o9jDrpZrgR.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample

Filetype: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 5.562432966697646
Filename: o9jDrpZrgR.exe
Filesize: 1622827
MD5: c256204deb01c77e21ba17b5e2411245
SHA1: 95ae7fb9f6710368e44a3c4e839d3d7bebbd4d5e
SHA256: f594822a45b8561a9b7a2e2ecf17558a692b1a193cf231617ba1b222723ca3ab
SHA512: f3e1f38c059ce56801382c6de631d7b90077fa77a2eb997906d2f6eef8dafe38ab041f023a11b27da41b87edb16484fb095e1053e4b01204412f3a586cd34c52
SSDEEP: 24576:2TbBv5rUyXVZJQCx441vcF3iE0npCoc1cQhWdB7in6D+6:IBJLQCvvcF3KpSu
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

Signature Hits | Behavior Group | Mitre Attack
Multi AV Scanner detection for submitted file | AV Detection |
Antivirus / Scanner detection for submitted sample | AV Detection |
Machine Learning detection for sample | AV Detection |
.NET source code contains potential unpacker | Data Obfuscation |
.NET source code contains very large strings | System Summary |
Contains functionality to query locales information (e.g. system language) | Language, Device and Operating System Detection |
Uses code obfuscation techniques (call, push, ret) | Data Obfuscation |
Found evasive API chain (date check) | Malware Analysis System Evasion |
Detected potential crypto function | System Summary |
Tries to load missing DLLs | System Summary |
Contains functionality to read the PEB | Anti Debugging |
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Uses 32bit PE files | Compliance, System Summary |
Contains functionality to check if a debugger is running (IsDebuggerPresent) | Anti Debugging |
PE file contains sections with non-standard names | Data Obfuscation |
Contains functionality to query CPU information (cpuid) | Language, Device and Operating System Detection |
Found potential string decryption / allocating functions | System Summary |
Contains functionality to communicate with device drivers | System Summary |
Contains functionality which may be used to detect a debugger (GetProcessHeap) | Anti Debugging |
Sample file name is different from the original file name gathered from version info | System Summary |
File is packed with WinRar | Data Obfuscation |
PE file has an executable .text section and no other executable section | System Summary |
Contains functionality to query local / system time | Language, Device and Operating System Detection |
Reads ini files | System Summary |
.NET source code contains many API calls related to security | System Summary |
Contains functionality for error logging | System Summary |
Contains functionality to load and extract PE file embedded resources | System Summary |
Program exit points | Malware Analysis System Evasion |
Sample is known by Antivirus | System Summary |
Sample reads its own file content | System Summary |
Contains functionality to query system information | Malware Analysis System Evasion |
Reads software policies | System Summary |
Contains functionality to enumerate / list files inside a directory | Spreading, Malware Analysis System Evasion | File and Directory Discovery
Uses an in-process (OLE) Automation server | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Parts of this application are using the .NET runtime (probably coded in C#) | System Summary |
.NET source code contains long base64-encoded strings | System Summary |
Contains functionality to query windows version | Language, Device and Operating System Detection |
Contains functionality to register its own exception handler | Anti Debugging |
Might use command line arguments | System Summary |
.NET source code contains calls to encryption/decryption functions | System Summary | Deobfuscate/Decode Files or Information
PE file contains a valid data directory to section mapping | System Summary |
PE file contains a debug data directory | System Summary |
Contains modern PE file flags such as dynamic base (ASLR) or NX | Compliance, System Summary |
PE file contains a mix of data directories often seen in goodware | System Summary |
Submission file is bigger than most known malware samples | System Summary |

C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe
Category: dropped
Dump: conhost.exe.5.dr
ID: dr_20
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.0586566573608085
Encrypted: false
Ssdeep: 24576:YJQCx441vcF3iE0npCoc1cQhWdB7in6D+:EQCvvcF3KpS
Size: 1300992
Whitelisted: false
Reputation: low

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Yara detected DCRat | Stealing of Sensitive Information, Remote Access Functionality |
Machine Learning detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |

C:\Program Files\Microsoft Office 15\ClientX64\qBJICEqiLNwXNBLrN.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Program Files\Microsoft Office 15\ClientX64\qBJICEqiLNwXNBLrN.exe
Category: dropped
Dump: qBJICEqiLNwXNBLrN.exe.5.dr
ID: dr_11
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.0586566573608085
Encrypted: false
Ssdeep: 24576:YJQCx441vcF3iE0npCoc1cQhWdB7in6D+:EQCvvcF3KpS
Size: 1300992
Whitelisted: false
Reputation: low

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Yara detected DCRat | Stealing of Sensitive Information, Remote Access Functionality |
Machine Learning detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |
Creates files inside the program directory | System Summary |
Creates a directory in C:\Program Files | Compliance, System Summary |

C:\Recovery\qBJICEqiLNwXNBLrN.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Recovery\qBJICEqiLNwXNBLrN.exe
Category: dropped
Dump: qBJICEqiLNwXNBLrN.exe1.5.dr
ID: dr_22
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.0586566573608085
Encrypted: false
Ssdeep: 24576:YJQCx441vcF3iE0npCoc1cQhWdB7in6D+:EQCvvcF3KpS
Size: 1300992
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |

C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\qBJICEqiLNwXNBLrN.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\qBJICEqiLNwXNBLrN.exe
Category: dropped
Dump: qBJICEqiLNwXNBLrN.exe2.5.dr
ID: dr_24
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.0586566573608085
Encrypted: false
Ssdeep: 24576:YJQCx441vcF3iE0npCoc1cQhWdB7in6D+:EQCvvcF3KpS
Size: 1300992
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |

C:\Users\user\AppData\Local\Temp\XJsEcPfXWC.bat | DOS batch file, ASCII text, with CRLF line terminators | dropped

File: C:\Users\user\AppData\Local\Temp\XJsEcPfXWC.bat
Category: dropped
Dump: XJsEcPfXWC.bat.5.dr
ID: dr_27
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: DOS batch file, ASCII text, with CRLF line terminators
Entropy: 5.175572355642595
Encrypted: false
Ssdeep: 3:mKDDVNGvTVLuVFcROr+jn9m1U9lEwYAfNHyBktKcKZG1Ukh4E2J5xAI+p4H:hCRLuVFOOr+DE1olSKOZG1923f+pK
Size: 175
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Spawns processes | System Summary |

C:\Users\user\Contacts\qBJICEqiLNwXNBLrN.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Contacts\qBJICEqiLNwXNBLrN.exe
Category: dropped
Dump: qBJICEqiLNwXNBLrN.exe0.5.dr
ID: dr_18
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.0586566573608085
Encrypted: false
Ssdeep: 24576:YJQCx441vcF3iE0npCoc1cQhWdB7in6D+:EQCvvcF3KpS
Size: 1300992
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) | Malware Analysis System Evasion | System Information Discovery, Security Software Discovery, Virtualization/Sandbox Evasion
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI) | Lowering of HIPS / PFW / Operating System Security Settings | Security Software Discovery, Windows Management Instrumentation
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Enables debug privileges | Anti Debugging |
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Malware Analysis System Evasion | System Information Discovery, Windows Management Instrumentation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines) | Malware Analysis System Evasion | System Information Discovery, Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Checks the free space of harddrives | Malware Analysis System Evasion | System Information Discovery
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates mutexes | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Parts of this application are using the .NET runtime (probably coded in C#) | System Summary |
Queries process information (via WMI, Win32_Process) | System Summary | System Information Discovery, Windows Management Instrumentation
Spawns processes | System Summary |
Uses Microsoft Silverlight | System Summary |

