Windows Analysis Report
order_of_quotationpdf.exe
Overview
General Information
Detection
AveMaria, UACMe
| Score | Range | Whitelisted | Confidence |
| --- | --- | --- | --- |
| 100 | 0 - 100 | false | 100% |
Signatures
Snort IDS alert for network traffic
Malicious sample detected (through community Yara rule)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Initial sample is a PE file and has a suspicious name
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains functionality to check if Internet connection is working
Increases the number of concurrent connection per server for Internet Explorer
Contains functionality to hide user accounts
Contains functionality to steal e-mail passwords
Found evasive API chain checking for user administrative privileges
Yara detected Generic Downloader
Contains functionality to steal Chrome passwords or cookies
Creates an undocumented autostart registry key
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Found decision node followed by non-executed suspicious APIs
Contains functionality to create new users
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Stores files to the Windows start menu directory
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Contains functionality to download and execute PE files
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to shutdown / reboot the system
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Uses Microsoft's Enhanced Cryptographic Provider
Classification
- System is w10x64
- order_of_quotationpdf.exe (PID: 6752, cmdline: C:\Users\user\Desktop\order_of_quotationpdf.exe, MD5: 3A222BA5C055F7E201AE3A121FE9DB9A)
- powershell.exe (PID: 6804, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==, MD5: DBA3E6449E97D4E3DF64527EF7012A10)
- conhost.exe (PID: 7008, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- order_of_quotationpdf.exe (PID: 2956, cmdline: C:\Users\user\Desktop\order_of_quotationpdf.exe, MD5: 3A222BA5C055F7E201AE3A121FE9DB9A)
- cleanup