2* ID: 850
3* MalFamily: ""
4
5* MalScore: 10.0
6
7* File Name: "Exes_2ad8ef1b928417101943241a0c67f1d2.exe"
8* File Size: 509952
9* File Type: "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
10* SHA256: "c27868ae972f35e6ce230e6a10584f29460ed2b26f7ef990895617bc6c35bd3b"
11* MD5: "2ad8ef1b928417101943241a0c67f1d2"
12* SHA1: "668058f23749bc937892987a8afb611f4a1f5f4f"
13* SHA512: "d1cf5c120762529ea655c3c51bc5376d2983aaa462e0105d587e87ba8ca163ae16e2c10be8e17b0a9ea6b7431526094ad4525e6d90e99269f26c33f2a9205bf2"
14* CRC32: "E47396CC"
15* SSDEEP: "12288:DEj/V4IrKI4Klpu+2xwkcdLrYxQ1QMS7X7EsC0MVf2o:45bmIN2eNZqgQT7XA30"
16
17* Process Execution:
18 "NobRpFPXzj38pA1.exe",
19 "NobRpFPXzj38pA1.exe",
20 "services.exe",
21 "svchost.exe",
22 "WmiPrvSE.exe",
23 "lsass.exe",
24 "taskhost.exe",
25 "WMIADAP.exe"
26
27
28* Executed Commands:
29 "\"C:\\Users\\user\\AppData\\Local\\Temp\\NobRpFPXzj38pA1.exe\"",
30 "C:\\Windows\\system32\\lsass.exe"
31
32
33* Signatures Detected:
34
35 "Description": "SetUnhandledExceptionFilter call detected (possible anti-debugging)",
36 "Details":
37
38
39 "Description": "Behavioural detection: Executable code extraction",
40 "Details":
41
42
43 "Description": "Creates RWX memory",
44 "Details":
45
46
47 "Description": "Use of guard pages detected - possible anti-debugging.",
48 "Details":
49
50
51 "Description": "A process attempted to delay the analysis task.",
52 "Details":
53
54 "Process": "NobRpFPXzj38pA1.exe tried to sleep 1290 seconds, actually delayed analysis time by 0 seconds"
55
56
57 "Process": "WmiPrvSE.exe tried to sleep 361 seconds, actually delayed analysis time by 0 seconds"
58
59
60
61
62 "Description": "HTTP traffic contains suspicious features which may be indicative of malware-related traffic",
63 "Details":
64
65 "get_no_useragent": "HTTP traffic contains a GET request with no User-Agent header (see the raw request below: only Host and Connection are sent)"
66
67
68 "suspicious_request_iocs": "http://checkip.amazonaws.com/"
69
70
71
72
73 "Description": "Performs some HTTP requests",
74 "Details":
75
76 "url_iocs": "http://checkip.amazonaws.com/"
77
78
79
80
81 "Description": "The binary likely contains encrypted or compressed data.",
82 "Details":
83
84 "section": "name: .text, entropy: 7.93, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x0007bc00, virtual_size: 0x0007bbc4"
85
86
87
88
89 "Description": "Behavioural detection: Injection (Process Hollowing)",
90 "Details":
91
92 "Injection": "NobRpFPXzj38pA1.exe(1528) -> NobRpFPXzj38pA1.exe(2036)"
93
94
95
96
97 "Description": "Executed a process and injected code into it, probably while unpacking",
98 "Details":
99
100 "Injection": "NobRpFPXzj38pA1.exe(1528) -> NobRpFPXzj38pA1.exe(2036)"
101
102
103
104
105 "Description": "Attempts to remove evidence that the file was downloaded from the Internet (deletes the Zone.Identifier alternate data stream of the dropped copy)",
106 "Details":
107
108 "file": "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe:Zone.Identifier"
109
110
111
112
113 "Description": "Deletes its original binary from disk",
114 "Details":
115
116
117 "Description": "Sniffs keystrokes (installs a Windows hook via SetWindowsHookExW from the hollowed child process)",
118 "Details":
119
120 "SetWindowsHookExW": "Process: NobRpFPXzj38pA1.exe(2036)"
121
122
123
124
125 "Description": "Behavioural detection: Injection (inter-process)",
126 "Details":
127
128
129 "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
130 "Details":
131
132
133 "Description": "Repeatedly calls a single API many times in order to delay analysis (note: the process reported below is the system services.exe, so this may be sandbox noise rather than sample behaviour)",
134 "Details":
135
136 "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 11419166 times"
137
138
139
140
141 "Description": "Steals private information from local web browsers (reads the Chrome Cookies and Login Data stores listed below)",
142 "Details":
143
144 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
145
146
147 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
148
149
150
151
152 "Description": "Installs itself for autorun at Windows startup (per-user HKCU Run key, pointing at the dropped copy in %APPDATA%\\MyApp)",
153 "Details":
154
155 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MyApp"
156
157
158 "data": "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe"
159
160
161
162
163 "Description": "Creates a hidden or system file",
164 "Details":
165
166 "file": "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe"
167
168
169
170
171 "Description": "File has been identified as malicious by 23 antivirus engines on VirusTotal",
172 "Details":
173
174 "MicroWorld-eScan": "Gen:Variant.MSILPerseus.194040"
175
176
177 "Arcabit": "Trojan.MSILPerseus.D2F5F8"
178
179
180 "Invincea": "heuristic"
181
182
183 "Symantec": "ML.Attribute.HighConfidence"
184
185
186 "APEX": "Malicious"
187
188
189 "BitDefender": "Gen:Variant.MSILPerseus.194040"
190
191
192 "Paloalto": "generic.ml"
193
194
195 "Ad-Aware": "Gen:Variant.MSILPerseus.194040"
196
197
198 "McAfee-GW-Edition": "BehavesLike.Win32.Generic.gc"
199
200
201 "FireEye": "Generic.mg.2ad8ef1b92841710"
202
203
204 "Emsisoft": "Gen:Variant.MSILPerseus.194040 (B)"
205
206
207 "SentinelOne": "DFI - Malicious PE"
208
209
210 "Microsoft": "Trojan:Win32/Wacatac.B!ml"
211
212
213 "Endgame": "malicious (high confidence)"
214
215
216 "GData": "Gen:Variant.MSILPerseus.194040"
217
218
219 "AhnLab-V3": "Win-Trojan/MSILKrypt17.Exp"
220
221
222 "Acronis": "suspicious"
223
224
225 "VBA32": "CIL.StupidCryptor.Heur"
226
227
228 "ALYac": "Gen:Variant.MSILPerseus.194040"
229
230
231 "MAX": "malware (ai score=86)"
232
233
234 "Cylance": "Unsafe"
235
236
237 "CrowdStrike": "win/malicious_confidence_100% (D)"
238
239
240 "Qihoo-360": "HEUR/QVM03.0.A339.Malware.Gen"
241
242
243
244
245 "Description": "Reads the CPU name from the registry, possibly for anti-virtualization (VM detection)",
246 "Details":
247
248
249 "Description": "Creates a copy of itself",
250 "Details":
251
252 "copy": "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe"
253
254
255 "copy": "C:\\Users\\user\\AppData\\Local\\Temp\\tmpG825.tmp"
256
257
258
259
260 "Description": "Harvests information related to installed mail clients (Thunderbird profiles.ini and the Outlook profile registry values below, including stored SMTP/POP3/IMAP/HTTP password entries)",
261 "Details":
262
263 "file": "C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\profiles.ini"
264
265
266 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676"
267
268
269 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
270
271
272 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Password"
273
274
275 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
276
277
278 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTP Password"
279
280
281 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
282
283
284 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTP Password"
285
286
287 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
288
289
290 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Password"
291
292
293 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
294
295
296 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Password"
297
298
299 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Password"
300
301
302 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
303
304
305 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Password"
306
307
308 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Password"
309
310
311 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
312
313
314
315
316 "Description": "Collects information to fingerprint the system",
317 "Details":
318
319
320
321* Started Service:
322 "VaultSvc"
323
324
325* Mutexes:
326 "Global\\CLR_PerfMon_WrapMutex",
327 "Global\\CLR_CASOFF_MUTEX",
328 "Local\\_!MSFTHISTORY!_",
329 "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
330 "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
331 "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
332 "Global\\.net clr networking",
333 "Global\\ADAP_WMI_ENTRY",
334 "Global\\RefreshRA_Mutex",
335 "Global\\RefreshRA_Mutex_Lib",
336 "Global\\RefreshRA_Mutex_Flag"
337
338
339* Modified Files:
340 "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe",
341 "C:\\Users\\user\\AppData\\Local\\Temp\\tmpG825.tmp",
342 "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
343 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
344 "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
345 "C:\\Users\\user\\AppData\\Roaming\\eqgczies.rg2\\Chrome\\Default\\Cookies",
346 "C:\\Users\\user\\AppData\\Roaming\\eqgczies.rg2.zip",
347 "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
348 "\\??\\WMIDataDevice",
349 "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8"
350
351
352* Deleted Files:
353 "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1528.23296937",
354 "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1528.23296937",
355 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1528.23296953",
356 "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe:Zone.Identifier",
357 "C:\\Users\\user\\AppData\\Local\\Temp\\NobRpFPXzj38pA1.exe",
358 "C:\\Users\\user\\AppData\\Roaming\\eqgczies.rg2\\Chrome\\Default\\Cookies",
359 "C:\\Users\\user\\AppData\\Roaming\\eqgczies.rg2\\Chrome\\Default",
360 "C:\\Users\\user\\AppData\\Roaming\\eqgczies.rg2\\Chrome",
361 "C:\\Users\\user\\AppData\\Roaming\\eqgczies.rg2",
362 "C:\\Users\\user\\AppData\\Roaming\\eqgczies.rg2.zip"
363
364
365* Modified Registry Keys:
366 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MyApp",
367 "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\NobRpFPXzj38pA1_RASAPI32",
368 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\NobRpFPXzj38pA1_RASAPI32\\EnableFileTracing",
369 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\NobRpFPXzj38pA1_RASAPI32\\EnableConsoleTracing",
370 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\NobRpFPXzj38pA1_RASAPI32\\FileTracingMask",
371 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\NobRpFPXzj38pA1_RASAPI32\\ConsoleTracingMask",
372 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\NobRpFPXzj38pA1_RASAPI32\\MaxFileSize",
373 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\NobRpFPXzj38pA1_RASAPI32\\FileDirectory"
374
375
376* Deleted Registry Keys:
377
378* DNS Communications:
379
380 "type": "A",
381 "request": "checkip.amazonaws.com",
382 "answers":
383
384 "data": "52.55.255.113",
385 "type": "A"
386
387
388 "data": "checkip.check-ip.aws.a2z.com",
389 "type": "CNAME"
390
391
392 "data": "52.44.169.135",
393 "type": "A"
394
395
396 "data": "checkip.us-east-1.prod.check-ip.aws.a2z.com",
397 "type": "CNAME"
398
399
400 "data": "18.205.71.63",
401 "type": "A"
402
403
404 "data": "3.224.145.145",
405 "type": "A"
406
407
408 "data": "18.204.189.102",
409 "type": "A"
410
411
412 "data": "34.196.181.158",
413 "type": "A"
414
415
416
417
418
419* Domains:
420
421 "ip": "18.205.71.63",
422 "domain": "checkip.amazonaws.com"
423
424
425
426* Network Communication - ICMP:
427
428* Network Communication - HTTP:
429
430 "count": 1,
431 "body": "",
432 "uri": "http://checkip.amazonaws.com/",
433 "user-agent": "",
434 "method": "GET",
435 "host": "checkip.amazonaws.com",
436 "version": "1.1",
437 "path": "/",
438 "data": "GET / HTTP/1.1\r\nHost: checkip.amazonaws.com\r\nConnection: Keep-Alive\r\n\r\n",
439 "port": 80
440
441
442
443* Network Communication - SMTP:
444
445* Network Communication - Hosts:
446
447 "country_name": "United States",
448 "ip": "18.204.189.102",
449 "inaddrarpa": "",
450 "hostname": "checkip.amazonaws.com"
451
452
453
454* Network Communication - IRC: