file.exe
initial sample

Filetype: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.94980674543301
Filename: file.exe
Filesize: 1930752
MD5: 27a3277f6daec8e2369a88cea407fb46
SHA1: c7da43b9bc1a51aa28cda592d8266e17057ab6b7
SHA256: ba82209b941924aeb6196fac31a5e2d13193f49be26163683bf29a293b3fcec0
SHA512: 089b550d03e9f30d5be540830aca38519fb0b839ee9dee852c86111969e12c6a0c36d821b5a2d519c7c23bf73a598a3963c01fa3df93322c1bf6e39be4f8116b
SSDEEP: 49152:ea7wlm3OM01MszDNdEmzJgLZJXPLvTtY3MJnFpY:em5WXNd9zWL3XPLb2Md
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C................

Signature Hits | Behavior Group | Mitre Attack
Antivirus / Scanner detection for submitted sample | AV Detection | Extra Window Memory Injection
Detected unpacking (changes PE section rights) | Data Obfuscation | Extra Window Memory Injection
Multi AV Scanner detection for submitted file | AV Detection |
Hides threads from debuggers | Anti Debugging | Extra Window Memory Injection
Machine Learning detection for sample | AV Detection |
PE file contains section with special chars | System Summary |
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) | Boot Survival | Extra Window Memory Injection
Tries to detect sandboxes / dynamic malware analysis system (registry check) | Malware Analysis System Evasion | Extra Window Memory Injection
Tries to detect virtualization through RDTSC time measurements | Malware Analysis System Evasion | Extra Window Memory Injection
Tries to evade debugger and weak emulator (self modifying code) | Malware Analysis System Evasion | Extra Window Memory Injection
Checks if the current process is being debugged | Anti Debugging | Security Software Discovery
Contains functionality for execution timing, often used to detect debuggers | Malware Analysis System Evasion, Anti Debugging | Extra Window Memory Injection
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion | Extra Window Memory Injection
Creates files inside the system directory | System Summary |
Creates job files (autostart) | Boot Survival |
PE file contains sections with non-standard names | Data Obfuscation | Extra Window Memory Injection
Uses 32bit PE files | Compliance, System Summary |
Uses code obfuscation techniques (call, push, ret) | Data Obfuscation |
Binary may include packed or encrypted code | Data Obfuscation |
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011) | System Summary |
Checks the free space of hard drives | Malware Analysis System Evasion |
Creates temporary files | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection | Extra Window Memory Injection
Queries a list of all running drivers | Malware Analysis System Evasion |
Queries a list of all running processes | Malware Analysis System Evasion | Extra Window Memory Injection
Reads ini files | System Summary | Extra Window Memory Injection; File and Directory Discovery
Reads software policies | System Summary |
Sample is known by Antivirus | System Summary |
Sample might require command line arguments | System Summary | Extra Window Memory Injection
Sample reads its own file content | System Summary |
Tries to load missing DLLs | System Summary | Extra Window Memory Injection
Uses an in-process (OLE) Automation server | System Summary |
PE file has a big raw section | System Summary | Extra Window Memory Injection
Submission file is bigger than most known malware samples | System Summary | Extra Window Memory Injection

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\SxQyhJr[1].exe
Category: dropped
Dump: SxQyhJr[1].exe.6.dr
ID: dr_4
Target ID: 6
Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.937162817340063
Encrypted: false
Ssdeep: 24576:XqgOt5BhqfWXUIue3QgJaCIPwHImKimJgWbqrD4cM9BysZODGcaXBjZrGxjf6sWI:XitThqRI3btvcimJ5bEDDMSsZ4GL3rGZ
Size: 1473536
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Machine Learning detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |
Creates files inside the user directory | System Summary |

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe
Category: dropped
Dump: random[1].exe2.6.dr
ID: dr_13
Target ID: 6
Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 6.472329089980284
Encrypted: false
Ssdeep: 49152:m7sNQnouAeEI0+206WUmc17WSlt3fcgJRZc2Vbf:IGQouAeEXX03UTwSz3f22Vbf
Size: 2765824
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Machine Learning detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe
Category: dropped
Dump: random[1].exe0.6.dr
ID: dr_9
Target ID: 6
Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.946354570205017
Encrypted: false
Ssdeep: 49152:iM4IR3PksYn/lXz5lEsNEJqgIY210WiJC:R3PVkA+qqyWi4
Size: 1840128
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe
Category: dropped
Dump: random[1].exe1.6.dr
ID: dr_11
Target ID: 6
Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 6.591087909609073
Encrypted: false
Ssdeep: 12288:MqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgavTK:MqDEvCTbMWu7rQYlBQcBiT6rprG8aLK
Size: 922112
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe
Category: dropped
Dump: random[1].exe.6.dr
ID: dr_7
Target ID: 6
Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.945678245476462
Encrypted: false
Ssdeep: 49152:gYaoryX6w3X4R7fgY94kPTZJcWY+FzC9Dc2lst:7rQ6kotfgY9TPTLcWY+A9DGt
Size: 1864192
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe
Category: dropped
Dump: random[2].exe.6.dr
ID: dr_3
Target ID: 6
Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy: 7.98390126362659
Encrypted: false
Ssdeep: 98304:Aw6d9osRZuyGN7I4dkerrBBu9iQVhNVvQsLS1vG5Qs1Wpz:f6nos/Gi4dkWu9dhTvdLS10Q
Size: 4467200
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Machine Learning detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |

C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe
Category: dropped
Dump: SxQyhJr.exe.6.dr
ID: dr_6
Target ID: 6
Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.937162817340063
Encrypted: false
Ssdeep: 24576:XqgOt5BhqfWXUIue3QgJaCIPwHImKimJgWbqrD4cM9BysZODGcaXBjZrGxjf6sWI:XitThqRI3btvcimJ5bEDDMSsZ4GL3rGZ
Size: 1473536
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Injects a PE file into a foreign process | HIPS / PFW / Operating System Protection Evasion |
Machine Learning detection for dropped file | AV Detection |
Writes to foreign memory regions | HIPS / PFW / Operating System Protection Evasion |
Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Contains functionality to call native functions | System Summary |
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Drops PE files | Persistence and Installation Behavior |
Enables debug privileges | Anti Debugging |
Found inlined nop instructions (likely shell or obfuscated code) | Software Vulnerabilities | Obfuscated Files or Information
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Creates guard pages, often used to prevent reverse engineering and debugging | Anti Debugging |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Queries the cryptographic machine GUID | Language, Device and Operating System Detection | System Information Discovery
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |
Uses Microsoft Silverlight | System Summary |

C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe
Category: dropped
Dump: a6f0d09f38.exe.6.dr
ID: dr_8
Target ID: 6
Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.945678245476462
Encrypted: false
Ssdeep: 49152:gYaoryX6w3X4R7fgY94kPTZJcWY+FzC9Dc2lst:7rQ6kotfgY9TPTLcWY+A9DGt
Size: 1864192
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Detected unpacking (changes PE section rights) | Data Obfuscation |
Hides threads from debuggers | Anti Debugging | Security Software Discovery; Virtualization/Sandbox Evasion
Machine Learning detection for dropped file | AV Detection |
Query firmware table information (likely to detect VMs) | Malware Analysis System Evasion | Security Software Discovery; Virtualization/Sandbox Evasion
Sigma detected: New RUN Key Pointing to Suspicious Folder | System Summary |
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) | Boot Survival | Security Software Discovery
Tries to detect sandboxes / dynamic malware analysis system (registry check) | Malware Analysis System Evasion | Security Software Discovery
Tries to harvest and steal browser information (history, passwords, etc) | Stealing of Sensitive Information |
Tries to steal Crypto Currency Wallets | Stealing of Sensitive Information |
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI) | Lowering of HIPS / PFW / Operating System Security Settings | Security Software Discovery; Windows Management Instrumentation
Checks if the current process is being debugged | Anti Debugging | Security Software Discovery; Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Drops PE files | Persistence and Installation Behavior |
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Malware Analysis System Evasion | System Information Discovery; Windows Management Instrumentation
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Searches for user specific document files | Stealing of Sensitive Information | File and Directory Discovery
Sigma detected: CurrentVersion Autorun Keys Modification | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Sample might require command line arguments | System Summary | Command and Scripting Interpreter
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |

C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe
Category: dropped
Dump: b5da647ae3.exe.6.dr
ID: dr_10
Target ID: 6
Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.946354570205017
Encrypted: false
Ssdeep: 49152:iM4IR3PksYn/lXz5lEsNEJqgIY210WiJC:R3PVkA+qqyWi4
Size: 1840128
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Detected unpacking (changes PE section rights) | Data Obfuscation |
Hides threads from debuggers | Anti Debugging | Security Software Discovery; Virtualization/Sandbox Evasion
Machine Learning detection for dropped file | AV Detection |
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) | Boot Survival | Security Software Discovery
Tries to detect sandboxes / dynamic malware analysis system (registry check) | Malware Analysis System Evasion | Security Software Discovery
Checks if the current process is being debugged | Anti Debugging | Security Software Discovery; Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Drops PE files | Persistence and Installation Behavior |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Sample might require command line arguments | System Summary | Command and Scripting Interpreter
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |

C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe
Category: dropped
Dump: 6e1fbaaba5.exe.6.dr
ID: dr_12
Target ID: 6
Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 6.591087909609073
Encrypted: false
Ssdeep: 12288:MqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgavTK:MqDEvCTbMWu7rQYlBQcBiT6rprG8aLK
Size: 922112
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Machine Learning detection for dropped file | AV Detection |
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Drops PE files | Persistence and Installation Behavior |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Uses taskkill to terminate processes | HIPS / PFW / Operating System Protection Evasion |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |

C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe
Category: dropped
Dump: 8b82d73f70.exe.6.dr
ID: dr_14
Target ID: 6
Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 6.472329089980284
Encrypted: false
Ssdeep: 49152:m7sNQnouAeEI0+206WUmc17WSlt3fcgJRZc2Vbf:IGQouAeEXX03UTwSz3f22Vbf
Size: 2765824
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Detected unpacking (changes PE section rights) | Data Obfuscation |
Disable Windows Defender notifications (registry) | Lowering of HIPS / PFW / Operating System Security Settings | Bypass User Account Control
Disables Windows Defender Tamper protection | Lowering of HIPS / PFW / Operating System Security Settings |
Hides threads from debuggers | Anti Debugging | Security Software Discovery; Virtualization/Sandbox Evasion
Machine Learning detection for dropped file | AV Detection |
Modifies windows update settings | Lowering of HIPS / PFW / Operating System Security Settings |
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) | Boot Survival | Security Software Discovery
Tries to detect sandboxes / dynamic malware analysis system (registry check) | Malware Analysis System Evasion | Security Software Discovery
Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Checks if the current process is being debugged | Anti Debugging | Security Software Discovery; Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Drops PE files | Persistence and Installation Behavior |
Enables debug privileges | Anti Debugging |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates mutexes | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |

C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe
Category: dropped
Dump: 98a7b9f337.exe.6.dr
ID: dr_5
Target ID: 6
Process: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy: 7.98390126362659
Encrypted: false
Ssdeep: 98304:Aw6d9osRZuyGN7I4dkerrBBu9iQVhNVvQsLS1vG5Qs1Wpz:f6nos/Gi4dkWu9dhTvdLS10Q
Size: 4467200
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Detected unpacking (changes PE section rights) | Data Obfuscation |
Hides threads from debuggers | Anti Debugging | Security Software Discovery; Virtualization/Sandbox Evasion
Machine Learning detection for dropped file | AV Detection |
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) | Boot Survival | Security Software Discovery
Tries to detect sandboxes / dynamic malware analysis system (registry check) | Malware Analysis System Evasion | Security Software Discovery
Tries to detect sandboxes and other dynamic analysis tools (window names) | Anti Debugging | Security Software Discovery; Virtualization/Sandbox Evasion
Checks for debuggers (devices) | Anti Debugging | Security Software Discovery; Virtualization/Sandbox Evasion
Checks if the current process is being debugged | Anti Debugging | Security Software Discovery; Virtualization/Sandbox Evasion
Contains capabilities to detect virtual machines | Malware Analysis System Evasion | Security Software Discovery; Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Drops PE files | Persistence and Installation Behavior |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Creates mutexes | System Summary |
Reads the hosts file | System Summary |
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Category: dropped
Dump: skotes.exe.0.dr
ID: dr_2
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.94980674543301
Encrypted: false
Ssdeep: 49152:ea7wlm3OM01MszDNdEmzJgLZJXPLvTtY3MJnFpY:em5WXNd9zWL3XPLb2Md
Size: 1930752
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Detected unpacking (changes PE section rights) | Data Obfuscation |
Creates multiple autostart registry keys | Boot Survival | Registry Run Keys / Startup Folder
Hides threads from debuggers | Anti Debugging | Security Software Discovery; Virtualization/Sandbox Evasion
Machine Learning detection for dropped file | AV Detection |
Sigma detected: New RUN Key Pointing to Suspicious Folder | System Summary |
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) | Boot Survival | Security Software Discovery
Tries to detect sandboxes / dynamic malware analysis system (registry check) | Malware Analysis System Evasion | Security Software Discovery
Checks if the current process is being debugged | Anti Debugging | Security Software Discovery; Virtualization/Sandbox Evasion
Contains functionality to query CPU information (cpuid) | Language, Device and Operating System Detection | System Information Discovery
Contains functionality to read the PEB | Anti Debugging |
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Detected potential crypto function | System Summary |
Drops PE files | Persistence and Installation Behavior |
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification | System Summary |
Contains functionality to download additional files from the internet | Networking |
Contains functionality to query local / system time | Language, Device and Operating System Detection | System Information Discovery
Contains functionality to query the account / user name | Language, Device and Operating System Detection | System Owner/User Discovery
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates an autostart registry key | Boot Survival | Registry Run Keys / Startup Folder
Creates files inside the user directory | System Summary |
Creates mutexes | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Sample might require command line arguments | System Summary | Command and Scripting Interpreter
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe:Zone.Identifier
Category: modified
Dump: skotes.exe_Zone.Identifier.0.dr
ID: dr_1
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: ASCII text, with CRLF line terminators
Entropy: 3.95006375643621
Encrypted: false
Ssdeep: 3:ggPYV:rPYV
Size: 26
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Detected unpacking (changes PE section rights) | Data Obfuscation |
Creates multiple autostart registry keys | Boot Survival | Registry Run Keys / Startup Folder
Hides threads from debuggers | Anti Debugging | Security Software Discovery; Virtualization/Sandbox Evasion
Machine Learning detection for dropped file | AV Detection |
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) | Boot Survival | Security Software Discovery
Tries to detect sandboxes / dynamic malware analysis system (registry check) | Malware Analysis System Evasion | Security Software Discovery
Checks if the current process is being debugged | Anti Debugging | Security Software Discovery; Virtualization/Sandbox Evasion
Contains functionality to query CPU information (cpuid) | Language, Device and Operating System Detection | System Information Discovery
Contains functionality to read the PEB | Anti Debugging |
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Detected potential crypto function | System Summary |
Drops PE files | Persistence and Installation Behavior |
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Contains functionality to download additional files from the internet | Networking |
Contains functionality to query local / system time | Language, Device and Operating System Detection | System Information Discovery
Contains functionality to query the account / user name | Language, Device and Operating System Detection | System Owner/User Discovery
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates an autostart registry key | Boot Survival | Registry Run Keys / Startup Folder
Creates files inside the user directory | System Summary |
Creates mutexes | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Sample might require command line arguments | System Summary | Command and Scripting Interpreter
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8b82d73f70.exe.log
Category: dropped
Dump: 8b82d73f70.exe.log.32.dr
ID: dr_33
Target ID: 32
Process: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe
Type: CSV text
Entropy: 5.360398796477698
Encrypted: false
Ssdeep: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
Size: 226
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41
Category: dropped
Dump: mozilla-temp-41.28.dr
ID: dr_27
Target ID: 28
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Entropy: 0.4593089050301797
Encrypted: false
Ssdeep: 48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
Size: 32768
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)
Category: dropped
Dump: ExperimentStoreData.json.tmp.28.dr
ID: dr_30
Target ID: 28
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 4.929514308466053
Encrypted: false
Ssdeep: 96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLzL+8P:8S+OBIUjOdwiOdYVjjwLX+8P
Size: 3621
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp
Category: dropped
Dump: ExperimentStoreData.json.tmp.28.dr
ID: dr_15
Target ID: 28
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 4.929514308466053
Encrypted: false
Ssdeep: 96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLzL+8P:8S+OBIUjOdwiOdYVjjwLX+8P
Size: 3621
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)
Category: dropped
Dump: addonStartup.json.lz4.tmp.28.dr
ID: dr_31
Target ID: 28
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: Mozilla lz4 compressed data, originally 23432 bytes
Entropy: 6.615424734763731
Encrypted: false
Ssdeep: 96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
Size: 5312
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp
Category: dropped
Dump: addonStartup.json.lz4.tmp.28.dr
ID: dr_16
Target ID: 28
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: Mozilla lz4 compressed data, originally 23432 bytes
Entropy: 6.615424734763731
Encrypted: false
Ssdeep: 96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
Size: 5312
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite
Category: dropped
Dump: content-prefs.sqlite.28.dr
ID: dr_18
Target ID: 28
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Entropy: 0.04905391753567332
Encrypted: false
Ssdeep: 24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
Size: 262144
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm
Category: dropped
Dump: favicons.sqlite-shm.28.dr
ID: dr_20
Target ID: 28
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: data
Entropy: 0.017262956703125623
Encrypted: false
Ssdeep: 3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
Size: 32768
Whitelisted: true
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite
Category: dropped
Dump: permissions.sqlite.28.dr
ID: dr_26
Target ID: 28
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Entropy: 0.07324952325868538
Encrypted: false
Ssdeep: 12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki+:DLhesh7Owd4+ji
Size: 98304
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Category: dropped
Dump: places.sqlite-shm.28.dr
ID: dr_21
Target ID: 28
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: data
Entropy: 0.035455806264726504
Encrypted: false
Ssdeep: 3:GtlstFBpij8E1S694tlstFBpij8E1S6ltL89//alEl:GtWttij8RW4tWttij8ROtL89XuM
Size: 32768
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Category: dropped
Dump: places.sqlite-wal.28.dr
ID: dr_22
Target ID: 28
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: SQLite Write-Ahead Log, version 3007000
Entropy: 0.03972939710481977
Encrypted: false
Ssdeep: 3:Ol1aj8vUi/ysdMjlxVsF57l8rEXsxdwhml8XW3R2:K8AvUcilxVCl8dMhm93w
Size: 32824
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js
Category: dropped
Dump: prefs-1.js.28.dr
ID: dr_24
Target ID: 28
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: ASCII text, with very long lines (1809), with CRLF line terminators
Entropy: 5.491817387652442
Encrypted: false
Ssdeep: 192:9naRtLYbBp6Ahj4qyaaX86KlNvh5RfGNBw8dYSl:geqquOtcwL0
Size: 11974
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)
Category: dropped
Dump: prefs-1.js.28.dr
ID: dr_28
Target ID: 28
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: ASCII text, with very long lines (1809), with CRLF line terminators
Entropy: 5.491817387652442
Encrypted: false
Ssdeep: 192:9naRtLYbBp6Ahj4qyaaX86KlNvh5RfGNBw8dYSl:geqquOtcwL0
Size: 11974
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite
Category: dropped
Dump: protections.sqlite.28.dr
ID: dr_19
Target ID: 28
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Entropy: 0.04062825861060003
Encrypted: false
Ssdeep: 6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
Size: 65536
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)
Category: dropped
Dump: sessionCheckpoints.json.tmp.28.dr
ID: dr_29
Target ID: 28
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 4.194538242412464
Encrypted: false
Ssdeep: 3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
Size: 90
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp
Category: dropped
Dump: sessionCheckpoints.json.tmp.28.dr
ID: dr_25
Target ID: 28
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 4.194538242412464
Encrypted: false
Ssdeep: 3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
Size: 90
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite
Category: dropped
Dump: storage.sqlite.28.dr
ID: dr_23
Target ID: 28
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Entropy: 2.0836444556178684
Encrypted: false
Ssdeep: 24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
Size: 4096
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)
Category: dropped
Dump: targeting.snapshot.json.tmp.28.dr
ID: dr_32
Target ID: 28
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 5.033312689034004
Encrypted: false
Ssdeep: 48:YrSAYvc86UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcb5:ycByTEr5QFRzzcMvbw6KkCrrc2Rn27
Size: 4537
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp
Category: dropped
Dump: targeting.snapshot.json.tmp.28.dr
ID: dr_17
Target ID: 28
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Type: JSON data
Entropy: 5.033312689034004
Encrypted: false
Ssdeep: 48:YrSAYvc86UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcb5:ycByTEr5QFRzzcMvbw6KkCrrc2Rn27
Size: 4537
Whitelisted: false
Reputation: timeout

File: C:\Windows\Tasks\skotes.job
Category: dropped
Dump: skotes.job.0.dr
ID: dr_0
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: data
Entropy: 3.4136171436422336
Encrypted: false
Ssdeep: 6:nV5YvXflNeRKUEZ+lX1CGdKUe6tPjgsW2YRZuy0lBHt0:EPf2RKQ1CGAFAjzvYRQVBHt0
Size: 284
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Creates files inside the system directory | System Summary |
Creates job files (autostart) | Boot Survival |