SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
initial sample

Filetype: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.7638612229070745
Filename: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Filesize: 743424
MD5: 2d291baedb79ee55daa67417103f0905
SHA1: 810f2f9576976b3e68a610fbe2797b148c82766c
SHA256: 0df39b8c26a1b395b2389908f7dc4781aabba0aa10f4642baf46b8f1a9e2c426
SHA512: 3e5883a3232e43797744d377712fe77b5cbc750d83f983c33a2fa190fa9347de812d01153ba7e380e60f0e9cf853974d3906891a138b59d43822673b46370203
SSDEEP: 12288:xB3ZyDQWn9D5M/ANhqLcAofNy+Vr1QP7/rJFaOG9MjuLeBaVkI6omZu:xB3Z4QU9JqqVxQZ4j9Mjy0aVCRZu
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6.e..............0..........................@.. ....................................@................................

Signature Hits | Behavior Group | Mitre Attack
Malicious sample detected (through community Yara rule) | System Summary |
Multi AV Scanner detection for submitted file | AV Detection |
.NET source code contains potential unpacker | Data Obfuscation |
.NET source code contains very large array initializations | System Summary |
Adds a directory exclusion to Windows Defender | HIPS / PFW / Operating System Protection Evasion |
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) | Anti Debugging | Security Software Discovery
Contains functionality to log keystrokes (.Net Source) | Key, Mouse, Clipboard, Microphone and Screen Capturing |
Injects a PE file into a foreign process | HIPS / PFW / Operating System Protection Evasion |
Machine Learning detection for sample | AV Detection |
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Malware Analysis System Evasion |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) | Malware Analysis System Evasion |
Tries to steal Mail credentials (via file / registry access) | Stealing of Sensitive Information |
Uses schtasks.exe or at.exe to add and modify task schedules | Boot Survival |
Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Checks if the current process is being debugged | Anti Debugging |
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion |
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Detected potential crypto function | System Summary |
Drops PE files | Persistence and Installation Behavior |
Enables debug privileges | Anti Debugging |
Found inlined nop instructions (likely shell or obfuscated code) | Software Vulnerabilities |
May sleep (evasive loops) to hinder dynamic analysis | Malware Analysis System Evasion |
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Malware Analysis System Evasion |
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Sample file is different than original file name gathered from version info | System Summary |
Tries to load missing DLLs | System Summary |
Uses 32bit PE files | Compliance, System Summary |
Uses code obfuscation techniques (call, push, ret) | Data Obfuscation | Obfuscated Files or Information
Yara signature match | System Summary |
Binary may include packed or encrypted code | Data Obfuscation |
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3) | System Summary |
.NET source code contains calls to encryption/decryption functions | System Summary | Deobfuscate/Decode Files or Information
.NET source code contains many API calls related to security | System Summary |
.NET source code contains many randomly named methods | Data Obfuscation |
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion |
Creates files inside the user directory | System Summary |
Creates guard pages, often used to prevent reverse engineering and debugging | Anti Debugging |
Creates temporary files | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
PE file has an executable .text section and no other executable section | System Summary |
Parts of this application are using the .NET runtime (Probably coded in C#) | System Summary |
Queries a list of all running processes | Malware Analysis System Evasion |
Queries process information (via WMI, Win32_Process) | System Summary | Windows Management Instrumentation
Queries the cryptographic machine GUID | Language, Device and Operating System Detection |
Reads ini files | System Summary | File and Directory Discovery, Security Software Discovery
Reads software policies | System Summary |
Sample is known by Antivirus | System Summary |
Sample reads its own file content | System Summary |
URLs found in memory or binary data | Networking |
Uses an in-process (OLE) Automation server | System Summary |
PE file contains a debug data directory | System Summary |
Contains modern PE file flags such as dynamic base (ASLR) or NX | Compliance, System Summary |
Checks if Microsoft Office is installed | System Summary |
PE file contains a COM descriptor data directory | System Summary | Security Software Discovery
Uses Microsoft Silverlight | System Summary |

C:\Users\user\AppData\Local\Temp\tmp9C71.tmp
XML 1.0 document, ASCII text
dropped

File: C:\Users\user\AppData\Local\Temp\tmp9C71.tmp
Category: dropped
Dump: tmp9C71.tmp.0.dr
ID: dr_3
Target ID: 0
Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Type: XML 1.0 document, ASCII text
Entropy: 5.097049290187453
Encrypted: false
Ssdeep: 24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtFNxvn:cgergYrFdOFzOzN33ODOiDdKrsuTFTv
Size: 1579
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Sigma detected: Scheduled temp file as task from temp location | Persistence and Installation Behavior |
Uses schtasks.exe or at.exe to add and modify task schedules | Boot Survival |
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Sigma detected: Suspicious Schtasks From Env Var Folder | System Summary |
Creates temporary files | System Summary |
Spawns processes | System Summary |

C:\Users\user\AppData\Roaming\lnYkIr.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
dropped

File: C:\Users\user\AppData\Roaming\lnYkIr.exe
Category: dropped
Dump: lnYkIr.exe.0.dr
ID: dr_2
Target ID: 0
Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.7638612229070745
Encrypted: false
Ssdeep: 12288:xB3ZyDQWn9D5M/ANhqLcAofNy+Vr1QP7/rJFaOG9MjuLeBaVkI6omZu:xB3Z4QU9JqqVxQZ4j9Mjy0aVCRZu
Size: 743424
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Adds a directory exclusion to Windows Defender | HIPS / PFW / Operating System Protection Evasion |
Injects a PE file into a foreign process | HIPS / PFW / Operating System Protection Evasion |
Machine Learning detection for dropped file | AV Detection |
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Tries to harvest and steal browser information (history, passwords, etc) | Stealing of Sensitive Information |
Tries to steal Mail credentials (via file / registry access) | Stealing of Sensitive Information |
Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Checks if the current process is being debugged | Anti Debugging | Security Software Discovery, Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Drops PE files | Persistence and Installation Behavior |
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion |
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Malware Analysis System Evasion | System Information Discovery, Windows Management Instrumentation
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Sigma detected: Suspicious Add Scheduled Task Parent | System Summary |
Tries to load missing DLLs | System Summary |
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates files inside the user directory | System Summary |
Creates mutexes | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Queries process information (via WMI, Win32_Process) | System Summary | System Information Discovery, Windows Management Instrumentation
Spawns processes | System Summary |

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.log
ASCII text, with CRLF line terminators
dropped

File: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.log
Category: dropped
Dump: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.log.0.dr
ID: dr_0
Target ID: 0
Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Type: ASCII text, with CRLF line terminators
Entropy: 5.34331486778365
Encrypted: false
Ssdeep: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size: 1216
Whitelisted: false
Reputation: high

Signature Hits | Behavior Group | Mitre Attack
Multi AV Scanner detection for submitted file | AV Detection |
Machine Learning detection for sample | AV Detection |
Sample file is different than original file name gathered from version info | System Summary |
Uses 32bit PE files | Compliance, System Summary |
Binary may include packed or encrypted code | Data Obfuscation | Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3) | System Summary |
PE file has an executable .text section and no other executable section | System Summary |
Parts of this application are using the .NET runtime (Probably coded in C#) | System Summary |
Sample is known by Antivirus | System Summary |
PE file contains a debug data directory | System Summary |
Contains modern PE file flags such as dynamic base (ASLR) or NX | Compliance, System Summary |
PE file contains a COM descriptor data directory | System Summary |

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lnYkIr.exe.log
ASCII text, with CRLF line terminators
dropped

File: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lnYkIr.exe.log
Category: dropped
Dump: lnYkIr.exe.log.10.dr
ID: dr_13
Target ID: 10
Process: C:\Users\user\AppData\Roaming\lnYkIr.exe
Type: ASCII text, with CRLF line terminators
Entropy: 5.34331486778365
Encrypted: false
Ssdeep: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size: 1216
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
dropped

File: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category: dropped
Dump: StartupProfileData-NonInteractive.3.dr
ID: dr_6
Target ID: 3
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: data
Entropy: 5.379460230152629
Encrypted: false
Ssdeep: 48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:fLHyIFKL3IZ2KRH9Oug8s
Size: 2232
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bzuq32ob.u1b.ps1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bzuq32ob.u1b.ps1
Category: dropped
Dump: __PSScriptPolicyTest_bzuq32ob.u1b.ps1.3.dr
ID: dr_7
Target ID: 3
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fv5xasf4.rpi.psm1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fv5xasf4.rpi.psm1
Category: dropped
Dump: __PSScriptPolicyTest_fv5xasf4.rpi.psm1.5.dr
ID: dr_10
Target ID: 5
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ga4hat10.ybz.psm1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ga4hat10.ybz.psm1
Category: dropped
Dump: __PSScriptPolicyTest_ga4hat10.ybz.psm1.3.dr
ID: dr_5
Target ID: 3
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i5tjpzaf.s5s.psm1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i5tjpzaf.s5s.psm1
Category: dropped
Dump: __PSScriptPolicyTest_i5tjpzaf.s5s.psm1.3.dr
ID: dr_8
Target ID: 3
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nlawgkar.oii.ps1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nlawgkar.oii.ps1
Category: dropped
Dump: __PSScriptPolicyTest_nlawgkar.oii.ps1.5.dr
ID: dr_11
Target ID: 5
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ny3uspx2.xmw.psm1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ny3uspx2.xmw.psm1
Category: dropped
Dump: __PSScriptPolicyTest_ny3uspx2.xmw.psm1.5.dr
ID: dr_12
Target ID: 5
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rhe4w4cg.g22.ps1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rhe4w4cg.g22.ps1
Category: dropped
Dump: __PSScriptPolicyTest_rhe4w4cg.g22.ps1.3.dr
ID: dr_4
Target ID: 3
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xqq2bpia.wp5.ps1
ASCII text, with no line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xqq2bpia.wp5.ps1
Category: dropped
Dump: __PSScriptPolicyTest_xqq2bpia.wp5.ps1.5.dr
ID: dr_9
Target ID: 5
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\tmpADC6.tmp
XML 1.0 document, ASCII text
dropped

File: C:\Users\user\AppData\Local\Temp\tmpADC6.tmp
Category: dropped
Dump: tmpADC6.tmp.10.dr
ID: dr_14
Target ID: 10
Process: C:\Users\user\AppData\Roaming\lnYkIr.exe
Type: XML 1.0 document, ASCII text
Entropy: 5.097049290187453
Encrypted: false
Ssdeep: 24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtFNxvn:cgergYrFdOFzOzN33ODOiDdKrsuTFTv
Size: 1579
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Sigma detected: Suspicious Add Scheduled Task Parent | System Summary |
Spawns processes | System Summary |

C:\Users\user\AppData\Roaming\lnYkIr.exe:Zone.Identifier
ASCII text, with CRLF line terminators
dropped

File: C:\Users\user\AppData\Roaming\lnYkIr.exe:Zone.Identifier
Category: dropped
Dump: lnYkIr.exe_Zone.Identifier.0.dr
ID: dr_1
Target ID: 0
Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Type: ASCII text, with CRLF line terminators
Entropy: 3.95006375643621
Encrypted: false
Ssdeep: 3:ggPYV:rPYV
Size: 26
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Injects a PE file into a foreign process | HIPS / PFW / Operating System Protection Evasion |
Machine Learning detection for dropped file | AV Detection |
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Tries to harvest and steal browser information (history, passwords, etc) | Stealing of Sensitive Information |
Tries to steal Mail credentials (via file / registry access) | Stealing of Sensitive Information |
Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Checks if the current process is being debugged | Anti Debugging | Security Software Discovery, Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion |
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Malware Analysis System Evasion | System Information Discovery, Windows Management Instrumentation
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Tries to load missing DLLs | System Summary |
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates mutexes | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Queries process information (via WMI, Win32_Process) | System Summary | System Information Discovery, Windows Management Instrumentation
Spawns processes | System Summary |