2906Exes_ef9e7f4c4bba8cb1990f355d8431909c_exe_2019-09-24_11_30.txt


* ID: 2906
* MalFamily: "Malicious"

* MalScore: 10.0

* File Name: "Exes_ef9e7f4c4bba8cb1990f355d8431909c.exe"
* File Size: 307712
* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
* SHA256: "d8ced413907106a48f3caafd374c4fe809cb7baefa254a1e650a230226461a84"
* MD5: "ef9e7f4c4bba8cb1990f355d8431909c"
* SHA1: "c813db4a4a3518d049c7cde1bc45b89cfab6f836"
* SHA512: "49c266cacc9ccb741b432169c386ba1985a43307cc134da40736f1fdce66f7e6b618b28a40d324afc046d7d4bd9539e3f91e9fec421a3fb8444db70a305a42f0"
* CRC32: "9D973950"
* SSDEEP: "3072:MHBOzBR8au+1TsBNEBNwBNEBN0Kqa5vLyUUUI4EsLS1e1zjD024m/VVVRrwpi73I:gDLiuiJ2KIB01vQ24k/VRUo3V4j9FL6"

* Process Execution:
    "C93vaJJ.exe",
    "wscript.exe",
    "cmd.exe",
    "AuditLog.exe",
    "svchost.exe"


* Executed Commands:
    "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs\"",
    "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs ",
    "\"C:\\Windows\\System32\\cmd.exe\" /c \"C:\\Users\\user\\DefaultUser\\AuditLog.exe\"",
    "cmd /c \"C:\\Users\\user\\DefaultUser\\AuditLog.exe\"",
    "C:\\Users\\user\\DefaultUser\\AuditLog.exe",
    "C:\\Windows\\SysWOW64\\svchost.exe",
    "\"C:\\Users\\user\\DefaultUser\\AuditLog.exe\"",
    "C:\\Users\\user\\DefaultUser\\AuditLog.exe "


* Signatures Detected:

        "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
        "Details":


        "Description": "Behavioural detection: Executable code extraction",
        "Details":


        "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
        "Details":

                "IP_ioc": "194.61.24.46:2405 (unknown)"


        "Description": "Detected script timer window indicative of sleep style evasion",
        "Details":

                "Window": "WSH-Timer"


        "Description": "A process attempted to delay the analysis task.",
        "Details":

                "Process": "AuditLog.exe tried to sleep 729 seconds, actually delayed analysis time by 0 seconds"


        "Description": "Reads data out of its own binary image",
        "Details":

                "self_read": "process: wscript.exe, pid: 2400, offset: 0x00000000, length: 0x00000040"


                "self_read": "process: wscript.exe, pid: 2400, offset: 0x000000f0, length: 0x00000018"


                "self_read": "process: wscript.exe, pid: 2400, offset: 0x000001e8, length: 0x00000078"


                "self_read": "process: wscript.exe, pid: 2400, offset: 0x00018000, length: 0x00000020"


                "self_read": "process: wscript.exe, pid: 2400, offset: 0x00018058, length: 0x00000018"


                "self_read": "process: wscript.exe, pid: 2400, offset: 0x000181a8, length: 0x00000018"


                "self_read": "process: wscript.exe, pid: 2400, offset: 0x00018470, length: 0x00000010"


                "self_read": "process: wscript.exe, pid: 2400, offset: 0x00018640, length: 0x00000012"


                "self_read": "process: AuditLog.exe, pid: 2452, offset: 0x00000000, length: 0x0004b200"


        "Description": "A process created a hidden window",
        "Details":

                "Process": "C93vaJJ.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs"


                "Process": "wscript.exe -> cmd"


        "Description": "A scripting utility was executed",
        "Details":

                "command": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs\""


        "Description": "Uses Windows utilities for basic functionality",
        "Details":

                "command": "\"C:\\Windows\\System32\\cmd.exe\" /c \"C:\\Users\\user\\DefaultUser\\AuditLog.exe\""


                "command": "cmd /c \"C:\\Users\\user\\DefaultUser\\AuditLog.exe\""


        "Description": "Behavioural detection: Injection (Process Hollowing)",
        "Details":

                "Injection": "AuditLog.exe(2452) -> svchost.exe(2336)"


        "Description": "Executed a process and injected code into it, probably while unpacking",
        "Details":

                "Injection": "AuditLog.exe(2452) -> svchost.exe(2336)"


        "Description": "Behavioural detection: Injection (inter-process)",
        "Details":


        "Description": "Installs itself for autorun at Windows startup",
        "Details":

                "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DefaultUser"


                "data": "\"C:\\Users\\user\\DefaultUser\\AuditLog.exe\""


        "Description": "Creates a hidden or system file",
        "Details":

                "file": "C:\\Users\\user\\DefaultUser\\AuditLog.exe"


                "file": "C:\\Users\\user\\DefaultUser"


        "Description": "File has been identified by 18 Antiviruses on VirusTotal as malicious",
        "Details":

                "FireEye": "Generic.mg.ef9e7f4c4bba8cb1"


                "Malwarebytes": "Trojan.MalPack.GS"


                "Cybereason": "malicious.a4a351"


                "Invincea": "heuristic"


                "Symantec": "Packed.Generic.528"


                "APEX": "Malicious"


                "Paloalto": "generic.ml"


                "Emsisoft": "Trojan-Ransom.Shade (A)"


                "McAfee-GW-Edition": "BehavesLike.Win32.MultiPlug.fh"


                "Trapmine": "malicious.moderate.ml.score"


                "Webroot": "W32.Trojan.Gen"


                "Microsoft": "Trojan:Win32/Wacatac.B!ml"


                "Endgame": "malicious (high confidence)"


                "Acronis": "suspicious"


                "Cylance": "Unsafe"


                "Rising": "Stealer.Agent!8.C2 (TFE:6:BZHf25MkWlT)"


                "CrowdStrike": "win/malicious_confidence_100% (W)"


                "Qihoo-360": "HEUR/QVM10.1.1953.Malware.Gen"


        "Description": "Creates a copy of itself",
        "Details":

                "copy": "C:\\Users\\user\\DefaultUser\\AuditLog.exe"


        "Description": "Drops a binary and executes it",
        "Details":

                "binary": "C:\\Users\\user\\DefaultUser\\AuditLog.exe"


* Started Service:

* Mutexes:
    "Remcos_Mutex_Inj",
    "MSOffice-FNHK9C",
    "Local\\ZoneAttributeCacheCounterMutex",
    "Local\\ZonesCacheCounterMutex",
    "Local\\ZonesLockedCacheCounterMutex",
    "Mutex_RemWatchdog"


* Modified Files:
    "C:\\Users\\user\\DefaultUser\\AuditLog.exe",
    "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs"


* Deleted Files:
    "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs"


* Modified Registry Keys:
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DefaultUser",
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
    "HKEY_CURRENT_USER\\Software\\MSOffice-FNHK9C\\",
    "HKEY_CURRENT_USER\\Software\\MSOffice-FNHK9C\\exepath",
    "HKEY_CURRENT_USER\\Software\\MSOffice-FNHK9C\\licence",
    "HKEY_CURRENT_USER\\Software\\MSOffice-FNHK9C\\WD",
    "HKEY_CURRENT_USER\\Software\\MSOffice-FNHK9C\\WDH"


* Deleted Registry Keys:
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
    "HKEY_CURRENT_USER\\Software\\MSOffice-FNHK9C\\WD"


* DNS Communications:

* Domains:

* Network Communication - ICMP:

* Network Communication - HTTP:

* Network Communication - SMTP:

* Network Communication - Hosts:

        "country_name": "unknown",
        "ip": "194.61.24.46",
        "inaddrarpa": "",
        "hostname": ""


* Network Communication - IRC: