a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
initial sample

Filetype: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 6.310946870957033
Filename: a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Filesize: 186368
MD5: 3cd180f72198597215cab492c109f5a0
SHA1: 01ceb31bfcb1f5d6eefffa5bf1c6cb891ca6dd75
SHA256: 5ad0e5d670206288abccd95bb0e3ff1ee9a889b49423cb5160c7c59912991a0d
SHA512: 2e9380e3d4baff0c090421c2da0498494ee4fe4841febe3b0517bf7bfdc319a52e89b172698d8e174bd983724d97965952568d56484cdf04024846c928f54fa2
SSDEEP: 3072:Qiyi/SfJhUwLibCxNKBC6y8WyQQF1h7NOwUPfbldFw0t+Z0vhAVfEgr2Csy5rilr:ZbShBLWANKrBWyt3ZOwUPfbldFw0t+ZA
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M..!..`r..`r..`rf..r..`rf..r2.`r...r..`r...r..`r..as..`r..ar..`rf..r!.`rf..r..`rRich..`r................PE..L...A..f...........

Signature Hits | Behavior Group | Mitre Attack
Found malware configuration | AV Detection |
Multi AV Scanner detection for submitted file | AV Detection |
Contains functionality to inject code into remote processes | HIPS / PFW / Operating System Protection Evasion |
Found many strings related to Crypto-Wallets (likely being stolen) | Stealing of Sensitive Information |
Searches for specific processes (likely to inject) | HIPS / PFW / Operating System Protection Evasion | Security Software Discovery
Tries to harvest and steal Bitcoin Wallet information | Stealing of Sensitive Information | Security Software Discovery
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Stealing of Sensitive Information |
Tries to harvest and steal ftp login credentials | Stealing of Sensitive Information |
Tries to steal Crypto Currency Wallets | Stealing of Sensitive Information | Windows Management Instrumentation, Security Software Discovery
AV process strings found (often used to terminate AV products) | Lowering of HIPS / PFW / Operating System Security Settings |
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI) | Lowering of HIPS / PFW / Operating System Security Settings | Windows Management Instrumentation
Contains functionality to call native functions | System Summary |
Contains functionality to check if a debugger is running (IsDebuggerPresent) | Anti Debugging |
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging | Anti Debugging |
Contains functionality to dynamically determine API calls | Data Obfuscation, Anti Debugging |
Contains functionality to open a port and listen for incoming connection (possibly a backdoor) | Remote Access Functionality |
Contains functionality to query CPU information (cpuid) | Language, Device and Operating System Detection |
Contains functionality to query locales information (e.g. system language) | Language, Device and Operating System Detection |
Contains functionality to read the PEB | Anti Debugging |
Contains functionality which may be used to detect a debugger (GetProcessHeap) | Anti Debugging | Security Software Discovery
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Detected potential crypto function | System Summary |
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |
Extensive use of GetProcAddress (often used to hide API calls) | Hooking and other Techniques for Hiding and Protection |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion | Security Software Discovery
Found large amount of non-executed APIs | Malware Analysis System Evasion |
Monitors certain registry keys / values for changes (often done to protect autostart functionality) | Hooking and other Techniques for Hiding and Protection |
Queries information about the installed CPU (vendor, model number etc) | Language, Device and Operating System Detection | File and Directory Discovery
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Sample file is different than original file name gathered from version info | System Summary |
Uses 32bit PE files | Compliance, System Summary |
Uses Microsoft's Enhanced Cryptographic Provider | Cryptography |
Uses code obfuscation techniques (call, push, ret) | Data Obfuscation |
Checks the free space of harddrives | Malware Analysis System Evasion |
Contains functionality for error logging | System Summary |
Contains functionality to download additional files from the internet | Networking |
Contains functionality to enum processes or threads | System Summary |
Contains functionality to enumerate / list files inside a directory | Spreading, Malware Analysis System Evasion | File and Directory Discovery
Contains functionality to instantiate COM classes | System Summary |
Contains functionality to modify the execution of threads in other processes | | Security Software Discovery
Contains functionality to query local / system time | Language, Device and Operating System Detection |
Contains functionality to query local drives | Spreading, Malware Analysis System Evasion |
Contains functionality to query system information | Malware Analysis System Evasion |
Contains functionality to query the account / user name | Language, Device and Operating System Detection | System Owner/User Discovery
Contains functionality to query time zone information | Language, Device and Operating System Detection |
Contains functionality to register its own exception handler | Anti Debugging |
Creates files inside the user directory | System Summary |
Creates guard pages, often used to prevent reverse engineering and debugging | Anti Debugging |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Enumerates the file system | Spreading, Malware Analysis System Evasion |
PE file has an executable .text section and no other executable section | System Summary |
Program exit points | Malware Analysis System Evasion |
Queries a list of all running processes | Malware Analysis System Evasion |
Queries the cryptographic machine GUID | Language, Device and Operating System Detection |
Reads ini files | System Summary |
Reads software policies | System Summary |
SQL strings found in memory and binary data | System Summary | File and Directory Discovery
Sample is known by Antivirus | System Summary |
Tries to load missing DLLs | System Summary |
URLs found in memory or binary data | Networking |
Uses an in-process (OLE) Automation server | System Summary |

C:\ProgramData\EHDHIDAEHC.exe
dropped

File: C:\ProgramData\EHDHIDAEHC.exe
Category: dropped
Dump: EHDHIDAEHC.exe.0.dr
ID: dr_3
Target ID: 0
Process: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.080918121113332
Encrypted: false
Ssdeep: 98304:rTuq7CQXa0LJ2aMhpxnbUO6PsJrq6GnRHhPf6:mQXa0LP6pxbAPyWRd
Size: 5140480
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Allocates memory in foreign processes | HIPS / PFW / Operating System Protection Evasion |
Injects a PE file into a foreign processes | HIPS / PFW / Operating System Protection Evasion |
Machine Learning detection for dropped file | AV Detection |
Writes to foreign memory regions | HIPS / PFW / Operating System Protection Evasion |
Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |
Enables debug privileges | Anti Debugging |
Found inlined nop instructions (likely shell or obfuscated code) | Software Vulnerabilities | Obfuscated Files or Information
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates mutexes | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |
Uses Microsoft Silverlight | System Summary |

C:\ProgramData\freebl3.dll
dropped

File: C:\ProgramData\freebl3.dll
Category: dropped
Dump: freebl3.dll.0.dr
ID: dr_4
Target ID: 0
Process: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.872871740790978
Encrypted: false
Ssdeep: 12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
Size: 685392
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\ProgramData\mozglue.dll
dropped

File: C:\ProgramData\mozglue.dll
Category: dropped
Dump: mozglue.dll.0.dr
ID: dr_5
Target ID: 0
Process: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.833616094889818
Encrypted: false
Ssdeep: 12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
Size: 608080
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |

C:\ProgramData\nss3.dll
dropped

File: C:\ProgramData\nss3.dll
Category: dropped
Dump: nss3.dll.0.dr
ID: dr_9
Target ID: 0
Process: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.787733948558952
Encrypted: false
Ssdeep: 49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
Size: 2046288
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\ProgramData\softokn3.dll
dropped

File: C:\ProgramData\softokn3.dll
Category: dropped
Dump: softokn3.dll.0.dr
ID: dr_7
Target ID: 0
Process: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.727482641240852
Encrypted: false
Ssdeep: 6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
Size: 257872
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mine[1].exe
dropped

File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mine[1].exe
Category: dropped
Dump: mine[1].exe.0.dr
ID: dr_2
Target ID: 0
Process: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.080918121113332
Encrypted: false
Ssdeep: 98304:rTuq7CQXa0LJ2aMhpxnbUO6PsJrq6GnRHhPf6:mQXa0LP6pxbAPyWRd
Size: 5140480
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Machine Learning detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |

C:\ProgramData\BFCAAEHJDBKJ\AAKEGI
dropped

File: C:\ProgramData\BFCAAEHJDBKJ\AAKEGI
Category: dropped
Dump: AAKEGI.0.dr
ID: dr_14
Target ID: 0
Process: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Entropy: 1.1358696453229276
Encrypted: false
Ssdeep: 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
Size: 106496
Whitelisted: false
Reputation: high

C:\ProgramData\BFCAAEHJDBKJ\CFCFHJ
dropped

File: C:\ProgramData\BFCAAEHJDBKJ\CFCFHJ
Category: dropped
Dump: CFCFHJ.0.dr
ID: dr_12
Target ID: 0
Process: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Entropy: 0.7873599747470391
Encrypted: false
Ssdeep: 96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
Size: 159744
Whitelisted: false
Reputation: high

C:\ProgramData\BFCAAEHJDBKJ\CGDHIE
dropped

File: C:\ProgramData\BFCAAEHJDBKJ\CGDHIE
Category: dropped
Dump: CGDHIE.0.dr
ID: dr_1
Target ID: 0
Process: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Type: ASCII text, with very long lines (1809), with CRLF line terminators
Entropy: 5.536643647658967
Encrypted: false
Ssdeep: 192:qnaRt+YbBp6ihj4qyaaX86KKkfGNBw8DJSl:yegqumcwQ0
Size: 9571
Whitelisted: false
Reputation: moderate

C:\ProgramData\BFCAAEHJDBKJ\ECFHJK
dropped

File: C:\ProgramData\BFCAAEHJDBKJ\ECFHJK
Category: dropped
Dump: ECFHJK.0.dr
ID: dr_13
Target ID: 0
Process: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Entropy: 0.8553638852307782
Encrypted: false
Ssdeep: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
Size: 40960
Whitelisted: false
Reputation: timeout

C:\ProgramData\BFCAAEHJDBKJ\FHDAEH
dropped

File: C:\ProgramData\BFCAAEHJDBKJ\FHDAEH
Category: dropped
Dump: FHDAEH.0.dr
ID: dr_17
Target ID: 0
Process: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Entropy: 0.9746603542602881
Encrypted: false
Ssdeep: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
Size: 114688
Whitelisted: true
Reputation: timeout

C:\ProgramData\BFCAAEHJDBKJ\GCAFCA
dropped

File: C:\ProgramData\BFCAAEHJDBKJ\GCAFCA
Category: dropped
Dump: GCAFCA.0.dr
ID: dr_11
Target ID: 0
Process: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Entropy: 2.5793180405395284
Encrypted: false
Ssdeep: 96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
Size: 28672
Whitelisted: false
Reputation: timeout

C:\ProgramData\BFCAAEHJDBKJ\IDGDAA
dropped

File: C:\ProgramData\BFCAAEHJDBKJ\IDGDAA
Category: dropped
Dump: IDGDAA.0.dr
ID: dr_16
Target ID: 0
Process: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Entropy: 0.8180424350137764
Encrypted: false
Ssdeep: 96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
Size: 49152
Whitelisted: true
Reputation: timeout

C:\ProgramData\BFCAAEHJDBKJ\IJKKKF
dropped

File: C:\ProgramData\BFCAAEHJDBKJ\IJKKKF
Category: dropped
Dump: IJKKKF.0.dr
ID: dr_18
Target ID: 0
Process: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Type: SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Entropy: 0.08235737944063153
Encrypted: false
Ssdeep: 12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
Size: 98304
Whitelisted: false
Reputation: timeout

C:\ProgramData\BFCAAEHJDBKJ\IJKKKF-shm
dropped

File: C:\ProgramData\BFCAAEHJDBKJ\IJKKKF-shm
Category: dropped
Dump: IJKKKF-shm.0.dr
ID: dr_19
Target ID: 0
Process: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Type: data
Entropy: 0.017262956703125623
Encrypted: false
Ssdeep: 3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
Size: 32768
Whitelisted: true
Reputation: timeout

