Report #13394

Binary

DLL: False
Size: 21.30 KB
TrID: 61.7% Win64 Executable; 14.7% Win32 Dynamic Link Library; 10.0% Win32 Executable; 4.5% OS/2 Executable; 4.4% Generic Win/DOS Executable
Type: PE
Word size: 32
Subsystem: Windows CLI

TrID's leading guess (Win64) is a byte-pattern score and is contradicted by the PE header, which is PE32 (word size 32, matching the IsPE32 YARA rule); the header is authoritative. The file trace further down shows the 64-bit runtime directory (Framework64) being opened, so on the sandbox host this PE32 image ran under the 64-bit CLR, as an AnyCPU assembly does.

Hashes

md5: da78903faa5adb2bde0c91f7e7a81732
sha1: 54657c7e2849eb0af883a734d5e66727bba6236f
crc32: 0xbf6201c8
sha224: 727c542a3a6a39c615238294296cba37043326fc53865c41ba6d5afa
sha256: eb6f8e74520b666944c31d17df7d62c445b40428e64014638837fc0e506282ec
sha384: 1806afe79e1fd5d729b0dd389152df8c0fa932c435f0b9ccfbec7f58fdfc6a76062bb387a4f83f0b36da62c956070d1a
sha512: b3b88918e0e61204912cb288115d6d5f76163e21fdbcd6e674d3e3d5a6391aa60591a717bf0cab812cc119a8f33ad657f02354632fe48d96bc61cc8e9d62afbf
ssdeep: 384:79z/Ibagu/0Ei6ImDxWlfwWhDBRJOnhlnWH:pzYG/0T76Ij1PL

Creation Date: Aug. 20, 2021, 1:59 p.m.
Last Update: Aug. 20, 2021, 11:13 p.m.
File: ScriptRunner.exe

Results

Google: False
HashLib: False

YARA

Matches: NET_executable, Microsoft_Visual_C_v70_Basic_NET, Microsoft_Visual_Studio_NET_additional, HasDebugData, url, IP, contentis_base64, IsNET_EXE, Microsoft_Visual_C_Basic_NET, Microsoft_Visual_Studio_NET, HasOverlay, IsConsole, NET_executable_, domain, IsPE32, Microsoft_Visual_C_v70_Basic_NET_additional
Suspicious: True

Imports

mscoree.dll: _CorExeMain

_CorExeMain is the only native import a managed-only executable carries: the loader jumps to it and the CLR takes over, so the import table says nothing about what the managed code itself calls. HasOverlay is consistent with an appended Authenticode signature, whose certificate chain appears in the strings below.

Strings

The certificate, CRL and CPS URLs below come from the DER-encoded Authenticode signature chain (Microsoft Root Certificate Authority 2010, MicWinProPCA2011, MicTimStaPCA). The 0, 0Z or 0@ characters that string extractors attach to them are DER tag and length bytes, not part of the URL, and none of these URLs is an application network indicator. The usage and error strings show what the binary does: it launches the scripts or executables named on its command line, and the metadata names (GetProcessStartInfo, set_StartInfo, get_HasExited, get_ExitCode, LaunchAllScripts) show those launches go through System.Diagnostics.Process, with -wait and -timeout built around HasExited/ExitCode. The command line is therefore what a defender needs to log and inspect. The manifest requests asInvoker (no elevation), and the d:\os\public\x86fre\onecoreuap build path is consistent with an inbox OneCoreUAP component.

http://www.microsoft.com/windows
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
ScriptRunner.pdb
http://www.microsoft.com/PKI/docs/CPS/default.htm
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl
http://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl (x2)
http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt (x2)
http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt
d:\os\public\x86fre\onecoreuap\internal\strongnamekeys\fake\windows.snk
Example:
ScriptRunner.exe -appvscript foo.cmd arg1 arg2 -appvscriptrunnerparameters -wait -timeout=30 -rollbackonerror -appvscript foobar.exe arg1 arg2
ScriptRunner.exe (x4)
10.0.0.0
Rollback is
Wait is
Script is
Timeout is
RollbackOnError is
mscoree.dll
Script failed. RetCode =
DebuggableAttribute
DebuggingModes
Copyright (c) Microsoft Corporation. All rights reserved. (x2)
Script exited with non-zero exit code. Because -rollbackonerror was set, the current operation will be rolled back.
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
Microsoft Root Certificate Authority 2010 (x2)
-appvscriptrunnerparameters must follow an executable script
_CorExeMain
-appvscript must be followed by the script to execute
-appvscript must be followed by an executable script
-ROLLBACKONERROR (x2)
10.0.10011.16384
LaunchAllScripts
IEnumerable`1
get_Current
10.0.19041.867 (x2)
op_Equality
set_Arguments
get_Arguments
229879+4633440
-APPVSCRIPTRUNNERPARAMETERS (x2)
get_Count
get_HResult
System.Core
get_FileName
set_FileName
get_ExitCode
-APPVSCRIPT (x2)
get_Wait
set_Wait
get_HasExited
set_StartInfo
get_Timeout
set_Timeout
get_Message
-TIMEOUT= (x2)
Microsoft Corporation
get_InvariantCulture
System.Linq
System.Text
GetProcessStartInfo
#Strings
Error: {0}
get_Length
RuntimeCompatibilityAttribute
IFormatProvider
Microsoft Corporation (x2)
<>9__7_0
set_RollbackOnError
get_RollbackOnError
ComVisibleAttribute
<Module>
waitPattern
timeoutPattern
</assembly>
rollbackPattern
StringComparison
CompanyName
scriptPattern
Environment
-? /? HELP -HELP ? (x2)
value__
ProductName
AssemblyKeyFileAttribute
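Because ScriptRunner.exe exists to start whatever its command line names, the artifact a detection engineer wants from a process-creation event is the list of scripts it was told to run. The parser below is an added example, not Microsoft's code: it implements the argument grammar as far as it can be inferred from the usage string and error messages above. The defaults (no wait, no timeout, no rollback), the help-flag handling, the treatment of quoted paths and the "unexpected argument" message are assumptions.

```python
"""Parse ScriptRunner.exe command lines into per-script entries.

Added example, not Microsoft's code. The grammar is inferred from the usage
string and error messages found in ScriptRunner.exe:
  -appvscript <script> [args...] [-appvscriptrunnerparameters [-wait]
      [-timeout=N] [-rollbackonerror]]   (group is repeatable)
Defaults, help-flag handling and quote stripping are assumptions.
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

HELP_FLAGS = {"-?", "/?", "?", "help", "-help"}
RUNNER_SWITCHES = {"-appvscript", "-appvscriptrunnerparameters", "-wait", "-rollbackonerror"}


class ScriptRunnerSyntaxError(ValueError):
    """Raised with the wording ScriptRunner.exe itself uses where one is known."""


@dataclass
class ScriptEntry:
    script: str
    args: List[str] = field(default_factory=list)
    wait: bool = False                 # -wait
    timeout: Optional[int] = None      # -timeout=N (seconds assumed)
    rollback_on_error: bool = False    # -rollbackonerror


def _is_switch(token: str) -> bool:
    low = token.lower()
    return low in RUNNER_SWITCHES or low.startswith("-timeout=")


def _unquote(token: str) -> str:
    return token[1:-1] if len(token) >= 2 and token[0] == token[-1] == '"' else token


def parse_scriptrunner(cmdline: str) -> List[ScriptEntry]:
    """Return one ScriptEntry per -appvscript group, in launch order."""
    tokens = shlex.split(cmdline, posix=False)   # non-POSIX mode keeps backslashes
    if tokens and _unquote(tokens[0]).lower().endswith("scriptrunner.exe"):
        tokens = tokens[1:]                       # drop the program name
    if any(t.lower() in HELP_FLAGS for t in tokens):
        return []                                 # usage text only, nothing launched
    entries: List[ScriptEntry] = []
    current: Optional[ScriptEntry] = None
    in_params = False                             # after -appvscriptrunnerparameters
    i = 0
    while i < len(tokens):
        tok, low = tokens[i], tokens[i].lower()
        if low == "-appvscript":
            if i + 1 >= len(tokens) or _is_switch(tokens[i + 1]):
                raise ScriptRunnerSyntaxError("-appvscript must be followed by the script to execute")
            current = ScriptEntry(script=_unquote(tokens[i + 1]))
            entries.append(current)
            in_params = False
            i += 2
            continue
        if low == "-appvscriptrunnerparameters":
            if current is None:
                raise ScriptRunnerSyntaxError("-appvscriptrunnerparameters must follow an executable script")
            in_params = True
            i += 1
            continue
        if current is None:                       # assumed message, not from the binary
            raise ScriptRunnerSyntaxError(f"unexpected argument before -appvscript: {tok}")
        if in_params:
            if low == "-wait":
                current.wait = True
            elif low.startswith("-timeout="):
                current.timeout = int(tok.split("=", 1)[1])
            elif low == "-rollbackonerror":
                current.rollback_on_error = True
            else:
                raise ScriptRunnerSyntaxError(f"unknown runner parameter: {tok}")
        else:
            current.args.append(_unquote(tok))    # script's own arguments
        i += 1
    return entries


def launched_scripts(cmdline: str) -> List[str]:
    """The detection view: which scripts/executables this invocation would start."""
    return [e.script for e in parse_scriptrunner(cmdline)]


if __name__ == "__main__":
    example = ("ScriptRunner.exe -appvscript foo.cmd arg1 arg2 "
               "-appvscriptrunnerparameters -wait -timeout=30 -rollbackonerror "
               "-appvscript foobar.exe arg1 arg2")
    for entry in parse_scriptrunner(example):
        print(entry)
```

Feed it the CommandLine field of a process-creation event (Sysmon event 1, Windows 4688) for ScriptRunner.exe and alert on the returned script paths, not on the image name, since the image is a signed Microsoft binary.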

Foremost

Matches: 0.exe, 13 KB
Suspicious: True

Heuristics

IPs: hasIPs: False; Allowed: hasAllowed: False; Suspicious: hasSuspicious: False
URLs: hasURLs: True; Allowed (hasAllowed: True): http://www.microsoft.com/pki/certs/microoceraut_2010-06-23.crt, http://www.microsoft.com/pkiops/certs/micwinpropca2011_2011-10-19.crt, http://www.microsoft.com/windows, http://crl.microsoft.com/pki/crl/products/microoceraut_2010-06-23.crl, http://www.microsoft.com/pki/docs/cps/default.htm, http://www.microsoft.com/pki/certs/mictimstapca_2010-07-01.crt, http://crl.microsoft.com/pki/crl/products/mictimstapca_2010-07-01.crl, http://www.microsoft.com/pkiops/crl/micwinpropca2011_2011-10-19.crl; Suspicious: hasSuspicious: False
Files: hasFiles: True; Allowed (hasAllowed: True): mscoree.dll; Suspicious: hasSuspicious: False

Binary

Sizes: RVA: 16, Suspicious: False; Code: 2560, Suspicious: False; Image address: 4194304 (0x400000), Suspicious: False; Stack: 4096, Suspicious: False; Headers: 512, Suspicious: False
Symbols: Number: 0, Suspicious: True; Pointer: 0, Suspicious: True
Directories: Number: 16, Suspicious: False
Checksum: Value: 35013, Suspicious: False
Sections: Allowed: .text, .rsrc, .reloc; hasAllowed: True, hasSections: True, hasSuspicious: False
Versions: OS: 4, Suspicious: False; Image: 4, Suspicious: True; Linker: 48.0, Suspicious: False; Subsystem: 4.0, Suspicious: False
EntryPoint: Address: 18094 (0x46AE), Suspicious: False
Anomalies: The Debug TimeDateStamp(s) and the file header TimeDateStamp do not match. hasAnomalies: True
Libraries: Allowed: mscoree.dll; hasLibs: True, hasAllowed: True, hasSuspicious: False
Timestamp: Value: 2077-02-06 06:06:29; Valid: True; Past: False; Future: True
Compilation: Packed: False; Missing: False; Compiled: True; Compilers: Microsoft Visual C# / Basic .NET, Microsoft Visual Studio .NET, .NET executable, Microsoft Visual C# v7.0 / Basic .NET
Obfuscation: XOR: False; Fuzzing: False

Two of these flags are noise for a modern .NET image. A zero symbol count and symbol-table pointer is the normal state of every current PE (the COFF symbol table is deprecated), and linker version 48.0 is the value the Roslyn C# compiler writes, which agrees with the compiler identification. The timestamp findings need the same care: Roslyn's deterministic build mode, the default for current SDK-style projects, stores a hash of the build inputs in the COFF TimeDateStamp rather than a date, so a 2077 value in a Microsoft .NET binary is expected and is not by itself evidence of tampering. The reliable time reference for this file is the Authenticode timestamp countersignature (MicTimStaPCA in the strings), not the PE header.
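The two timestamp findings above (debug-directory stamp differing from the COFF header, and a COFF stamp in 2077) can be checked directly, and so can the benign explanation: a deterministic Roslyn build marks itself with a Reproducible debug directory entry (type 16), in which case the COFF stamp is a hash, not a date. The script below is an added example, not the sandbox's code. It parses only the headers it needs; the minimal PE it builds is constructed for demonstration and is not the analyzed file, although the COFF stamp and run date it checks are the values in this report (the debug stamps are made up).

```python
"""Compare a PE's COFF TimeDateStamp with its debug directory entries.

Added example, not the sandbox's code. It reproduces two findings from the
report (debug stamp != file-header stamp, file-header stamp in the future)
and checks for the benign explanation: a Reproducible debug directory entry
(type 16), which deterministic Roslyn builds emit alongside a hash-derived
COFF stamp. build_sample_pe() constructs a minimal PE32 for demonstration;
it is not the analyzed file.
"""
import struct
from datetime import datetime, timezone
from typing import Dict, List, Tuple

IMAGE_DEBUG_TYPE_CODEVIEW = 2
IMAGE_DEBUG_TYPE_REPRO = 16
DEBUG_DIR_INDEX = 6                       # IMAGE_DIRECTORY_ENTRY_DEBUG
DEBUG_ENTRY_SIZE = 28
REPORT_STAMP = 3379817189                 # 2077-02-06 06:06:29 UTC, from the report
SANDBOX_RUN_DATE = datetime(2021, 8, 20, tzinfo=timezone.utc)


def _rva_to_offset(rva: int, sections: List[Tuple[int, int, int]]) -> int:
    for va, raw_ptr, raw_size in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def pe_timestamps(data: bytes) -> Tuple[int, List[Tuple[int, int]]]:
    """Return (coff_timestamp, [(debug_type, debug_timestamp), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) ...
    nsections, coff_ts, opt_size = struct.unpack_from("<HI8xH", data, coff + 2)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)           # PE32 vs PE32+
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dirs + DEBUG_DIR_INDEX * 8)
    sec_hdr = opt + opt_size
    sections = []
    for i in range(nsections):                             # VirtualAddress, SizeOfRawData, PointerToRawData
        va, raw_size, raw_ptr = struct.unpack_from("<III", data, sec_hdr + i * 40 + 12)
        sections.append((va, raw_ptr, raw_size))
    debug = []
    if dbg_rva and dbg_size:
        off = _rva_to_offset(dbg_rva, sections)
        for n in range(dbg_size // DEBUG_ENTRY_SIZE):
            # entry: Characteristics(4) TimeDateStamp(4) Major(2) Minor(2) Type(4) ...
            ts, dtype = struct.unpack_from("<4xI4xI", data, off + n * DEBUG_ENTRY_SIZE)
            debug.append((dtype, ts))
    return coff_ts, debug


def assess_timestamps(data: bytes, now: datetime) -> Dict[str, object]:
    coff_ts, debug = pe_timestamps(data)
    when = datetime.fromtimestamp(coff_ts, tz=timezone.utc)
    reproducible = any(t == IMAGE_DEBUG_TYPE_REPRO for t, _ in debug)
    mismatch = any(ts != coff_ts for _, ts in debug)
    return {
        "coff_time": when.isoformat(),
        "future": when > now,
        "debug_mismatch": mismatch,
        "reproducible_build": reproducible,
        # A future or inconsistent stamp is only worth escalating when the
        # image does not declare itself a deterministic (hash-stamped) build.
        "anomalous": (when > now or mismatch) and not reproducible,
    }


def build_sample_pe(coff_ts: int, debug_entries: List[Tuple[int, int]]) -> bytes:
    """Constructed minimal PE32: one .text section holding the debug directory."""
    dbg = b"".join(struct.pack("<IIHHIIII", 0, ts, 0, 0, dtype, 0, 0, 0)
                   for dtype, ts in debug_entries)
    text_va, text_raw = 0x1000, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, coff_ts, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                    # PE32 magic + fields
    data_dirs = [(0, 0)] * 16
    data_dirs[DEBUG_DIR_INDEX] = (text_va, len(dbg))
    opt += b"".join(struct.pack("<II", *d) for d in data_dirs)
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(dbg), text_va, 0x200,
                                         text_raw, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sec).ljust(text_raw, b"\0")
    return headers + dbg.ljust(0x200, b"\0")


if __name__ == "__main__":
    print(assess_timestamps(build_sample_pe(REPORT_STAMP, [(IMAGE_DEBUG_TYPE_CODEVIEW, 0x600000)]),
                            SANDBOX_RUN_DATE))
    print(assess_timestamps(build_sample_pe(REPORT_STAMP, [(IMAGE_DEBUG_TYPE_CODEVIEW, REPORT_STAMP),
                                                           (IMAGE_DEBUG_TYPE_REPRO, REPORT_STAMP)]),
                            SANDBOX_RUN_DATE))
```

Run `assess_timestamps(open(path, "rb").read(), datetime.now(timezone.utc))` on the real file; if a type-16 entry is present the 2077 stamp is by design, and the question to ask instead is whether the Authenticode signature validates.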

PEDetector

Matches: None
Suspicious: False

Disassembly

hasTricks: True
Tricks: pushret (.text: 1); cpuinstructionsresultscomparison (.text: 1)

Treat both hits as false positives until confirmed: in a managed-only PE32 executable the .text section holds CIL and .NET metadata, and the only native code is the loader stub that jumps to mscoree.dll!_CorExeMain, so x86 pattern matching over that section is decoding CIL and metadata bytes as instructions.

AVclass

File Trace

All rows: 20/8/2021, PID 2476, process image C:\malware.exe (the sandbox's name for the submitted ScriptRunner.exe).

Time          Op       Target                                                   File
22:45:43.497  Open     C:\Windows\System32\MUI\0416\mscorees.dll
22:45:43.497  Open     C:\Windows\System32\MUI\0416\mscorees.dll
22:45:43.497  Open     C:\Windows\System32\mscorrc.dll
22:45:43.497  Open     C:\Windows\System32\mscorrc.dll.DLL
22:45:43.497  Open     C:\mscorrc.dll
22:45:43.497  Open     C:\Windows\System32\mscorrc.dll
22:45:43.497  Open     C:\Windows\system\mscorrc.dll
22:45:43.497  Open     C:\Windows\mscorrc.dll
22:45:43.497  Open     C:\Monitor\mscorrc.dll
22:45:43.497  Open     C:\Windows\System32\mscorrc.dll
22:45:43.497  Open     C:\Windows\mscorrc.dll
22:45:43.497  Open     C:\Windows\System32\wbem\mscorrc.dll
22:45:43.497  Open     C:\Windows\System32\WindowsPowerShell\v1.0\mscorrc.dll
22:45:43.497  Open     C:\malware.exe.config
22:45:43.497  Open     C:\Windows\Microsoft.NET\Framework64\v4.0.40305
22:45:43.497  Open     C:\Windows\Microsoft.NET\Framework64\v4.0.40305
22:45:43.512  Open     C:\Windows\Fonts\StaticCache.dat
22:45:43.512  Read     C:\Windows\Fonts\StaticCache.dat                         StaticCache.dat
22:45:43.512  Open     C:\Windows\System32\uxtheme.dll
22:45:43.512  Open     C:\Windows\System32\uxtheme.dll
22:45:43.559  Open     C:\dwmapi.dll
22:45:43.559  Open     C:\Windows\System32\dwmapi.dll
22:45:43.559  Open     C:\Windows\System32\dwmapi.dll
22:45:43.559  Open     C:\Windows\System32\ole32.dll
22:45:43.559  Open     C:\Windows\System32\ole32.dll
22:45:43.559  Open     C:\Windows\System32\rpcss.dll
22:45:43.559  Open     C:\Windows\System32\rpcss.dll
22:45:43.559  Open     C:\Windows\System32\rpcss.dll
22:45:43.559  Open     C:\Windows\System32\rpcss.dll
22:45:43.559  Open     C:\CRYPTBASE.dll
22:45:43.559  Open     C:\Windows\System32\cryptbase.dll
22:45:43.559  Unknown  C:\Windows\System32\cryptbase.dll                        cryptbase.dll
22:45:43.559  Open     C:\Windows\System32\cryptbase.dll
22:45:43.559  Unknown  C:\Windows\System32\cryptbase.dll                        cryptbase.dll
22:45:43.575  Open     C:\Windows\Globalization\Sorting\SortDefault.nls
22:45:43.575  Unknown  C:\Windows\Globalization\Sorting\SortDefault.nls         SortDefault.nls

Every row is CLR start-up and loader activity, nothing application-specific. The mscorrc.dll probes (the CLR's resource DLL, looked for first under the MUI directory as mscorees.dll) walk the standard DLL search order: the application directory (C:\ here, because the sandbox placed the sample in the drive root), System32, System, the Windows directory, and then PATH entries (wbem, WindowsPowerShell\v1.0, and C:\Monitor, which is presumably the sandbox's own tooling directory). The probes for C:\dwmapi.dll and C:\CRYPTBASE.dll are the same application-directory-first lookup for libraries that are not KnownDLLs; on a production host the equivalent directory is wherever the binary is installed, which is why write access to an application directory is a DLL-planting position.
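The probes above are the Windows DLL search order at work, and the useful triage step is to group them per DLL and note which libraries were looked for in the process's own directory. The script below is an added example, not the sandbox's tooling. Its SAMPLE_TRACE is a constructed subset of the trace above, and the row layout it parses (date - time, operation, PID, process image, target, optional trailing file column) is assumed from that trace.

```python
"""Group DLL open probes from a sandbox file trace by DLL name.

Added example, not the sandbox's tooling. The row layout (date - time, op,
PID, process image, target, optional file column) is assumed from the
trace; SAMPLE_TRACE is a constructed subset of that trace.
"""
import re
from typing import Dict, List, NamedTuple

ROW = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) - (?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<op>\w+)\s+(?P<pid>\d+)\s+(?P<image>\S+)\s+(?P<target>\S+)(?:\s+\S+)?\s*$"
)

# Constructed subset of the report's file trace (same format, fewer rows).
SAMPLE_TRACE = r"""
20/8/2021 - 22:45:43.497 Open 2476 C:\malware.exe C:\Windows\System32\MUI\0416\mscorees.dll
20/8/2021 - 22:45:43.497 Open 2476 C:\malware.exe C:\Windows\System32\mscorrc.dll
20/8/2021 - 22:45:43.497 Open 2476 C:\malware.exe C:\Windows\System32\mscorrc.dll.DLL
20/8/2021 - 22:45:43.497 Open 2476 C:\malware.exe C:\mscorrc.dll
20/8/2021 - 22:45:43.497 Open 2476 C:\malware.exe C:\Windows\system\mscorrc.dll
20/8/2021 - 22:45:43.497 Open 2476 C:\malware.exe C:\Windows\mscorrc.dll
20/8/2021 - 22:45:43.497 Open 2476 C:\malware.exe C:\Monitor\mscorrc.dll
20/8/2021 - 22:45:43.497 Open 2476 C:\malware.exe C:\Windows\System32\WindowsPowerShell\v1.0\mscorrc.dll
20/8/2021 - 22:45:43.497 Open 2476 C:\malware.exe C:\malware.exe.config
20/8/2021 - 22:45:43.512 Read 2476 C:\malware.exe C:\Windows\Fonts\StaticCache.dat StaticCache.dat
20/8/2021 - 22:45:43.559 Open 2476 C:\malware.exe C:\dwmapi.dll
20/8/2021 - 22:45:43.559 Open 2476 C:\malware.exe C:\Windows\System32\dwmapi.dll
20/8/2021 - 22:45:43.559 Open 2476 C:\malware.exe C:\CRYPTBASE.dll
20/8/2021 - 22:45:43.559 Open 2476 C:\malware.exe C:\Windows\System32\cryptbase.dll
20/8/2021 - 22:45:43.559 Unknown 2476 C:\malware.exe C:\Windows\System32\cryptbase.dll cryptbase.dll
"""


class Row(NamedTuple):
    time: str
    op: str
    pid: int
    image: str
    target: str


def parse_trace(text: str) -> List[Row]:
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:                                  # non-matching lines (headers, blanks) are skipped
            rows.append(Row(m["time"], m["op"], int(m["pid"]), m["image"], m["target"]))
    return rows


def _split(path: str):
    """Lower-cased (directory, basename) of a Windows path."""
    d, _, name = path.rpartition("\\")
    return d.lower(), name.lower()


def dll_probes(rows: List[Row]) -> Dict[str, List[str]]:
    """DLL basename -> directories it was opened from, in trace order."""
    probes: Dict[str, List[str]] = {}
    for r in rows:
        if r.op != "Open":
            continue
        d, name = _split(r.target)
        if name.endswith(".dll"):
            probes.setdefault(name, []).append(d)
    return probes


def hijack_candidates(rows: List[Row]) -> List[str]:
    """DLLs the loader probed in the process image's own directory, the first
    location in the default search order; a writable application directory
    turns each of these into a planting point."""
    image_dirs = {_split(r.image)[0] for r in rows}
    return [name for name, dirs in dll_probes(rows).items()
            if any(d in image_dirs for d in dirs)]


if __name__ == "__main__":
    rows = parse_trace(SAMPLE_TRACE)
    for name, dirs in dll_probes(rows).items():
        print(name, "->", dirs)
    print("application-directory probes:", hijack_candidates(rows))
```

On the full trace the same three names come out (mscorrc.dll, dwmapi.dll, cryptbase.dll); whether any of them is exploitable depends on who can write to the directory the real ScriptRunner.exe runs from, which a sandbox run from C:\ cannot tell you.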

Process Trace

Analysis: Reason: Timeout; Status: Successfully Executed; Results: 1

Registry Trace

File Summary: Created Identified: False; Deleted Identified: False
Process Summary: Created Identified: False; Deleted Identified: False
Registry Summary: Proxy Identified: False; AutoRun Identified: False; Created Identified: False; Deleted Identified: False; Browsers Identified: False; Internet Identified: False

No process, file or registry creation was observed, and the file trace shows only runtime initialization. This binary's behaviour is driven entirely by its command line, so a dynamic run that gives it no -appvscript to launch exercises nothing beyond start-up; a meaningful sandbox run would pass a script and observe the child process.

Network

DNS: Query / Response: none
TCP: Info: none
UDP: Info: none
HTTP: Info: none

Summary: DNS: False; TCP: False; UDP: False; HTTP: False

Results

BINARY

NFS 2.0 (Threshold = 0.8): confidence 95.00%, suspicious: False
NFS 3.0 (Threshold = 0.75): confidence 50.33%, suspicious: True
Decision Tree (NFS-BRMalware): confidence 100.00%, suspicious: True
MalConv (Ember: Raw Bytes, Threshold = 0.5): confidence 99.31%, suspicious: True
Random Forest (100 estimators, NFS-BRMalware): confidence 58.00%, suspicious: True
Non-Negative MalConv (Ember: Raw Bytes, Threshold = 0.35): confidence 77.53%, suspicious: True
LightGBM (Ember: File Characteristics, Threshold = 0.8336): confidence 100.00%, suspicious: False

Five of the seven models flag the file and the two that clear it are the two most confident, so the ensemble is not a verdict on its own. The static evidence (Microsoft copyright and version strings, the Authenticode certificate chain, the App-V ScriptRunner usage text and a bare mscoree.dll import) points to a genuine Microsoft .NET component whose only risk is the command line it is given. Before treating the ML scores as a detection, validate the Authenticode signature and compare the hashes above with a known-good copy of ScriptRunner.exe.
