Windows
Analysis Report
http://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.zip
Overview
General Information
Detection
Score: | 6 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 60% |
Signatures
Queries the volume information (name, serial number etc) of a device
Installs a raw input device (often for capturing keystrokes)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality for reading data from the clipboard
Classification
Analysis Advice
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
- System is w10x64
- cmd.exe (PID: 6328 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.zip" > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- wget.exe (PID: 6444 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.zip" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
- 7za.exe (PID: 6760 cmdline: 7za x -y -pinfected -o"C:\Users\user\Desktop\extract" "C:\Users\user\Desktop\download\autoit-v3-setup.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
- conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- autoit-v3-setup.exe (PID: 6836 cmdline: "C:\Users\user\Desktop\extract\autoit-v3-setup.exe" MD5: FBA6E3E04B818496A4105D4D4003D348)
- Uninstall.exe (PID: 5792 cmdline: "C:\Program Files (x86)\AutoIt3\Uninstall.exe" /S _?=C:\Program Files (x86)\AutoIt3 MD5: 50817B58A180347905AB039C63828348)
- regsvr32.exe (PID: 6540 cmdline: C:\Windows\system32\regsvr32.exe" /s /u "C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3_x64.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
- regsvr32.exe (PID: 6556 cmdline: /s /u "C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3_x64.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched