hDKY4f6gEA.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
initial sample

Filetype: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.204705864090623
Filename: hDKY4f6gEA.exe
Filesize: 1501696
MD5: 3e40d7f0c47407447c1fa9be4ec0f714
SHA1: f8633060aa590db85a70e9d1ae220b220ed03a98
SHA256: 497ac5eb72b62c3db2d5383bc2823bf38596e00d877ec7e9d572a94830f07a0e
SHA512: 9fc81db6a6ddf93626529223d5ee8a13717fc3069d90eb66fad1ef9a3172b776578e844ead65bf8e6e334bc0ad82910a6844b99ca8643083f2d140d3aae767cf
SSDEEP: 24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rb.....................6......N............@.. .......................`............@................................

Signature Hits |
Behavior Group |
Mitre Attack |
|
Antivirus / Scanner detection for submitted sample |
AV Detection |
|
Multi AV Scanner detection for submitted file |
AV Detection |
|
.NET source code contains method to dynamically call methods (often used by packers) |
Data Obfuscation |
|
.NET source code contains potential unpacker |
Data Obfuscation |
|
Creates processes via WMI |
Persistence and Installation Behavior |
|
Disable UAC(promptonsecuredesktop) |
Lowering of HIPS / PFW / Operating System Security Settings |
Bypass User Account Control
|
Disables UAC (registry) |
Lowering of HIPS / PFW / Operating System Security Settings |
|
Drops PE files to the user root directory |
Boot Survival |
|
Drops PE files with benign system names |
Persistence and Installation Behavior |
|
Drops executable to a common third party application directory |
Persistence and Installation Behavior |
|
Machine Learning detection for sample |
AV Detection |
|
Allocates memory with a write watch (potentially for evading sandboxes) |
Malware Analysis System Evasion |
|
Contains long sleeps (>= 3 min) |
Malware Analysis System Evasion |
|
Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
Creates files inside the system directory |
System Summary |
|
Detected potential crypto function |
System Summary |
|
Drops PE files |
Persistence and Installation Behavior |
|
Drops PE files to the application program directory (C:\ProgramData) |
Persistence and Installation Behavior |
|
Drops PE files to the user directory |
Persistence and Installation Behavior |
|
Drops PE files to the windows directory (C:\Windows) |
Persistence and Installation Behavior |
|
Enables debug privileges |
Anti Debugging |
|
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) |
Malware Analysis System Evasion |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
May sleep (evasive loops) to hinder dynamic analysis |
Malware Analysis System Evasion |
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
|
Sample file is different than original file name gathered from version info |
System Summary |
|
Uses 32bit PE files |
Compliance, System Summary |
|
Uses code obfuscation techniques (call, push, ret) |
Data Obfuscation |
|
Binary may include packed or encrypted code |
Data Obfuscation |
Obfuscated Files or Information
|
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3) |
System Summary |
|
.NET source code contains calls to encryption/decryption functions |
System Summary |
Deobfuscate/Decode Files or Information
|
.NET source code contains many randomly named methods |
Data Obfuscation |
|
Checks the free space of harddrives |
Malware Analysis System Evasion |
System Information Discovery
|
Contains medium sleeps (>= 30s) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Creates files inside the program directory |
System Summary |
|
Creates files inside the user directory |
System Summary |
|
Creates guard pages, often used to prevent reverse engineering and debugging |
Anti Debugging |
|
Disables application error messages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
Enumerates the file system |
Spreading, Malware Analysis System Evasion |
|
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) |
Malware Analysis System Evasion |
Security Software Discovery
|
PE file has an executable .text section and no other executable section |
System Summary |
|
Parts of this application are using the .NET runtime (probably coded in C#) |
System Summary |
|
Queries a list of all running processes |
Malware Analysis System Evasion |
|
Queries process information (via WMI, Win32_Process) |
System Summary |
Windows Management Instrumentation
|
Queries the cryptographic machine GUID |
Language, Device and Operating System Detection |
|
Reads ini files |
System Summary |
File and Directory Discovery
|
Reads software policies |
System Summary |
|
Sample is known by Antivirus |
System Summary |
|
Sample reads its own file content |
System Summary |
|
Tries to load missing DLLs |
System Summary |
|
URLs found in memory or binary data |
Networking |
|
Uses an in-process (OLE) Automation server |
System Summary |
|
Contains modern PE file flags such as dynamic base (ASLR) or NX |
Compliance, System Summary |
|
PE file has a big raw section |
System Summary |
|
Creates a directory in C:\Program Files |
Compliance, System Summary |
|
PE file contains a COM descriptor data directory |
System Summary |
|
PE file has a big code size |
System Summary |
|
Submission file is bigger than most known malware samples |
System Summary |
|
|
C:\Program Files (x86)\Internet Explorer\RCXB6AF.tmp
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Program Files (x86)\Internet Explorer\RCXB6AF.tmp
|
Category: |
dropped
|
Dump: |
RCXB6AF.tmp.0.dr
|
ID: |
dr_52
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.204735192965171
|
Encrypted: |
false
|
Ssdeep: |
24576:KIpz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:KQzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
low
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Antivirus detection for dropped file |
AV Detection |
|
Machine Learning detection for dropped file |
AV Detection |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
C:\Program Files (x86)\Internet Explorer\services.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Program Files (x86)\Internet Explorer\services.exe
|
Category: |
dropped
|
Dump: |
services.exe.0.dr
|
ID: |
dr_67
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.204705864090623
|
Encrypted: |
false
|
Ssdeep: |
24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
low
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Antivirus detection for dropped file |
AV Detection |
|
Drops PE files with benign system names |
Persistence and Installation Behavior |
|
Drops executable to a common third party application directory |
Persistence and Installation Behavior |
|
Machine Learning detection for dropped file |
AV Detection |
|
Drops PE files |
Persistence and Installation Behavior |
|
|
C:\Program Files (x86)\Internet Explorer\services.exe:Zone.Identifier
|
ASCII text, with CRLF line terminators
|
dropped
|
|
|
|
File: |
C:\Program Files (x86)\Internet Explorer\services.exe:Zone.Identifier
|
Category: |
dropped
|
Dump: |
services.exe_Zone.Identifier.0.dr
|
ID: |
dr_66
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
ASCII text, with CRLF line terminators
|
Entropy: |
3.95006375643621
|
Encrypted: |
false
|
Ssdeep: |
3:ggPYV:rPYV
|
Size: |
26
|
Whitelisted: |
false
|
Reputation: |
high
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Antivirus detection for dropped file |
AV Detection |
|
Machine Learning detection for dropped file |
AV Detection |
|
|
C:\Program Files (x86)\Java\jre-1.8\IfYiMMRuvSUMKHkp.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Program Files (x86)\Java\jre-1.8\IfYiMMRuvSUMKHkp.exe
|
Category: |
dropped
|
Dump: |
IfYiMMRuvSUMKHkp.exe3.0.dr
|
ID: |
dr_24
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.204705864090623
|
Encrypted: |
false
|
Ssdeep: |
24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
low
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Antivirus detection for dropped file |
AV Detection |
|
Machine Learning detection for dropped file |
AV Detection |
|
Drops PE files |
Persistence and Installation Behavior |
|
|
C:\Program Files (x86)\Java\jre-1.8\IfYiMMRuvSUMKHkp.exe:Zone.Identifier
|
ASCII text, with CRLF line terminators
|
dropped
|
|
|
|
File: |
C:\Program Files (x86)\Java\jre-1.8\IfYiMMRuvSUMKHkp.exe:Zone.Identifier
|
Category: |
dropped
|
Dump: |
IfYiMMRuvSUMKHkp.exe_Zone.Identifier3.0.dr
|
ID: |
dr_23
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
ASCII text, with CRLF line terminators
|
Entropy: |
3.95006375643621
|
Encrypted: |
false
|
Ssdeep: |
3:ggPYV:rPYV
|
Size: |
26
|
Whitelisted: |
false
|
Reputation: |
high
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Antivirus detection for dropped file |
AV Detection |
|
Machine Learning detection for dropped file |
AV Detection |
|
|
C:\Program Files (x86)\Java\jre-1.8\RCXA65D.tmp
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Program Files (x86)\Java\jre-1.8\RCXA65D.tmp
|
Category: |
dropped
|
Dump: |
RCXA65D.tmp.0.dr
|
ID: |
dr_37
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.204605652676782
|
Encrypted: |
false
|
Ssdeep: |
24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Antivirus detection for dropped file |
AV Detection |
|
Machine Learning detection for dropped file |
AV Detection |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
C:\Program Files (x86)\Microsoft Office\RCXB219.tmp
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Program Files (x86)\Microsoft Office\RCXB219.tmp
|
Category: |
dropped
|
Dump: |
RCXB219.tmp.0.dr
|
ID: |
dr_46
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.204630540331046
|
Encrypted: |
false
|
Ssdeep: |
24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Antivirus detection for dropped file |
AV Detection |
|
Machine Learning detection for dropped file |
AV Detection |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
C:\Program Files (x86)\Microsoft Office\RuntimeBroker.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Program Files (x86)\Microsoft Office\RuntimeBroker.exe
|
Category: |
dropped
|
Dump: |
RuntimeBroker.exe.0.dr
|
ID: |
dr_56
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.204705864090623
|
Encrypted: |
false
|
Ssdeep: |
24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Antivirus detection for dropped file |
AV Detection |
|
Machine Learning detection for dropped file |
AV Detection |
|
Drops PE files |
Persistence and Installation Behavior |
|
|
C:\Program Files (x86)\Microsoft Office\RuntimeBroker.exe:Zone.Identifier
|
ASCII text, with CRLF line terminators
|
dropped
|
|
|
|
File: |
C:\Program Files (x86)\Microsoft Office\RuntimeBroker.exe:Zone.Identifier
|
Category: |
dropped
|
Dump: |
RuntimeBroker.exe_Zone.Identifier.0.dr
|
ID: |
dr_54
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
ASCII text, with CRLF line terminators
|
Entropy: |
3.95006375643621
|
Encrypted: |
false
|
Ssdeep: |
3:ggPYV:rPYV
|
Size: |
26
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Antivirus detection for dropped file |
AV Detection |
|
Machine Learning detection for dropped file |
AV Detection |
|
|
C:\Program Files (x86)\WindowsPowerShell\RCX9FD4.tmp
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Program Files (x86)\WindowsPowerShell\RCX9FD4.tmp
|
Category: |
dropped
|
Dump: |
RCX9FD4.tmp.0.dr
|
ID: |
dr_34
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.2046119008282075
|
Encrypted: |
false
|
Ssdeep: |
24576:KIpz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:KQzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Antivirus detection for dropped file |
AV Detection |
|
Machine Learning detection for dropped file |
AV Detection |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
C:\Program Files (x86)\WindowsPowerShell\dllhost.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Program Files (x86)\WindowsPowerShell\dllhost.exe
|
Category: |
dropped
|
Dump: |
dllhost.exe.0.dr
|
ID: |
dr_15
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.204705864090623
|
Encrypted: |
false
|
Ssdeep: |
24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Antivirus detection for dropped file |
AV Detection |
|
Machine Learning detection for dropped file |
AV Detection |
|
Sigma detected: System File Execution Location Anomaly |
System Summary |
|
Allocates memory with a write watch (potentially for evading sandboxes) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Contains long sleeps (>= 3 min) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Drops PE files |
Persistence and Installation Behavior |
|
Enables debug privileges |
Anti Debugging |
|
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) |
Malware Analysis System Evasion |
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
Checks the free space of harddrives |
Malware Analysis System Evasion |
System Information Discovery
|
Contains medium sleeps (>= 30s) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Disables application error messages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
Spawns processes |
System Summary |
|
Tries to load missing DLLs |
System Summary |
|
|
C:\Program Files (x86)\WindowsPowerShell\dllhost.exe:Zone.Identifier
|
ASCII text, with CRLF line terminators
|
dropped
|
|
|
|
File: |
C:\Program Files (x86)\WindowsPowerShell\dllhost.exe:Zone.Identifier
|
Category: |
dropped
|
Dump: |
dllhost.exe_Zone.Identifier.0.dr
|
ID: |
dr_13
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
ASCII text, with CRLF line terminators
|
Entropy: |
3.95006375643621
|
Encrypted: |
false
|
Ssdeep: |
3:ggPYV:rPYV
|
Size: |
26
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Antivirus detection for dropped file |
AV Detection |
|
Machine Learning detection for dropped file |
AV Detection |
|
Allocates memory with a write watch (potentially for evading sandboxes) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Contains long sleeps (>= 3 min) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Enables debug privileges |
Anti Debugging |
|
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) |
Malware Analysis System Evasion |
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
Checks the free space of harddrives |
Malware Analysis System Evasion |
System Information Discovery
|
Contains medium sleeps (>= 30s) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Disables application error messages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
Tries to load missing DLLs |
System Summary |
|
|
C:\Program Files (x86)\internet explorer\services.exe (copy)
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Program Files (x86)\internet explorer\services.exe (copy)
|
Category: |
dropped
|
Dump: |
RCXB6AF.tmp.0.dr
|
ID: |
dr_79
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.204735192965171
|
Encrypted: |
false
|
Ssdeep: |
24576:KIpz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:KQzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
C:\Program Files (x86)\java\jre-1.8\IfYiMMRuvSUMKHkp.exe (copy)
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Program Files (x86)\java\jre-1.8\IfYiMMRuvSUMKHkp.exe (copy)
|
Category: |
dropped
|
Dump: |
RCXA65D.tmp.0.dr
|
ID: |
dr_76
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.204605652676782
|
Encrypted: |
false
|
Ssdeep: |
24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
C:\Program Files (x86)\microsoft office\RuntimeBroker.exe (copy)
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Program Files (x86)\microsoft office\RuntimeBroker.exe (copy)
|
Category: |
dropped
|
Dump: |
RCXB219.tmp.0.dr
|
ID: |
dr_77
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.204630540331046
|
Encrypted: |
false
|
Ssdeep: |
24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
C:\Program Files (x86)\windowspowershell\dllhost.exe (copy)
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Program Files (x86)\windowspowershell\dllhost.exe (copy)
|
Category: |
dropped
|
Dump: |
RCX9FD4.tmp.0.dr
|
ID: |
dr_75
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.2046119008282075
|
Encrypted: |
false
|
Ssdeep: |
24576:KIpz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:KQzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
C:\Program Files\Microsoft\OneDrive\IfYiMMRuvSUMKHkp.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Program Files\Microsoft\OneDrive\IfYiMMRuvSUMKHkp.exe
|
Category: |
dropped
|
Dump: |
IfYiMMRuvSUMKHkp.exe1.0.dr
|
ID: |
dr_12
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.204705864090623
|
Encrypted: |
false
|
Ssdeep: |
24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Creates a directory in C:\Program Files |
Compliance, System Summary |
|
|
C:\Program Files\Microsoft\OneDrive\RCXC626.tmp
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Program Files\Microsoft\OneDrive\RCXC626.tmp
|
Category: |
dropped
|
Dump: |
RCXC626.tmp.0.dr
|
ID: |
dr_63
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.2046947918139805
|
Encrypted: |
false
|
Ssdeep: |
24576:qIpz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:qQzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Antivirus detection for dropped file |
AV Detection |
|
Machine Learning detection for dropped file |
AV Detection |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Creates a directory in C:\Program Files |
Compliance, System Summary |
|
|
C:\Program Files\Uninstall Information\RCXB8D3.tmp
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Program Files\Uninstall Information\RCXB8D3.tmp
|
Category: |
dropped
|
Dump: |
RCXB8D3.tmp.0.dr
|
ID: |
dr_53
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.20470525223856
|
Encrypted: |
false
|
Ssdeep: |
24576:qIpz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:qQzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Antivirus detection for dropped file |
AV Detection |
|
Machine Learning detection for dropped file |
AV Detection |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Creates a directory in C:\Program Files |
Compliance, System Summary |
|
|
C:\Program Files\Uninstall Information\wininit.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Program Files\Uninstall Information\wininit.exe
|
Category: |
dropped
|
Dump: |
wininit.exe.0.dr
|
ID: |
dr_70
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.204705864090623
|
Encrypted: |
false
|
Ssdeep: |
24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Antivirus detection for dropped file |
AV Detection |
|
Drops PE files with benign system names |
Persistence and Installation Behavior |
|
Machine Learning detection for dropped file |
AV Detection |
|
Drops PE files |
Persistence and Installation Behavior |
|
Creates a directory in C:\Program Files |
Compliance, System Summary |
|
|
C:\Program Files\Uninstall Information\wininit.exe:Zone.Identifier
|
ASCII text, with CRLF line terminators
|
dropped
|
|
|
|
File: |
C:\Program Files\Uninstall Information\wininit.exe:Zone.Identifier
|
Category: |
dropped
|
Dump: |
wininit.exe_Zone.Identifier.0.dr
|
ID: |
dr_69
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
ASCII text, with CRLF line terminators
|
Entropy: |
3.95006375643621
|
Encrypted: |
false
|
Ssdeep: |
3:ggPYV:rPYV
|
Size: |
26
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Antivirus detection for dropped file |
AV Detection |
|
Machine Learning detection for dropped file |
AV Detection |
|
|
C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe
|
Category: |
dropped
|
Dump: |
IfYiMMRuvSUMKHkp.exe2.0.dr
|
ID: |
dr_21
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.204705864090623
|
Encrypted: |
false
|
Ssdeep: |
24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Allocates memory with a write watch (potentially for evading sandboxes) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Contains long sleeps (>= 3 min) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Drops PE files |
Persistence and Installation Behavior |
|
Enables debug privileges |
Anti Debugging |
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
Checks the free space of harddrives |
Malware Analysis System Evasion |
System Information Discovery
|
Contains medium sleeps (>= 30s) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Disables application error messages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
Spawns processes |
System Summary |
|
Tries to load missing DLLs |
System Summary |
|
Creates a directory in C:\Program Files |
Compliance, System Summary |
|
|
C:\Program Files\Windows Defender\RCXA207.tmp
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Program Files\Windows Defender\RCXA207.tmp
|
Category: |
dropped
|
Dump: |
RCXA207.tmp.0.dr
|
ID: |
dr_35
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.20464173826675
|
Encrypted: |
false
|
Ssdeep: |
24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Antivirus detection for dropped file |
AV Detection |
|
Machine Learning detection for dropped file |
AV Detection |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Creates a directory in C:\Program Files |
Compliance, System Summary |
|
|
C:\Program Files\Windows Multimedia Platform\IfYiMMRuvSUMKHkp.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
modified
|
|
|
|
File: |
C:\Program Files\Windows Multimedia Platform\IfYiMMRuvSUMKHkp.exe
|
Category: |
modified
|
Dump: |
IfYiMMRuvSUMKHkp.exe7.0.dr
|
ID: |
dr_40
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.204705864090623
|
Encrypted: |
false
|
Ssdeep: |
24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Creates a directory in C:\Program Files |
Compliance, System Summary |
|
|
C:\Program Files\Windows Multimedia Platform\RCXAA37.tmp
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Program Files\Windows Multimedia Platform\RCXAA37.tmp
|
Category: |
dropped
|
Dump: |
RCXAA37.tmp.0.dr
|
ID: |
dr_39
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.204627175623906
|
Encrypted: |
false
|
Ssdeep: |
24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Antivirus detection for dropped file |
AV Detection |
|
Machine Learning detection for dropped file |
AV Detection |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Creates a directory in C:\Program Files |
Compliance, System Summary |
|
|
C:\ProgramData\Microsoft\MapData\RCXB47C.tmp
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
File: |
C:\ProgramData\Microsoft\MapData\RCXB47C.tmp
|
Category: |
dropped
|
Dump: |
RCXB47C.tmp.0.dr
|
ID: |
dr_51
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\hDKY4f6gEA.exe
|
Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
Entropy: |
7.204771629941512
|
Encrypted: |
false
|
Ssdeep: |
24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
|
Size: |
1501696
|
Whitelisted: |
false
|
Reputation: |
timeout
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Antivirus detection for dropped file |
AV Detection |
|
Machine Learning detection for dropped file |
AV Detection |
|
Drops PE files |
Persistence and Installation Behavior |
|
Drops PE files to the application program directory (C:\ProgramData) |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
File: C:\ProgramData\Microsoft\MapData\SystemSettings.exe
Category: dropped
Dump: SystemSettings.exe.0.dr
ID: dr_62
Target ID: 0
Process: C:\Users\user\Desktop\hDKY4f6gEA.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.204705864090623
Encrypted: false
Ssdeep: 24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
Size: 1501696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Machine Learning detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |

File: C:\ProgramData\Microsoft\MapData\SystemSettings.exe:Zone.Identifier
Category: dropped
Dump: SystemSettings.exe_Zone.Identifier.0.dr
ID: dr_60
Target ID: 0
Process: C:\Users\user\Desktop\hDKY4f6gEA.exe
Type: ASCII text, with CRLF line terminators
Entropy: 3.95006375643621
Encrypted: false
Ssdeep: 3:ggPYV:rPYV
Size: 26
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Machine Learning detection for dropped file | AV Detection |

File: C:\Recovery\IfYiMMRuvSUMKHkp.exe
Category: dropped
Dump: IfYiMMRuvSUMKHkp.exe4.0.dr
ID: dr_26
Target ID: 0
Process: C:\Users\user\Desktop\hDKY4f6gEA.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.204705864090623
Encrypted: false
Ssdeep: 24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
Size: 1501696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Drops PE files | Persistence and Installation Behavior |
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Checks the free space of harddrives | Malware Analysis System Evasion | System Information Discovery
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates mutexes | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |

File: C:\Recovery\RCX9764.tmp
Category: dropped
Dump: RCX9764.tmp.0.dr
ID: dr_18
Target ID: 0
Process: C:\Users\user\Desktop\hDKY4f6gEA.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.20456808285741
Encrypted: false
Ssdeep: 24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
Size: 1501696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Recovery\RCXC0C5.tmp
Category: dropped
Dump: RCXC0C5.tmp.0.dr
ID: dr_59
Target ID: 0
Process: C:\Users\user\Desktop\hDKY4f6gEA.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.204570883071254
Encrypted: false
Ssdeep: 24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
Size: 1501696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Recovery\smss.exe
Category: dropped
Dump: smss.exe.0.dr
ID: dr_5
Target ID: 0
Process: C:\Users\user\Desktop\hDKY4f6gEA.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.204705864090623
Encrypted: false
Ssdeep: 24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
Size: 1501696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files with benign system names | Persistence and Installation Behavior |
Drops PE files | Persistence and Installation Behavior |

File: C:\Users\All Users\Desktop\IfYiMMRuvSUMKHkp.exe (copy)
Category: dropped
Dump: RCXC366.tmp.0.dr
ID: dr_81
Target ID: 0
Process: C:\Users\user\Desktop\hDKY4f6gEA.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.204631963126828
Encrypted: false
Ssdeep: 24576:KIpz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:KQzulw0bg/qAymlV
Size: 1501696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\All Users\Microsoft\MapData\SystemSettings.exe (copy)
Category: dropped
Dump: RCXB47C.tmp.0.dr
ID: dr_78
Target ID: 0
Process: C:\Users\user\Desktop\hDKY4f6gEA.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.204771629941512
Encrypted: false
Ssdeep: 24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
Size: 1501696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\Default\AppData\Roaming\Microsoft\IfYiMMRuvSUMKHkp.exe
Category: dropped
Dump: IfYiMMRuvSUMKHkp.exe.0.dr
ID: dr_2
Target ID: 0
Process: C:\Users\user\Desktop\hDKY4f6gEA.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.204705864090623
Encrypted: false
Ssdeep: 24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
Size: 1501696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |

File: C:\Users\Default\AppData\Roaming\Microsoft\RCXBE25.tmp
Category: dropped
Dump: RCXBE25.tmp.0.dr
ID: dr_57
Target ID: 0
Process: C:\Users\user\Desktop\hDKY4f6gEA.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.204595851890258
Encrypted: false
Ssdeep: 24576:qIpz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:qQzulw0bg/qAymlV
Size: 1501696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\Default\Application Data\Microsoft\IfYiMMRuvSUMKHkp.exe (copy)
Category: dropped
Dump: RCXBE25.tmp.0.dr
ID: dr_80
Target ID: 0
Process: C:\Users\user\Desktop\hDKY4f6gEA.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.204595851890258
Encrypted: false
Ssdeep: 24576:qIpz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:qQzulw0bg/qAymlV
Size: 1501696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\Public\Desktop\IfYiMMRuvSUMKHkp.exe
Category: dropped
Dump: IfYiMMRuvSUMKHkp.exe0.0.dr
ID: dr_8
Target ID: 0
Process: C:\Users\user\Desktop\hDKY4f6gEA.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.204705864090623
Encrypted: false
Ssdeep: 24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
Size: 1501696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |

File: C:\Users\Public\Desktop\RCXC366.tmp
Category: dropped
Dump: RCXC366.tmp.0.dr
ID: dr_61
Target ID: 0
Process: C:\Users\user\Desktop\hDKY4f6gEA.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.204631963126828
Encrypted: false
Ssdeep: 24576:KIpz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:KQzulw0bg/qAymlV
Size: 1501696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\Public\Videos\IfYiMMRuvSUMKHkp.exe
Category: dropped
Dump: IfYiMMRuvSUMKHkp.exe5.0.dr
ID: dr_29
Target ID: 0
Process: C:\Users\user\Desktop\hDKY4f6gEA.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.204705864090623
Encrypted: false
Ssdeep: 24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
Size: 1501696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Creates files inside the user directory | System Summary |

File: C:\Users\Public\Videos\RCX99B7.tmp
Category: dropped
Dump: RCX99B7.tmp.0.dr
ID: dr_20
Target ID: 0
Process: C:\Users\user\Desktop\hDKY4f6gEA.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.204636341215856
Encrypted: false
Ssdeep: 24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
Size: 1501696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\Public\Videos\RCXBB84.tmp
Category: dropped
Dump: RCXBB84.tmp.0.dr
ID: dr_55
Target ID: 0
Process: C:\Users\user\Desktop\hDKY4f6gEA.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.204797042163612
Encrypted: false
Ssdeep: 24576:KIpz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:KQzulw0bg/qAymlV
Size: 1501696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\Public\Videos\dasHost.exe
Category: dropped
Dump: dasHost.exe.0.dr
ID: dr_73
Target ID: 0
Process: C:\Users\user\Desktop\hDKY4f6gEA.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.204705864090623
Encrypted: false
Ssdeep: 24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV
Size: 1501696
Whitelisted: false
Reputation: timeout
