEC)
  • svchost.exe (PID: 1004 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6712 cmdline: "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" MD5: 8B974D65BF7E334D75F57027821AC628)
    • powershell.exe (PID: 6996 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AddInProcess32.exe (PID: 5200 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
    • ilasm.exe (PID: 6684 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe MD5: 432EAF71554C788169F9E8258BB9FF60)
    • AddInProcess32.exe (PID: 6748 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
  • #NEW ORDER FOR JANUARY 2022.exe (PID: 5684 cmdline: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" MD5: 8B974D65BF7E334D75F57027821AC628)
    • powershell.exe (PID: 6240 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • jsc.exe (PID: 6512 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe MD5: 2B40A449D6034F41771A460DADD53A60)
  • svchost.exe (PID: 6916 cmdline: "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" MD5: 8B974D65BF7E334D75F57027821AC628)
    • powershell.exe (PID: 1424 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • CasPol.exe (PID: 5344 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
  • svchost.exe (PID: 6728 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6852 cmdline: "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" MD5: 8B974D65BF7E334D75F57027821AC628)
    • powershell.exe (PID: 5692 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • RegSvcs.exe (PID: 4204 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • svchost.exe (PID: 6728 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 0000003B.00000000.888165359.0000000000402000.00000040.00000001.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0000003B.00000000.888165359.0000000000402000.00000040.00000001.sdmp; Rule: JoeSecurity_AgentTesla_2; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0000001F.00000000.710933564.0000000000402000.00000040.00000001.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0000001F.00000000.710933564.0000000000402000.00000040.00000001.sdmp; Rule: JoeSecurity_AgentTesla_2; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000025.00000000.745218195.0000000000402000.00000040.00000001.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
(156 entries in total; first five shown)

Unpacked PEs

Source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.42c5920.2.raw.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0.2.#NEW ORDER FOR JANUARY 2022.exe.42c5920.2.raw.unpack; Rule: JoeSecurity_AgentTesla_2; Description: Yara detected AgentTesla; Author: Joe Security
Source: 32.2.svchost.exe.470db20.2.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 32.2.svchost.exe.470db20.2.unpack; Rule: JoeSecurity_AgentTesla_2; Description: Yara detected AgentTesla; Author: Joe Security
Source: 31.0.aspnet_regbrowsers.exe.400000.1.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
(73 entries in total; first five shown)

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" , ParentImage: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, ParentProcessId: 6852, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4204
Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" , ParentImage: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe, ParentProcessId: 6588, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force, ProcessId: 6684
Sigma detected: Hurricane Panda Activity
Source: Process started; Author: Florian Roth; Data: Command: "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add, CommandLine: "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" , ParentImage: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe, ParentProcessId: 6588, ProcessCommandLine: "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add, ProcessId: 5664
Sigma detected: Net.exe User Account Creation
Source: Process started; Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community); Data: Command: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add, CommandLine: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" , ParentImage: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe, ParentProcessId: 6588, ProcessCommandLine: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add, ProcessId: 3604
Sigma detected: Net.exe Execution
Source: Process started; Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements); Data: Command: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add, CommandLine: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" , ParentImage: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe, ParentProcessId: 6588, ProcessCommandLine: "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add, ProcessId: 3604
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe" , ParentImage: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe, ParentProcessId: 6852, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4204
Sigma detected: Group Modification Logging
Source: Event Logs; Author: Alexandr Yampolskyi, SOC Prime; Data: EventID: 4728, Source: Microsoft-Windows-Security-Auditing, data 0: -, data 1: S-1-5-21-3853321935-2125563209-4053062332-1003, data 2: None, data 3: computer, data 4: S-1-5-21-3853321935-2125563209-4053062332-513, data 5: S-1-5-21-3853321935-2125563209-4053062332-1002, data 6: user, data 7: computer, data 8: 0x2005f, data 9: -
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" , ParentImage: C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe, ParentProcessId: 6588, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#NEW ORDER FOR JANUARY 2022.exe" -Force, ProcessId: 6684
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132866083503977576.6684.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: #NEW ORDER FOR JANUARY 2022.exe; ReversingLabs: Detection: 18%
Multi AV Scanner detection for dropped file
Source: C:\Windows\Microsoft.NET\Framework\BABEDAFADDBCFEAAEFCDFCDE\svchost.exe; ReversingLabs: Detection: 18%
Source: 37.2.aspnet_regbrowsers.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.0.aspnet_regbrowsers.exe.400000.4.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.0.aspnet_regbrowsers.exe.400000.1.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.0.aspnet_regbrowsers.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 37.0.aspnet_regbrowsers.exe.400000.2.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.0.aspnet_regbrowsers.exe.400000.2.unpack; Avira: Label: TR/Spy.Gen8
Source: 37.0.aspnet_regbrowsers.exe.400000.3.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.0.aspnet_regbrowsers.exe.400000.3.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.2.aspnet_regbrowsers.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 37.0.aspnet_regbrowsers.exe.400000.1.unpack; Avira: Label: TR/Spy.Gen8
Source: 37.0.aspnet_regbrowsers.exe.400000.4.unpack; Avira: Label: TR/Spy.Gen8
Source: 37.0.aspnet_regbrowsers.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8

                      Exploits:

Yara detected UAC Bypass using CMSTP
Source: #NEW ORDER FOR JANUARY 2022.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: #NEW ORDER FOR JANUARY 2022.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: aspnet_regbrowsers.pdbp source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.730764637.00000000036ED000.00000004.00000001.sdmp
                      Source: Binary string: aspnet_regbrowsers.pdbp??? |?_CorExeMainmscoree.dll?% @ source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.779987071.000000000474D000.00000004.00000001.sdmp
                      Source: Binary string: ???Oy??.pdbError: CoCreateInstance(IID_ISymUnmanagedWriter) returns %X source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp
                      Source: Binary string: ComSvcConfig.pdb?x source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp
                      Source: Binary string: aspnet_regbrowsers.pdb source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.730764637.00000000036ED000.00000004.00000001.sdmp
                      Source: Binary string: ilasm.pdb source: svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp
                      Source: Binary string: E:\A\_work\940\s\obj\Editor\IntellisenseDef\Release\net472\Microsoft.VisualStudio.Language.Intellisense.pdb source: svchost.exe, svchost.exe, 00000024.00000002.828856160.00000000047BC000.00000004.00000001.sdmp
                      Source: Binary string: ComSvcConfig.pdb source: #NEW ORDER FOR JANUARY 2022.exe, 00000000.00000002.734755598.0000000004305000.00000004.00000001.sdmp

                      Networking:

                      Uses