Xcitium Cloud Verdict

Data Obfuscation

Attempts to execute a powershell command with suspicious parameter/s Show sources

hidden_window	Attempts to execute command with a hidden window
b64_encoded	Uses a Base64 encoded command value

Malware Analysis System Evasion

Detects VirtualBox through the presence of a file Show sources

file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe
file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe

Creates a hidden or system file Show sources

file_write

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF38247f.TMP

HIPS/ PFW/ Operating System Protection Evasion

Attempts to identify installed AV products by installation directory Show sources

file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\SbieCtrl.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Windows\Installer\SandboxieInstall64.exe
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\SbieCtrl.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Windows\Installer\SandboxieInstall64.exe

Hooking and other Techniques for Hiding Protection

Creates RWX memory Show sources

injection_rwx_memory

0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

Information Discovery

Reads data out of its own binary image Show sources

api_process_name	process: 45fbd8304300f10b955cbdb8f7c26b7c500cfda8.exe, pid: 2272, offset: 0x00000000, length: 0x0004b00e
api_process_name	process: 45fbd8304300f10b955cbdb8f7c26b7c500cfda8.exe, pid: 2272, offset: 0x0000ce1c, length: 0x0003e1f6