Windows
Analysis Report
https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip
Overview
General Information
Detection
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
DLL side loading technique detected
Sigma detected: Suspicious Call by Ordinal
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Found large amount of non-executed APIs
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64native
- cmd.exe (PID: 4880, cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip" > cmdline.out 2>&1, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 4152, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- wget.exe (PID: 3076, cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip", MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
- 7za.exe (PID: 2648, cmdline: 7za x -y -pinfected -o"C:\Users\user\Desktop\extract" "C:\Users\user\Desktop\download\ComparePlugin_v2.0.2_X64.zip", MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
- conhost.exe (PID: 6164, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- loaddll64.exe (PID: 7556, cmdline: loaddll64.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll", MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
- cmd.exe (PID: 1604, cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",#1, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- rundll32.exe (PID: 1224, cmdline: rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",#1, MD5: EF3179D498793BF4234F708D3BE28633)
- WerFault.exe (PID: 3148, cmdline: C:\Windows\system32\WerFault.exe -u -p 1224 -s 432, MD5: 5C06542FED8EE68994D43938E7326D75)
- rundll32.exe (PID: 3196, cmdline: rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,beNotified, MD5: EF3179D498793BF4234F708D3BE28633)
- WerFault.exe (PID: 4104, cmdline: C:\Windows\system32\WerFault.exe -u -p 3196 -s 436, MD5: 5C06542FED8EE68994D43938E7326D75)
- rundll32.exe (PID: 3404, cmdline: rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,getFuncsArray, MD5: EF3179D498793BF4234F708D3BE28633)
- WerFault.exe (PID: 7720, cmdline: C:\Windows\system32\WerFault.exe -u -p 3404 -s 432, MD5: 5C06542FED8EE68994D43938E7326D75)
- rundll32.exe (PID: 4776, cmdline: rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,getName, MD5: EF3179D498793BF4234F708D3BE28633)
- rundll32.exe (PID: 372, cmdline: rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",beNotified, MD5: EF3179D498793BF4234F708D3BE28633)
- WerFault.exe (PID: 3148, cmdline: C:\Windows\system32\WerFault.exe -u -p 372 -s 428, MD5: 5C06542FED8EE68994D43938E7326D75)
- rundll32.exe (PID: 428, cmdline: rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",getFuncsArray, MD5: EF3179D498793BF4234F708D3BE28633)
- WerFault.exe (PID: 3344, cmdline: C:\Windows\system32\WerFault.exe -u -p 428 -s 424, MD5: 5C06542FED8EE68994D43938E7326D75)
- rundll32.exe (PID: 6664, cmdline: rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",getName, MD5: EF3179D498793BF4234F708D3BE28633)