C:\Users\user\Desktop\BfMGYDNR.log | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Desktop\BfMGYDNR.log
Category: dropped
Dump: BfMGYDNR.log.12.dr
ID: dr_33
Target ID: 12
Process: C:\Users\user\Contacts\qBJICEqiLNwXNBLrN.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.541771649974822
Encrypted: false
Ssdeep: 768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
Size: 33792
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\BhRGcQzx.log | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Desktop\BhRGcQzx.log
Category: dropped
Dump: BhRGcQzx.log.5.dr
ID: dr_6
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.660491370279985
Encrypted: false
Ssdeep: 768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
Size: 39936
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\BnwYCmoX.log | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Desktop\BnwYCmoX.log
Category: dropped
Dump: BnwYCmoX.log.12.dr
ID: dr_38
Target ID: 12
Process: C:\Users\user\Contacts\qBJICEqiLNwXNBLrN.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.932541123129161
Encrypted: false
Ssdeep: 1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
Size: 69632
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\ESwXjeKp.log | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Desktop\ESwXjeKp.log
Category: dropped
Dump: ESwXjeKp.log.5.dr
ID: dr_3
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.857602289000348
Encrypted: false
Ssdeep: 768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
Size: 64000
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\GVjFENOl.log | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Desktop\GVjFENOl.log
Category: dropped
Dump: GVjFENOl.log.5.dr
ID: dr_10
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.519109060441589
Encrypted: false
Ssdeep: 384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
Size: 23552
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Machine Learning detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\GbOXfjDL.log | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Desktop\GbOXfjDL.log
Category: dropped
Dump: GbOXfjDL.log.12.dr
ID: dr_42
Target ID: 12
Process: C:\Users\user\Contacts\qBJICEqiLNwXNBLrN.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.870612048031897
Encrypted: false
Ssdeep: 768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
Size: 46592
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Machine Learning detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\HJnNqbKj.log | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Desktop\HJnNqbKj.log
Category: dropped
Dump: HJnNqbKj.log.5.dr
ID: dr_14
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.8769270258874755
Encrypted: false
Ssdeep: 1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
Size: 85504
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\KWPomPtF.log | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Desktop\KWPomPtF.log
Category: dropped
Dump: KWPomPtF.log.12.dr
ID: dr_37
Target ID: 12
Process: C:\Users\user\Contacts\qBJICEqiLNwXNBLrN.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.8769270258874755
Encrypted: false
Ssdeep: 1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
Size: 85504
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\MTqwIPIz.log | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Desktop\MTqwIPIz.log
Category: dropped
Dump: MTqwIPIz.log.12.dr
ID: dr_32
Target ID: 12
Process: C:\Users\user\Contacts\qBJICEqiLNwXNBLrN.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.629584586954759
Encrypted: false
Ssdeep: 768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
Size: 39936
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\NBQmTGPX.log | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Desktop\NBQmTGPX.log
Category: dropped
Dump: NBQmTGPX.log.5.dr
ID: dr_17
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.618776214605176
Encrypted: false
Ssdeep: 768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
Size: 34304
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\QJNvoZJT.log | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Desktop\QJNvoZJT.log
Category: dropped
Dump: QJNvoZJT.log.5.dr
ID: dr_9
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.909536568846014
Encrypted: false
Ssdeep: 1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
Size: 70144
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\SoilvDeL.log | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Desktop\SoilvDeL.log
Category: dropped
Dump: SoilvDeL.log.5.dr
ID: dr_5
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.636032516496583
Encrypted: false
Ssdeep: 384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
Size: 34816
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\XieCzWia.log | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Desktop\XieCzWia.log
Category: dropped
Dump: XieCzWia.log.12.dr
ID: dr_41
Target ID: 12
Process: C:\Users\user\Contacts\qBJICEqiLNwXNBLrN.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.857602289000348
Encrypted: false
Ssdeep: 768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
Size: 64000
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\eOLjNPjM.log | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Desktop\eOLjNPjM.log
Category: dropped
Dump: eOLjNPjM.log.12.dr
ID: dr_36
Target ID: 12
Process: C:\Users\user\Contacts\qBJICEqiLNwXNBLrN.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.631194486392901
Encrypted: false
Ssdeep: 384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
Size: 32256
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\eQQkRcVr.log | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Desktop\eQQkRcVr.log
Category: dropped
Dump: eQQkRcVr.log.5.dr
ID: dr_13
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.631194486392901
Encrypted: false
Ssdeep: 384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
Size: 32256
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Creates files inside the user directory | System Summary |

C:\Users\user\Desktop\egSCbkdO.log | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Desktop\egSCbkdO.log
Category: dropped
Dump: egSCbkdO.log.12.dr
ID: dr_31
Target ID: 12
Process: C:\Users\user\Contacts\qBJICEqiLNwXNBLrN.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.660491370279985
Encrypted: false
Ssdeep: 768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
Size: 39936
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\fNssmckm.log | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Desktop\fNssmckm.log
Category: dropped
Dump: fNssmckm.log.5.dr
ID: dr_16
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.679286635687991
Encrypted: false
Ssdeep: 768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
Size: 38912
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Machine Learning detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\gRySjyoH.log | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Desktop\gRySjyoH.log
Category: dropped
Dump: gRySjyoH.log.12.dr
ID: dr_40
Target ID: 12
Process: C:\Users\user\Contacts\qBJICEqiLNwXNBLrN.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.618776214605176
Encrypted: false
Ssdeep: 768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
Size: 34304
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\hLTAIczh.log | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Desktop\hLTAIczh.log
Category: dropped
Dump: hLTAIczh.log.5.dr
ID: dr_8
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.541771649974822
Encrypted: false
Ssdeep: 768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
Size: 33792
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\jTkAEhsC.log | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\Desktop\jTkAEhsC.log
Category: dropped
Dump: jTkAEhsC.log.12.dr
ID: dr_35
Target ID: 12
Process: C:\Users\user\Contacts\qBJICEqiLNwXNBLrN.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.519109060441589
Encrypted: false
Ssdeep: 384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
Size: 23552
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Machine Learning detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\lGVRPIpa.log
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
dropped

File: C:\Users\user\Desktop\lGVRPIpa.log
Category: dropped
Dump: lGVRPIpa.log.5.dr
ID: dr_4
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.870612048031897
Encrypted: false
Ssdeep: 768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
Size: 46592
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Machine Learning detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\pwLIWFpU.log
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
dropped

File: C:\Users\user\Desktop\pwLIWFpU.log
Category: dropped
Dump: pwLIWFpU.log.5.dr
ID: dr_15
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.932541123129161
Encrypted: false
Ssdeep: 1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
Size: 69632
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\qtmQsFEO.log
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
dropped

File: C:\Users\user\Desktop\qtmQsFEO.log
Category: dropped
Dump: qtmQsFEO.log.5.dr
ID: dr_7
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.629584586954759
Encrypted: false
Ssdeep: 768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
Size: 39936
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\sCEQoKxk.log
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
dropped

File: C:\Users\user\Desktop\sCEQoKxk.log
Category: dropped
Dump: sCEQoKxk.log.12.dr
ID: dr_34
Target ID: 12
Process: C:\Users\user\Contacts\qBJICEqiLNwXNBLrN.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.909536568846014
Encrypted: false
Ssdeep: 1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
Size: 70144
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\vnjhvXId.log
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
dropped

File: C:\Users\user\Desktop\vnjhvXId.log
Category: dropped
Dump: vnjhvXId.log.12.dr
ID: dr_30
Target ID: 12
Process: C:\Users\user\Contacts\qBJICEqiLNwXNBLrN.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.636032516496583
Encrypted: false
Ssdeep: 384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
Size: 34816
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\Desktop\zdaXCUIW.log
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
dropped

File: C:\Users\user\Desktop\zdaXCUIW.log
Category: dropped
Dump: zdaXCUIW.log.12.dr
ID: dr_39
Target ID: 12
Process: C:\Users\user\Contacts\qBJICEqiLNwXNBLrN.exe
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.679286635687991
Encrypted: false
Ssdeep: 768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
Size: 38912
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
dropped

File: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Category: dropped
Dump: BlockrefBrokerperf.exe.0.dr
ID: dr_0
Target ID: 0
Process: C:\Users\user\Desktop\o9jDrpZrgR.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.0586566573608085
Encrypted: false
Ssdeep: 24576:YJQCx441vcF3iE0npCoc1cQhWdB7in6D+:EQCvvcF3KpS
Size: 1300992
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Yara detected DCRat | Stealing of Sensitive Information, Remote Access Functionality |
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Enables debug privileges | Anti Debugging |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Found inlined nop instructions (likely shell or obfuscated code) | Software Vulnerabilities | Obfuscated Files or Information
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Checks the free space of harddrives | Malware Analysis System Evasion | System Information Discovery
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates files inside the program directory | System Summary |
Creates files inside the user directory | System Summary |
Creates guard pages, often used to prevent reverse engineering and debugging | Anti Debugging |
Creates temporary files | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Enumerates the file system | Spreading, Malware Analysis System Evasion | File and Directory Discovery
Parts of this application are using the .NET runtime (Probably coded in C#) | System Summary |
Queries a list of all running processes | Malware Analysis System Evasion |
Spawns processes | System Summary |
Creates a directory in C:\Program Files | Compliance, System Summary |

C:\Program Files (x86)\Microsoft.NET\RedistList\088424020bedd6
ASCII text, with very long lines (881), with no line terminators
dropped

File: C:\Program Files (x86)\Microsoft.NET\RedistList\088424020bedd6
Category: dropped
Dump: 088424020bedd6.5.dr
ID: dr_21
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: ASCII text, with very long lines (881), with no line terminators
Entropy: 5.900735913753077
Encrypted: false
Ssdeep: 24:1Y3GTX7pFBlH/ymgRYcqN4mYuRQK2abdfWuGyIsNNCqQO:gYX7pzx/ymbcA4mYu2gVIiNjQO
Size: 881
Whitelisted: false
Reputation: low

C:\Program Files\Microsoft Office 15\ClientX64\9bce06a9fec5b2
ASCII text, with very long lines (819), with no line terminators
dropped

File: C:\Program Files\Microsoft Office 15\ClientX64\9bce06a9fec5b2
Category: dropped
Dump: 9bce06a9fec5b2.5.dr
ID: dr_12
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: ASCII text, with very long lines (819), with no line terminators
Entropy: 5.889288515938023
Encrypted: false
Ssdeep: 12:MTMEng4c8lklC6j5qLCumELxLYwwCcbuUTwjmCT1ERlcIxP1AUzmKA0Qm6L2n:MTMEnnRilCFmuswrcbNEXSxOq0k
Size: 819
Whitelisted: false
Reputation: low

Signature Hits | Behavior Group | Mitre Attack
Creates a directory in C:\Program Files | Compliance, System Summary |

C:\Recovery\9bce06a9fec5b2
ASCII text, with no line terminators
dropped

File: C:\Recovery\9bce06a9fec5b2
Category: dropped
Dump: 9bce06a9fec5b21.5.dr
ID: dr_23
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: ASCII text, with no line terminators
Entropy: 5.756222698628844
Encrypted: false
Ssdeep: 3:cCaa2dMZfGVF0Cdw7zHYQ/EgWSX8FqmRCdxueUuA8auSt+W8NXeSwNaIIiV:cCH2dMZ+P0CS7zd/aSX8Fq7f4d+B68s
Size: 197
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BlockrefBrokerperf.exe.log
ASCII text, with CRLF line terminators
modified

File: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BlockrefBrokerperf.exe.log
Category: modified
Dump: BlockrefBrokerperf.exe.log.5.dr
ID: dr_28
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: ASCII text, with CRLF line terminators
Entropy: 5.367720686892084
Encrypted: false
Ssdeep: 48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHVHmHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkt1GqZ4x
Size: 1698
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\9bce06a9fec5b2
ASCII text, with very long lines (696), with no line terminators
dropped

File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\9bce06a9fec5b2
Category: dropped
Dump: 9bce06a9fec5b22.5.dr
ID: dr_25
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: ASCII text, with very long lines (696), with no line terminators
Entropy: 5.900633508358525
Encrypted: false
Ssdeep: 12:HpxwWUaiD2/KsY8o6JdxGez9emf0uYW9n2am0X6UWsjCWgrL5Ey3RUIKj:HgWUnjEoEdx/omfY30XHWUCzrLyaUhj
Size: 696
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\nltb4WKmeR
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\nltb4WKmeR
Category: dropped
Dump: nltb4WKmeR.5.dr
ID: dr_26
Target ID: 5
Process: C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
Type: ASCII text, with no line terminators
Entropy: 4.133660689688186
Encrypted: false
Ssdeep: 3:zPhN9K4vtyQgn:jh2441
Size: 25
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Creates temporary files | System Summary |

C:\Users\user\Contacts\9bce06a9fec5b2
ASCII text, with very long lines (744), with no line terminators
dropped

File: C:\Users\user\Contacts\9bce06a9fec5b2
Category: dropped
Dump: 9bce06a9fec5b20.5.dr
ID: dr_19
Target ID: 5
