Windows Analysis Report
https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip

Overview

General Information

Sample URL: https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip
Analysis ID: 597349

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

DLL side loading technique detected
Sigma detected: Suspicious Call by Ordinal
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Found large amount of non-executed APIs
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64native
  • cmd.exe (PID: 4880 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 4152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • wget.exe (PID: 3076 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • 7za.exe (PID: 2648 cmdline: 7za x -y -pinfected -o"C:\Users\user\Desktop\extract" "C:\Users\user\Desktop\download\ComparePlugin_v2.0.2_X64.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
    • conhost.exe (PID: 6164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • loaddll64.exe (PID: 7556 cmdline: loaddll64.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 1604 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 1224 cmdline: rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • WerFault.exe (PID: 3148 cmdline: C:\Windows\system32\WerFault.exe -u -p 1224 -s 432 MD5: 5C06542FED8EE68994D43938E7326D75)
    • rundll32.exe (PID: 3196 cmdline: rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,beNotified MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 4104 cmdline: C:\Windows\system32\WerFault.exe -u -p 3196 -s 436 MD5: 5C06542FED8EE68994D43938E7326D75)
    • rundll32.exe (PID: 3404 cmdline: rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,getFuncsArray MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7720 cmdline: C:\Windows\system32\WerFault.exe -u -p 3404 -s 432 MD5: 5C06542FED8EE68994D43938E7326D75)
    • rundll32.exe (PID: 4776 cmdline: rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,getName MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 372 cmdline: rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",beNotified MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 3148 cmdline: C:\Windows\system32\WerFault.exe -u -p 372 -s 428 MD5: 5C06542FED8EE68994D43938E7326D75)
    • rundll32.exe (PID: 428 cmdline: rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",getFuncsArray MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 3344 cmdline: C:\Windows\system32\WerFault.exe -u -p 428 -s 424 MD5: 5C06542FED8EE68994D43938E7326D75)
    • rundll32.exe (PID: 6664 cmdline: rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",getName MD5: EF3179D498793BF4234F708D3BE28633)