Automated Malware Analysis IOC Report for

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.809562114075596
Filename:	$RWRW8GN.exe
Filesize:	3226240
MD5:	5857fbba8e5ac8092ba198aa3dfc9fe6
SHA1:	fa75a8c5ba95375ce13fb471e374b073e13ca48b
SHA256:	11bb618d3843c92fb351fbd30df08971b6385d69e9a9b6e558a8db274af4e087
SHA512:	ad284ef0d069ffcee47b750833185fc3f9a1eef07f318eb73c67867b3dc87cae0a81ae3f378831f82d17ceddd14c9348df82556af0369508a5b0a1ca59f32041
SSDEEP:	98304:DSih4opH4opH4op4U9tNz9TC0rGa/xlbLP/h8:9DBDBD1tqAHbba
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary	Masquerading
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\CheatEngine74.exe (copy)
Category:	dropped
Dump:	is-98J8H.tmp.2.dr
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for dropped file	AV Detection	Security Software Discovery

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\_isetup\_setup64.tmp
Category:	dropped
Dump:	_setup64.tmp.2.dr
ID:	dr_6
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	4.720366600008286
Encrypted:	false
Size:	6144
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\botva2.dll
Category:	dropped
Dump:	botva2.dll.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.216405702855349
Encrypted:	false
Size:	37888
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\is-98J8H.tmp
Category:	dropped
Dump:	is-98J8H.tmp.2.dr
ID:	dr_12
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.9936530066806135
Encrypted:	true
Size:	24244632
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\is-M41BH.tmp
Category:	dropped
Dump:	is-M41BH.tmp.2.dr
ID:	dr_8
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.107549282306921
Encrypted:	false
Size:	45608
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0 (copy)
Category:	dropped
Dump:	is-M41BH.tmp.2.dr
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe (copy)
Category:	dropped
Dump:	is-M41BH.tmp.2.dr
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Enables debug privileges	Anti Debugging
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Tries to load missing DLLs	System Summary	DLL Side-Loading

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod1_extract\saBSI.exe
Category:	dropped
Dump:	saBSI.exe.2.dr
ID:	dr_11
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.623147525519113
Encrypted:	false
Size:	1184128
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\zbShieldUtils.dll
Category:	dropped
Dump:	zbShieldUtils.dll.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.6100200574741494
Encrypted:	false
Size:	2060288
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Category:	dropped
Dump:	$RWRW8GN.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\$RWRW8GN.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.393838872890634
Encrypted:	false
Size:	3014144
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
query blbeacon for getting browser version	System Summary	Software
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads the Windows registered organization settings	System Summary	System Owner/User Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Executable creates window controls seldom found in malware	System Summary
Uses Rich Edit Controls	System Summary
Reads the Windows registered owner settings	System Summary	System Owner/User Discovery

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\AVG_BRW.png (copy)
Category:	dropped
Dump:	is-5O4U5.tmp.2.dr
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	PNG image data, 547 x 280, 8-bit/color RGBA, non-interlaced
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\RAV_Cross.png (copy)
Category:	dropped
Dump:	is-JM3L4.tmp.2.dr
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\WebAdvisor.png (copy)
Category:	dropped
Dump:	is-LNRJO.tmp.2.dr
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\is-5O4U5.tmp
Category:	dropped
Dump:	is-5O4U5.tmp.2.dr
ID:	dr_7
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	PNG image data, 547 x 280, 8-bit/color RGBA, non-interlaced
Entropy:	7.9807583617034075
Encrypted:	false
Size:	47501
Whitelisted:	false

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\is-8IG6P.tmp
Category:	dropped
Dump:	is-8IG6P.tmp.2.dr
ID:	dr_9
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	7.995975187354872
Encrypted:	true
Size:	527389
Whitelisted:	false

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\is-JM3L4.tmp
Category:	dropped
Dump:	is-JM3L4.tmp.2.dr
ID:	dr_4
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced
Entropy:	7.973739579566582
Encrypted:	false
Size:	75974
Whitelisted:	false

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\is-LNRJO.tmp
Category:	dropped
Dump:	is-LNRJO.tmp.2.dr
ID:	dr_5
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced
Entropy:	7.952703392311964
Encrypted:	false
Size:	48743
Whitelisted:	false

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\is-O9CCD.tmp
Category:	dropped
Dump:	is-O9CCD.tmp.2.dr
ID:	dr_10
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	7.999961326921834
Encrypted:	true
Size:	5627619
Whitelisted:	false

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\logo.png
Category:	dropped
Dump:	logo.png.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	PNG image data, 768 x 768, 8-bit/color RGBA, non-interlaced
Entropy:	7.933893788279908
Encrypted:	false
Size:	264312
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod1 (copy)
Category:	dropped
Dump:	is-8IG6P.tmp.2.dr
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod1.zip (copy)
Category:	dropped
Dump:	is-8IG6P.tmp.2.dr
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Details

File:	C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod2 (copy)
Category:	dropped
Dump:	is-O9CCD.tmp.2.dr
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp
Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
$RWRW8GN.exe

Files

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report$RWRW8GN.exe

Files

Domains

IPs

IOC Report
$RWRW8GN.exe