Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

PRTService.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.818104665244162
Filename:	PRTService.exe
Filesize:	957952
MD5:	4a838989da416e3d16c520d03c3ba192
SHA1:	f2fb096d74527a06c5b5c2975fd438419ec171b6
SHA256:	26c2caf1eb317e9354cec8a92e824a495ce7d253f6d1779226138e6994553cf9
SHA512:	ab62430a4d72f4e6d71c489fe45e338a8b877f5d9936bd10ea60a6d325fa02e03d25652a04a3262fcff8347e121fee876b4b98c8f767f5339ba8c01c1d0d9f9c
SSDEEP:	12288:4BnFzJLhIE3wD2gM+L+GQtXJoqWJ+7MVOIVcD:cFprPDtPW87MVOs8
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z............................z.... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion	Native API
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
One or more processes crash	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads software policies	System Summary
Sample might require command line arguments	System Summary
Sample reads its own file content	System Summary
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary
Uses Microsoft Silverlight	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_prtservice.exe_9a52ed83f9a038e8d5d8a8b157025a4bf964059_00000000_170c17b5\Report.wer

Little-endian UTF-16 Unicode text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_prtservice.exe_9a52ed83f9a038e8d5d8a8b157025a4bf964059_00000000_170c17b5\Report.wer
Category:	dropped
Dump:	Report.wer.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Entropy:	3.77494316680188
Encrypted:	false
Ssdeep:	192:qukBTvHiNmXmhnZaKsn9fXeewQlfY/u7s6S274ItxUn:r2TiraDfY/u7s6X4ItW
Size:	12060
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC2.tmp.WERInternalMetadata.xml

XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC2.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERDC2.tmp.WERInternalMetadata.xml.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Entropy:	3.696497169104449
Encrypted:	false
Ssdeep:	192:Rrl7r3GLNik6U6ksMe6YSKSUNC1lgmfZJAdS+Cp1yb1fYqGm:RrlsNiI696YfSUNC1lgmfXOSnypfr
Size:	7680
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE60.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERE60.tmp.xml
Category:	dropped
Dump:	WERE60.tmp.xml.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.4714599202674306
Encrypted:	false
Ssdeep:	48:cvIwSD8zsvJgtWI9ZVWSC8Bhs8fm8M4JFKzLtJ2F3f+q8vCLtJfebF9pd:uITfR6kSNbRJFKsfKMep9pd
Size:	4699
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\1d7a2c72-3aee-4299-91f8-2280595a512b\AgileDotNetRT.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\1d7a2c72-3aee-4299-91f8-2280595a512b\AgileDotNetRT.dll
Category:	dropped
Dump:	AgileDotNetRT.dll.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Users\user\Desktop\PRTService.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.470545105128027
Encrypted:	false
Ssdeep:	3072:eoVfy2n+bR4l+w5wIDn+1HcR6bpMpImsGPZni2:ly2n+bR42xcR6bpUxni2
Size:	123285
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\PRTService.exe

'C:\Users\user\Desktop\PRTService.exe'

Details

Is windows:	false
Is dropped:	false
PID:	5480
Target ID:	1
Parent PID:	5724
Name:	PRTService.exe
Path:	C:\Users\user\Desktop\PRTService.exe
Commandline:	'C:\Users\user\Desktop\PRTService.exe'
Size:	957952
MD5:	4A838989DA416E3D16C520D03C3BA192
Time:	12:04:55
Date:	22/07/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xec0000
Modulesize:	983040
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 852

Details

Is windows:	true
Is dropped:	false
PID:	5976
Target ID:	2
Parent PID:	5480
Name:	dw20.exe
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Commandline:	dw20.exe -x -s 852
Size:	33936
MD5:	8D10DA8A3E11747E51F23C882C22BBC3
Time:	12:04:56
Date:	22/07/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x10000000
Modulesize:	36864
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

Registry

Path

Value

Malicious

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

AmiHivePermissionsCorrect

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

AmiHiveOwnerCorrect

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

ProgramId

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

FileId

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

LowerCaseLongPath

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

LongPathHash

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

Name

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

Publisher

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

Version

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

BinFileVersion

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

BinaryType

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

ProductName

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

ProductVersion

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

LinkDate

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

BinProductVersion

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

Size

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

Language

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

IsPeFile

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

IsOsComponent

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

DeviceTicket

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

DeviceId

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

ApplicationFlags

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

001800062C4102CA

There are 13 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

7FF574296000

unkown

page readonly

1A1A000

unkown

page execute and read and write

5A60000

unkown

page read and write

5C60000

heap private

page read and write

7FF574228000

unkown

page readonly

EC0000

unkown image

page readonly

EC0000

unkown image

page readonly

513AC7F000

unkown

page read and write

22521F00000

heap default

page read and write

7FF57409F000

unkown

page readonly

1A12000

unkown

page execute and read and write

1470000

unkown

page read and write

15BB000

heap default

page read and write

13A0000

unkown

page readonly

513A9FB000

unkown

page read and write

561E000

unkown

page read and write

7FF5742A5000

unkown

page readonly

6E486000

unkown image

page readonly

7FF574269000

unkown

page readonly

22521EA0000

heap private

page read and write

22521F10000

unkown

page readonly

22522A00000

unkown

page readonly

5740000

unkown

page execute and read and write

7FF574319000

unkown

page readonly

10C1000

unkown

page read and write

22522108000

unkown

page read and write

1A30000

heap private

page read and write

5D60000

heap private

page execute and read and write

513A59E000

unkown

page read and write

158A000

heap default

page read and write

1530000

unkown

page readonly

6E488000

unkown image

page execute and write copy

578B000

unkown

page readonly

1570000

heap private

page execute and read and write

7FF574226000

unkown

page readonly

15D4000

heap default

page read and write

7FF574311000

unkown

page readonly

14BE000

unkown

page read and write

7FF5742B0000

unkown

page readonly

6E481000

unkown image

page readonly

7FF57430E000

unkown

page readonly

7FF573F6D000

unkown

page readonly

5760000

unkown

page readonly

22522660000

unkown

page read and write

EF8000

unkown image

page readonly

1580000

heap default

page read and write

7FF57423A000

unkown

page readonly

1A40000

unkown

page readonly

10CA000

unkown

page read and write

513A49B000

unkown

page read and write

14C0000

heap private

page read and write

152E000

unkown

page read and write

5B80000

unkown

page read and write

22522200000

unkown

page readonly

7FF574157000

unkown

page readonly

7FF5742B7000

unkown

page readonly

3070000

unkown

page read and write

7FF574286000

unkown

page readonly

22522000000

unkown

page read and write

7FF57428C000

unkown

page readonly

32A0000

unkown

page readonly

22522056000

unkown

page read and write

5750000

unkown

page readonly

1A22000

unkown

page execute and read and write

7FF57418C000

unkown

page readonly

6E487000

unkown image

page execute and read and write

14E0000

heap default

page read and write

5B70000

unkown

page readonly

7FF5740EA000

unkown

page readonly

5A5F000

unkown

page read and write

7FF574108000

unkown

page readonly

10D0000

unkown

page read and write

225226B0000

unkown

page readonly

6E460000

unkown image

page readonly

EC2000

unkown image

page readonly

14D0000

unkown

page readonly

22522100000

unkown

page read and write

22522081000

unkown

page read and write

2252204B000

unkown

page read and write

6E483000

unkown image

page read and write

7FF57427D000

unkown

page readonly

10CD000

unkown

page read and write

57B0000

unkown

page readonly

2252203C000

unkown

page read and write

7FF574123000

unkown

page readonly

22522802000

unkown

page read and write

7FF574212000

unkown

page readonly

2252208E000

unkown

page read and write

7FF57412D000

unkown

page readonly

187F000

unkown

page read and write

571E000

unkown

page read and write

123C000

unkown

page read and write

7FF57424E000

unkown

page readonly

6E460000

unkown image

page readonly

513A51E000

unkown

page read and write

7FF57425F000

unkown

page readonly

22522051000

unkown

page read and write

1A2C000

unkown

page execute and read and write

6E485000

unkown image

page write copy

1A2A000

unkown

page execute and read and write

5910000

unkown

page readonly

7FF573E20000

unkown

page readonly

22521FF0000

unkown

page readonly

513AD7F000

unkown

page read and write

3195000

heap private

page read and write

3190000

heap private

page read and write

5750000

unkown

page read and write

513AA7E000

unkown

page read and write

595E000

unkown

page read and write

22521FE0000

unkown

page readonly

307B000

unkown

page execute and read and write

576C000

unkown

page readonly

2252204E000

unkown

page read and write

5810000

unkown

page readonly

7FF574255000

unkown

page readonly

3062000

unkown

page execute and read and write

177E000

unkown

page read and write

1560000

unkown

page read and write

5767000

unkown

page readonly

7FF573E0A000

unkown

page readonly

7FF5742B4000

unkown

page readonly

22522029000

unkown

page read and write

EC2000

unkown image

page readonly

7FF57429C000

unkown

page readonly

22522046000

unkown

page read and write

3170000

unkown

page read and write

6E471000

unkown image

page execute read

30BE000

unkown

page read and write

3180000

unkown

page readonly

22522013000

unkown

page read and write

7FF573E10000

unkown

page readonly

5730000

unkown

page read and write

22522113000

unkown

page read and write

7FF574151000

unkown

page readonly

10BD000

unkown

page read and write

7FF574319000

unkown

page readonly

3077000

unkown

page execute and read and write

329F000

unkown

page read and write

7FF574210000

unkown

page readonly

35E1000

unkown

page read and write

5B60000

unkown

page read and write

5900000

unkown

page execute and read and write

15E2000

heap default

page read and write

45E1000

unkown

page read and write

22522070000

unkown

page read and write

EF8000

unkown image

page readonly

7FF5740DE000

unkown

page readonly

513AB77000

unkown

page read and write

7FF574222000

unkown

page readonly

EC0000

unkown image

page readonly

5720000

unkown

page readonly

7FF57403A000

unkown

page readonly

1540000

unkown

page read and write

22522102000

unkown

page read and write

1336000

unkown

page read and write

There are 145 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

Registry

Memdumps