C:\ProgramData\BFCAAEHJDBKJ\JDAKJD
dropped

File: C:\ProgramData\BFCAAEHJDBKJ\JDAKJD
Category: dropped
Dump: JDAKJD.0.dr
ID: dr_15
Target ID: 0
Process: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Type: SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Entropy: 0.037963276276857943
Encrypted: false
Ssdeep: 192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
Size: 5242880
Whitelisted: false
Reputation: timeout

C:\ProgramData\BFCAAEHJDBKJ\JDAKJD-shm
dropped

File: C:\ProgramData\BFCAAEHJDBKJ\JDAKJD-shm
Category: dropped
Dump: JDAKJD-shm.0.dr
ID: dr_0
Target ID: 0
Process: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Type: data
Entropy: 0.017262956703125623
Encrypted: false
Ssdeep: 3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
Size: 32768
Whitelisted: true
Reputation: timeout

C:\ProgramData\HCBAKJEHDBGH\BGIJDG
dropped

File: C:\ProgramData\HCBAKJEHDBGH\BGIJDG
Category: dropped
Dump: BGIJDG.6.dr
ID: dr_22
Target ID: 6
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Entropy: 2.5793180405395284
Encrypted: false
Ssdeep: 96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
Size: 28672
Whitelisted: false
Reputation: timeout

C:\ProgramData\HCBAKJEHDBGH\IIIEBG
dropped

File: C:\ProgramData\HCBAKJEHDBGH\IIIEBG
Category: dropped
Dump: IIIEBG.6.dr
ID: dr_23
Target ID: 6
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Entropy: 0.7873599747470391
Encrypted: false
Ssdeep: 96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
Size: 159744
Whitelisted: false
Reputation: timeout

C:\ProgramData\msvcp140.dll
dropped

File: C:\ProgramData\msvcp140.dll
Category: dropped
Dump: msvcp140.dll.0.dr
ID: dr_6
Target ID: 0
Process: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy: 6.673992339875127
Encrypted: false
Ssdeep: 12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
Size: 450024
Whitelisted: true
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |

C:\ProgramData\vcruntime140.dll
dropped

File: C:\ProgramData\vcruntime140.dll
Category: dropped
Dump: vcruntime140.dll.0.dr
ID: dr_8
Target ID: 0
Process: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy: 6.920480786566406
Encrypted: false
Ssdeep: 1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
Size: 80880
Whitelisted: true
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EHDHIDAEHC.exe.log
dropped

File: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EHDHIDAEHC.exe.log
Category: dropped
Dump: EHDHIDAEHC.exe.log.4.dr
ID: dr_20
Target ID: 4
Process: C:\ProgramData\EHDHIDAEHC.exe
Type: ASCII text, with CRLF line terminators
Entropy: 5.358731107079437
Encrypted: false
Ssdeep: 12:Q3La/hz92n4M9tDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLU84qpE4KlKDE4KhKiKhk
Size: 522
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199747278259[1].htm
dropped

File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199747278259[1].htm
Category: dropped
Dump: 76561199747278259[1].htm.0.dr
ID: dr_10
Target ID: 0
Process: C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe
Type: HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
Entropy: 5.400456805268228
Encrypted: false
Ssdeep: 768:Edpqm+0Ih3tAA9CWGhOfcDAJTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2g:Ed8m+0Ih3tAA9CWGhOFJTBv++nIjBtP0
Size: 34745
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Creates files inside the user directory | System Summary |

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\76561199747278259[1].htm
dropped

File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\76561199747278259[1].htm
Category: dropped
Dump: 76561199747278259[1].htm.6.dr
ID: dr_21
Target ID: 6
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type: HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
Entropy: 5.4006599806036535
Encrypted: false
Ssdeep: 768:Edpqm+0Ih3tAA9CWGhOfcDAJTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2g:Ed8m+0Ih3tAA9CWGhOFJTBv++nIjBtP0
Size: 34745
Whitelisted: false
Reputation: timeout