1
2* ID: 896
3* MalFamily: "Malicious"
4
5* MalScore: 10.0
6
7* File Name: "Exes_1381c4eafba0a330272c831d78f60dfa.exe"
8* File Size: 576000
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "ece090a78dd15d62d2135e97df60c4aadd91a47febfa871394155bf367fde6fd"
11* MD5: "1381c4eafba0a330272c831d78f60dfa"
12* SHA1: "763f07b2bbfe567cfeefabab39aca50a5e061ee4"
13* SHA512: "a4e07839d3cc27f3bcba3c1f1bba82a1a90984d752ee74930ad72ec148fd154dda29b5d328b9142a5b8790ccf1e506014d36df744d1625df9ed9cfbf065429cd"
14* CRC32: "1441EB5D"
15* SSDEEP: "6144:ijFLYna3ZqRK2CZDcdMOupj8RM6V/rBuZoE:ijFLYn0ecYdtIj8"
16
17* Process Execution:
18 "L1AbF3BmsWg52.exe",
19 "powershell.exe",
20 "images.exe",
21 "powershell.exe",
22 "cmd.exe",
23 "explorer.exe",
24 "svchost.exe",
25 "WmiPrvSE.exe",
26 "WMIADAP.exe",
27 "taskhost.exe"
28
29
30* Executed Commands:
31 "powershell Add-MpPreference -ExclusionPath C:\\",
32 "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
33
34
35* Signatures Detected:
36
37 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
38 "Details":
39
40
41 "Description": "Behavioural detection: Executable code extraction",
42 "Details":
43
44
45 "Description": "Guard pages use detected - possible anti-debugging.",
46 "Details":
47
48
49 "Description": "Reads data out of its own binary image",
50 "Details":
51
52 "self_read": "process: images.exe, pid: 1340, offset: 0x00000000, length: 0x0008ca00"
53
54
55
56
57 "Description": "A process created a hidden window",
58 "Details":
59
60 "Process": "images.exe -> C:\\Windows\\System32\\cmd.exe"
61
62
63
64
65 "Description": "A scripting utility was executed",
66 "Details":
67
68 "command": "powershell Add-MpPreference -ExclusionPath C:\\"
69
70
71
72
73 "Description": "Attempts to remove evidence of file being downloaded from the Internet",
74 "Details":
75
76 "file": "C:\\ProgramData\\images.exe:Zone.Identifier"
77
78
79
80
81 "Description": "Sniffs keystrokes",
82 "Details":
83
84 "SetWindowsHookExW": "Process: explorer.exe(2044)"
85
86
87
88
89 "Description": "Code injection with CreateRemoteThread in a remote process",
90 "Details":
91
92 "Injection": "images.exe(1340) -> cmd.exe(572)"
93
94
95
96
97 "Description": "Behavioural detection: Injection (inter-process)",
98 "Details":
99
100
101 "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
102 "Details":
103
104
105 "Description": "A process attempted to delay the analysis task by a long amount of time.",
106 "Details":
107
108 "Process": "cmd.exe tried to sleep 372 seconds, actually delayed analysis time by 0 seconds"
109
110
111 "Process": "WmiPrvSE.exe tried to sleep 361 seconds, actually delayed analysis time by 0 seconds"
112
113
114 "Process": "images.exe tried to sleep 38241 seconds, actually delayed analysis time by 0 seconds"
115
116
117 "Process": "L1AbF3BmsWg52.exe tried to sleep 1000 seconds, actually delayed analysis time by 0 seconds"
118
119
120
121
122 "Description": "Installs itself for autorun at Windows startup",
123 "Details":
124
125 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images"
126
127
128 "data": "C:\\ProgramData\\images.exe"
129
130
131
132
133 "Description": "Stack pivoting was detected when using a critical API",
134 "Details":
135
136 "process": "L1AbF3BmsWg52.exe:2432"
137
138
139 "process": "images.exe:1340"
140
141
142
143
144 "Description": "Creates a hidden or system file",
145 "Details":
146
147 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF21afad2.TMP"
148
149
150
151
152 "Description": "File has been identified by 22 Antiviruses on VirusTotal as malicious",
153 "Details":
154
155 "FireEye": "Generic.mg.1381c4eafba0a330"
156
157
158 "Cylance": "Unsafe"
159
160
161 "CrowdStrike": "win/malicious_confidence_90% (D)"
162
163
164 "K7GW": "Riskware ( 0040eff71 )"
165
166
167 "K7AntiVirus": "Riskware ( 0040eff71 )"
168
169
170 "APEX": "Malicious"
171
172
173 "Avast": "Win32:Trojan-gen"
174
175
176 "Kaspersky": "Trojan-Spy.Win32.AveMaria.bvf"
177
178
179 "Paloalto": "generic.ml"
180
181
182 "Endgame": "malicious (high confidence)"
183
184
185 "F-Secure": "Trojan.TR/AD.MortyStealer.yepni"
186
187
188 "DrWeb": "Trojan.PWS.Maria.3"
189
190
191 "SentinelOne": "DFI - Malicious PE"
192
193
194 "Avira": "TR/AD.MortyStealer.yepni"
195
196
197 "Antiy-AVL": "TrojanSpy/Win32.AveMaria"
198
199
200 "ZoneAlarm": "Trojan-Spy.Win32.AveMaria.bvf"
201
202
203 "Malwarebytes": "Backdoor.AveMaria"
204
205
206 "Fortinet": "W32/AveMaria.BVF!tr"
207
208
209 "AVG": "Win32:Trojan-gen"
210
211
212 "Cybereason": "malicious.2bbfe5"
213
214
215 "Panda": "Trj/GdSda.A"
216
217
218 "Qihoo-360": "HEUR/QVM20.1.A46F.Malware.Gen"
219
220
221
222
223 "Description": "Creates a copy of itself",
224 "Details":
225
226 "copy": "C:\\ProgramData\\images.exe"
227
228
229
230
231 "Description": "Drops a binary and executes it",
232 "Details":
233
234 "binary": "C:\\ProgramData\\images.exe"
235
236
237
238
239 "Description": "Collects information to fingerprint the system",
240 "Details":
241
242
243
244* Started Service:
245
246* Mutexes:
247 "Global\\CLR_PerfMon_WrapMutex",
248 "Global\\CLR_CASOFF_MUTEX",
249 "Global\\ADAP_WMI_ENTRY",
250 "Global\\RefreshRA_Mutex",
251 "Global\\RefreshRA_Mutex_Lib",
252 "Global\\RefreshRA_Mutex_Flag"
253
254
255* Modified Files:
256 "C:\\ProgramData\\images.exe",
257 "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
258 "\\??\\PIPE\\srvsvc",
259 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\H89AQB09FTYVTS1R2EIX.temp",
260 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms",
261 "C:\\Users\\user\\AppData\\Local\\Microsoft Vision\\04-09-2019_02.52.18",
262 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\EFIF7CEKMGS59OTQZ3W7.temp",
263 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF21afad2.TMP",
264 "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
265
266
267* Deleted Files:
268 "C:\\ProgramData\\images.exe:Zone.Identifier",
269 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\H89AQB09FTYVTS1R2EIX.temp",
270 "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1968.35318437",
271 "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1968.35318453",
272 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1968.35318453",
273 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF21afad2.TMP",
274 "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1772.35322703",
275 "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1772.35322703",
276 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1772.35322703"
277
278
279* Modified Registry Keys:
280 "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\msvideo",
281 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server",
282 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer",
283 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\XOT3FKWSJT",
284 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\XOT3FKWSJT\\inst",
285 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images",
286 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.106\\CheckSetting",
287 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.102\\CheckSetting",
288 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.101\\CheckSetting",
289 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.100\\CheckSetting",
290 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.103\\CheckSetting",
291 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.104\\CheckSetting",
292 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
293 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
294 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\S38OS404-1Q43-42S2-9305-67QR0O28SP23\\rkcybere.rkr",
295 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78.check.101\\CheckSetting",
296 "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList"
297
298
299* Deleted Registry Keys:
300 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&1\\CustomPropertyHwIdKey",
301 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&0\\CustomPropertyHwIdKey"
302
303
304* DNS Communications:
305
306 "type": "A",
307 "request": "warzo.duckdns.org",
308 "answers":
309
310 "data": "23.105.131.202",
311 "type": "A"
312
313
314
315
316
317* Domains:
318
319 "ip": "23.105.131.202",
320 "domain": "warzo.duckdns.org"
321
322
323
324* Network Communication - ICMP:
325
326* Network Communication - HTTP:
327
328* Network Communication - SMTP:
329
330* Network Communication - Hosts:
331
332 "country_name": "United States",
333 "ip": "23.105.131.202",
334 "inaddrarpa": "",
335 "hostname": "warzo.duckdns.org"
336
337
338
339* Network Communication - IRC: