- * ID: 2906
- * MalFamily: "Malicious"
- * MalScore: 10.0
- * File Name: "Exes_ef9e7f4c4bba8cb1990f355d8431909c.exe"
- * File Size: 307712
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "d8ced413907106a48f3caafd374c4fe809cb7baefa254a1e650a230226461a84"
- * MD5: "ef9e7f4c4bba8cb1990f355d8431909c"
- * SHA1: "c813db4a4a3518d049c7cde1bc45b89cfab6f836"
- * SHA512: "49c266cacc9ccb741b432169c386ba1985a43307cc134da40736f1fdce66f7e6b618b28a40d324afc046d7d4bd9539e3f91e9fec421a3fb8444db70a305a42f0"
- * CRC32: "9D973950"
- * SSDEEP: "3072:MHBOzBR8au+1TsBNEBNwBNEBN0Kqa5vLyUUUI4EsLS1e1zjD024m/VVVRrwpi73I:gDLiuiJ2KIB01vQ24k/VRUo3V4j9FL6"
- * Process Execution:
- "C93vaJJ.exe",
- "wscript.exe",
- "cmd.exe",
- "AuditLog.exe",
- "svchost.exe"
- * Executed Commands:
- "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs\"",
- "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs ",
- "\"C:\\Windows\\System32\\cmd.exe\" /c \"C:\\Users\\user\\DefaultUser\\AuditLog.exe\"",
- "cmd /c \"C:\\Users\\user\\DefaultUser\\AuditLog.exe\"",
- "C:\\Users\\user\\DefaultUser\\AuditLog.exe",
- "C:\\Windows\\SysWOW64\\svchost.exe",
- "\"C:\\Users\\user\\DefaultUser\\AuditLog.exe\"",
- "C:\\Users\\user\\DefaultUser\\AuditLog.exe "
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
- "Details":
- "IP_ioc": "194.61.24.46:2405 (unknown)"
- "Description": "Detected script timer window indicative of sleep style evasion",
- "Details":
- "Window": "WSH-Timer"
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "AuditLog.exe tried to sleep 729 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: wscript.exe, pid: 2400, offset: 0x00000000, length: 0x00000040"
- "self_read": "process: wscript.exe, pid: 2400, offset: 0x000000f0, length: 0x00000018"
- "self_read": "process: wscript.exe, pid: 2400, offset: 0x000001e8, length: 0x00000078"
- "self_read": "process: wscript.exe, pid: 2400, offset: 0x00018000, length: 0x00000020"
- "self_read": "process: wscript.exe, pid: 2400, offset: 0x00018058, length: 0x00000018"
- "self_read": "process: wscript.exe, pid: 2400, offset: 0x000181a8, length: 0x00000018"
- "self_read": "process: wscript.exe, pid: 2400, offset: 0x00018470, length: 0x00000010"
- "self_read": "process: wscript.exe, pid: 2400, offset: 0x00018640, length: 0x00000012"
- "self_read": "process: AuditLog.exe, pid: 2452, offset: 0x00000000, length: 0x0004b200"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "C93vaJJ.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs"
- "Process": "wscript.exe -> cmd"
- "Description": "A scripting utility was executed",
- "Details":
- "command": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs\""
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "\"C:\\Windows\\System32\\cmd.exe\" /c \"C:\\Users\\user\\DefaultUser\\AuditLog.exe\""
- "command": "cmd /c \"C:\\Users\\user\\DefaultUser\\AuditLog.exe\""
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "AuditLog.exe(2452) -> svchost.exe(2336)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "AuditLog.exe(2452) -> svchost.exe(2336)"
- "Description": "Behavioural detection: Injection (inter-process)",
- "Details":
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DefaultUser"
- "data": "\"C:\\Users\\user\\DefaultUser\\AuditLog.exe\""
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\DefaultUser\\AuditLog.exe"
- "file": "C:\\Users\\user\\DefaultUser"
- "Description": "File has been identified by 18 Antiviruses on VirusTotal as malicious",
- "Details":
- "FireEye": "Generic.mg.ef9e7f4c4bba8cb1"
- "Malwarebytes": "Trojan.MalPack.GS"
- "Cybereason": "malicious.a4a351"
- "Invincea": "heuristic"
- "Symantec": "Packed.Generic.528"
- "APEX": "Malicious"
- "Paloalto": "generic.ml"
- "Emsisoft": "Trojan-Ransom.Shade (A)"
- "McAfee-GW-Edition": "BehavesLike.Win32.MultiPlug.fh"
- "Trapmine": "malicious.moderate.ml.score"
- "Webroot": "W32.Trojan.Gen"
- "Microsoft": "Trojan:Win32/Wacatac.B!ml"
- "Endgame": "malicious (high confidence)"
- "Acronis": "suspicious"
- "Cylance": "Unsafe"
- "Rising": "Stealer.Agent!8.C2 (TFE:6:BZHf25MkWlT)"
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- "Qihoo-360": "HEUR/QVM10.1.1953.Malware.Gen"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Users\\user\\DefaultUser\\AuditLog.exe"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\DefaultUser\\AuditLog.exe"
- * Started Service:
- * Mutexes:
- "Remcos_Mutex_Inj",
- "MSOffice-FNHK9C",
- "Local\\ZoneAttributeCacheCounterMutex",
- "Local\\ZonesCacheCounterMutex",
- "Local\\ZonesLockedCacheCounterMutex",
- "Mutex_RemWatchdog"
- * Modified Files:
- "C:\\Users\\user\\DefaultUser\\AuditLog.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DefaultUser",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
- "HKEY_CURRENT_USER\\Software\\MSOffice-FNHK9C\\",
- "HKEY_CURRENT_USER\\Software\\MSOffice-FNHK9C\\exepath",
- "HKEY_CURRENT_USER\\Software\\MSOffice-FNHK9C\\licence",
- "HKEY_CURRENT_USER\\Software\\MSOffice-FNHK9C\\WD",
- "HKEY_CURRENT_USER\\Software\\MSOffice-FNHK9C\\WDH"
- * Deleted Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_CURRENT_USER\\Software\\MSOffice-FNHK9C\\WD"
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "unknown",
- "ip": "194.61.24.46",
- "inaddrarpa": "",
- "hostname": ""
- * Network Communication - IRC: