Windows Analysis Report
cDouNOFXle.exe

Overview

General Information

Sample Name: cDouNOFXle.exe
Analysis ID: 679544
MD5: 54172888b473f2515b13fe1e2032a112
SHA1: fc4ff4d53a1ea6cfee9265840bfc1dda0ee8c1e6
SHA256: 05379ea4600304f51cffa8d1ee9e3b2931a69129f6bed14d45a500d966a71fca
Tags: DCRat, exe

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected DCRat
Creates processes via WMI
Machine Learning detection for sample
Machine Learning detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Uses schtasks.exe or at.exe to add and modify task schedules
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
File is packed with WinRar
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64
  • cDouNOFXle.exe (PID: 3632 cmdline: "C:\Users\user\Desktop\cDouNOFXle.exe" MD5: 54172888B473F2515B13FE1E2032A112)
    • wscript.exe (PID: 5792 cmdline: "C:\Windows\System32\WScript.exe" "C:\comproviderRuntimecommon\et1pu6VAlkUOY7GuC90A.vbe" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • cmd.exe (PID: 5824 cmdline: C:\Windows\system32\cmd.exe /c ""C:\comproviderRuntimecommon\DLLiR59GMmL352HHbgfc.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • chainsavesref.exe (PID: 3372 cmdline: C:\comproviderRuntimecommon\chainsavesref.exe MD5: 4EAF964B744BD6801B5122AE1AFBBDE4)
  • schtasks.exe (PID: 5100 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 2292 cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 5208 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 5296 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 1100 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhc" /sc ONLOGON /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 5284 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • MrsUvRPGeImAhc.exe (PID: 3432 cmdline: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe MD5: 4EAF964B744BD6801B5122AE1AFBBDE4)
  • schtasks.exe (PID: 3056 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 2232 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhc" /sc ONLOGON /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 6120 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 5800 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\winlogon.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 4592 cmdline: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • MrsUvRPGeImAhc.exe (PID: 2756 cmdline: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe MD5: 4EAF964B744BD6801B5122AE1AFBBDE4)