Exes_55610ca97ada08b87127917dfc931435_exe_2019-07-17_19_30.txt

1.  
2. * MalFamily: "5B537D77"
3.  
4. * MalScore: 10.0
5.  
6. * File Name: "Exes_55610ca97ada08b87127917dfc931435.exe"
7. * File Size: 935424
8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
9. * SHA256: "efcc24a10495c7d9ed4445e99661edb28a40afaf59fb2289cab0c10b26572d39"
10. * MD5: "55610ca97ada08b87127917dfc931435"
11. * SHA1: "431377a44732665861cb9ed1c0d728d4fa7faec6"
12. * SHA512: "2e66fed38189ca83c4ff4a8f0ffb20c794e8703c9515703c2c1bd8b2c45105dea279b54c4af3c54a6f74e3eecf3bfe57056023caf992269da8ee913f1f36d194"
13. * CRC32: "5B537D77"
14. * SSDEEP: "24576:nrIKt0CU+YM7oG2VB+XwK6G9o47GQuWc+DVn:PKNVB0a+xn"
15.  
16. * Process Execution:
17. "Exes_55610ca97ada08b87127917dfc931435.exe",
18. "Exes_55610ca97ada08b87127917dfc931435.exe",
19. "images.exe",
20. "images.exe",
21. "cmd.exe"
22.  
23.  
24. * Executed Commands:
25. "\"C:\\Users\\user\\AppData\\Local\\Temp\\Exes_55610ca97ada08b87127917dfc931435.exe\"",
26. "\"C:\\ProgramData\\images.exe\""
27.  
28.  
29. * Signatures Detected:
30.  
31. "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
32. "Details":
33.  
34. "IP": "159.122.133.231:5200"
35.  
36.  
37.  
38.  
39. "Description": "Creates RWX memory",
40. "Details":
41.  
42.  
43. "Description": "A process attempted to delay the analysis task.",
44. "Details":
45.  
46. "Process": "cmd.exe tried to sleep 264 seconds, actually delayed analysis time by 0 seconds"
47.  
48.  
49.  
50.  
51. "Description": "A process created a hidden window",
52. "Details":
53.  
54. "Process": "images.exe -> C:\\Windows\\System32\\cmd.exe"
55.  
56.  
57.  
58.  
59. "Description": "Drops a binary and executes it",
60. "Details":
61.  
62. "binary": "C:\\ProgramData\\images.exe"
63.  
64.  
65.  
66.  
67. "Description": "Executed a process and injected code into it, probably while unpacking",
68. "Details":
69.  
70. "Injection": "Exes_55610ca97ada08b87127917dfc931435.exe(2356) -> Exes_55610ca97ada08b87127917dfc931435.exe(1948)"
71.  
72.  
73.  
74.  
75. "Description": "Attempts to remove evidence of file being downloaded from the Internet",
76. "Details":
77.  
78. "file": "C:\\ProgramData\\images.exe:Zone.Identifier"
79.  
80.  
81.  
82.  
83. "Description": "Code injection with CreateRemoteThread in a remote process",
84. "Details":
85.  
86. "Injection": "images.exe(1580) -> cmd.exe(2756)"
87.  
88.  
89.  
90.  
91. "Description": "Installs itself for autorun at Windows startup",
92. "Details":
93.  
94. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images"
95.  
96.  
97. "data": "C:\\ProgramData\\images.exe"
98.  
99.  
100.  
101.  
102. "Description": "File has been identified by 21 Antiviruses on VirusTotal as malicious",
103. "Details":
104.  
105. "FireEye": "Generic.mg.55610ca97ada08b8"
106.  
107.  
108. "TrendMicro": "TrojanSpy.Win32.LOKI.SMDD.hp"
109.  
110.  
111. "Symantec": "Packed.Generic.516"
112.  
113.  
114. "APEX": "Malicious"
115.  
116.  
117. "Kaspersky": "UDS:DangerousObject.Multi.Generic"
118.  
119.  
120. "Invincea": "heuristic"
121.  
122.  
123. "McAfee-GW-Edition": "BehavesLike.Win32.Fareit.dh"
124.  
125.  
126. "Trapmine": "malicious.high.ml.score"
127.  
128.  
129. "Microsoft": "Trojan:Win32/Wacatac.B!ml"
130.  
131.  
132. "Endgame": "malicious (high confidence)"
133.  
134.  
135. "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
136.  
137.  
138. "AhnLab-V3": "Win-Trojan/Delphiless.Exp"
139.  
140.  
141. "Acronis": "suspicious"
142.  
143.  
144. "Cylance": "Unsafe"
145.  
146.  
147. "TrendMicro-HouseCall": "TrojanSpy.Win32.LOKI.SMDD.hp"
148.  
149.  
150. "Rising": "Trojan.Injector!1.AFE3 (CLASSIC)"
151.  
152.  
153. "SentinelOne": "DFI - Suspicious PE"
154.  
155.  
156. "Fortinet": "W32/Injector.EGKJ!tr"
157.  
158.  
159. "Cybereason": "malicious.447326"
160.  
161.  
162. "CrowdStrike": "win/malicious_confidence_90% (D)"
163.  
164.  
165. "Qihoo-360": "HEUR/QVM05.1.9663.Malware.Gen"
166.  
167.  
168.  
169.  
170. "Description": "Creates a copy of itself",
171. "Details":
172.  
173. "copy": "C:\\ProgramData\\images.exe"
174.  
175.  
176.  
177.  
178. "Description": "Anomalous binary characteristics",
179. "Details":
180.  
181. "anomaly": "Timestamp on binary predates the release date of the OS version it requires by at least a year"
182.  
183.  
184.  
185.  
186.  
187. * Started Service:
188.  
189. * Mutexes:
190.  
191. * Modified Files:
192. "C:\\ProgramData\\images.exe"
193.  
194.  
195. * Deleted Files:
196. "C:\\ProgramData\\images.exe:Zone.Identifier"
197.  
198.  
199. * Modified Registry Keys:
200. "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\msvideo",
201. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server",
202. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer",
203. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\1FFK5KMT5B",
204. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\1FFK5KMT5B\\inst",
205. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images"
206.  
207.  
208. * Deleted Registry Keys:
209.  
210. * DNS Communications:
211.  
212. "type": "A",
213. "request": "masterprof.warzonedns.com",
214. "answers":
215.  
216. "data": "159.122.133.231",
217. "type": "A"
218.  
219.  
220.  
221.  
222.  
223. * Domains:
224.  
225. "ip": "159.122.133.231",
226. "domain": "masterprof.warzonedns.com"
227.  
228.  
229.  
230. * Network Communication - ICMP:
231.  
232. * Network Communication - HTTP:
233.  
234. * Network Communication - SMTP:
235.  
236. * Network Communication - Hosts:
237.  
238. * Network Communication - IRC: