- * ID: 1688
- * MalFamily: "Trojan.Autoit"
- * MalScore: 10.0
- * File Name: "Exes_97816f8dd94d63a4f608d76338b0d9ef.exe"
- * File Size: 1129635
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "0d310e6d0f42fddaa21866fb4254f27f4fae7b95689f7bf3593429cee2b7acec"
- * MD5: "97816f8dd94d63a4f608d76338b0d9ef"
- * SHA1: "acb680f732f9257d89c4a16f9e474a573e0d06c8"
- * SHA512: "b54958f57490c707066a146f733d7996e25af1890d0dfadb37ae9761bff01c7c8a7c5e871b9fa1f35c777fe34061cca35cfc01bd3fb81d05ca121c63a728c492"
- * CRC32: "515CF846"
- * SSDEEP: "12288:8hkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aaZjupXgOcwywYbKPm7cia:0RmJkcoQricOIQxiZY1iaozLNPenjLqe"
- * Process Execution:
- "JLe2ujwgu6.exe",
- "cmd.exe",
- "schtasks.exe",
- "wscript.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "svchost.exe",
- "taskeng.exe",
- "taskeng.exe",
- "msoia.exe",
- "msoia.exe",
- "WMIADAP.exe",
- "taskeng.exe",
- "taskeng.exe",
- "explorer.exe"
- * Executed Commands:
- "C:\\Windows\\system32\\cmd.exe /c schtasks /create /tn EPGNVR.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe /sc minute /mo 1",
- "WSCript C:\\Users\\user\\AppData\\Local\\Temp\\EPGNVR.vbs",
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
- "taskeng.exe BA95BF75-FDB3-4DB7-B60E-48341AA969B1 S-1-5-18:NT AUTHORITY\\System:Service:",
- "taskeng.exe C05BF83C-5ED3-4408-992C-5513FEBEE1FC S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
- "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R",
- "taskeng.exe 8A32D3B5-B47B-4B57-88CB-A81D3D24443A S-1-5-18:NT AUTHORITY\\System:Service:",
- "taskeng.exe 22690220-5953-4AA7-B8C2-186F354EF3FB S-1-5-18:NT AUTHORITY\\System:Service:",
- "schtasks /create /tn EPGNVR.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe /sc minute /mo 1",
- "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
- "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880",
- "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution",
- "Details":
- "command": "C:\\Windows\\system32\\cmd.exe /c schtasks /create /tn EPGNVR.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe /sc minute /mo 1"
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "Detected script timer window indicative of sleep style evasion",
- "Details":
- "Window": "WSH-Timer"
- "Description": "Expresses interest in specific running processes",
- "Details":
- "process": "wscript.exe"
- "Description": "Reads data out of its own binary image",
- "Details":
- "Description": "A process created a hidden window",
- "Details":
- "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
- "Description": "A scripting utility was executed",
- "Details":
- "command": "WSCript C:\\Users\\user\\AppData\\Local\\Temp\\EPGNVR.vbs"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "C:\\Windows\\system32\\cmd.exe /c schtasks /create /tn EPGNVR.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe /sc minute /mo 1"
- "command": "C:\\Windows\\system32\\cmd.exe /c schtasks /create /tn EPGNVR.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe /sc minute /mo 1"
- "command": "C:\\Windows\\system32\\cmd.exe /c schtasks /create /tn EPGNVR.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe /sc minute /mo 1"
- "command": "schtasks /create /tn EPGNVR.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe /sc minute /mo 1"
- "command": "schtasks /create /tn EPGNVR.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe /sc minute /mo 1"
- "command": "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\""
- "Description": "Sniffs keystrokes",
- "Details":
- "SetWindowsHookExW": "Process: explorer.exe(1884)"
- "Description": "Behavioural detection: Transacted Hollowing",
- "Details":
- "Description": "A process attempted to delay the analysis task by a long amount of time.",
- "Details":
- "Process": "wscript.exe tried to sleep 2100 seconds, actually delayed analysis time by 0 seconds"
- "Process": "svchost.exe tried to sleep 307 seconds, actually delayed analysis time by 0 seconds"
- "Process": "taskeng.exe tried to sleep 361 seconds, actually delayed analysis time by 0 seconds"
- "Process": "WmiPrvSE.exe tried to sleep 1920 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config",
- "Details":
- "regkeyval": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage2\\ProgramsCache"
- "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
- "Details":
- "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\EPGNVR"
- "data": "\"C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe\""
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\EPGNVR.lnk"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\EPGNVR.lnk"
- "task": "C:\\Windows\\system32\\cmd.exe /c schtasks /create /tn EPGNVR.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe /sc minute /mo 1"
- "Description": "File has been identified by 28 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "AIT:Trojan.Nymeria.705"
- "FireEye": "Generic.mg.97816f8dd94d63a4"
- "Cybereason": "malicious.dd94d6"
- "APEX": "Malicious"
- "Paloalto": "generic.ml"
- "Kaspersky": "Trojan-Spy.PowerShell.KeyLogger.c"
- "BitDefender": "AIT:Trojan.Nymeria.705"
- "Endgame": "malicious (high confidence)"
- "Emsisoft": "AIT:Trojan.Nymeria.705 (B)"
- "F-Secure": "Heuristic.HEUR/AGEN.1034185"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.TrojanAitInject.tc"
- "Trapmine": "malicious.high.ml.score"
- "Avira": "HEUR/AGEN.1034185"
- "MAX": "malware (ai score=88)"
- "ZoneAlarm": "Trojan-Spy.PowerShell.KeyLogger.c"
- "GData": "AIT:Trojan.Nymeria.705 (2x)"
- "Acronis": "suspicious"
- "VBA32": "Trojan.Autoit.F"
- "ALYac": "AIT:Trojan.Nymeria.705"
- "Ad-Aware": "AIT:Trojan.Nymeria.705"
- "ESET-NOD32": "a variant of Win32/Autoit.DB"
- "Rising": "Trojan.Agent/Autoit!1.BC29 (CLASSIC)"
- "Ikarus": "Trojan.Autoit"
- "eGambit": "Unsafe.AI_Score_70%"
- "Fortinet": "AutoIt/Agent.DB!tr"
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- "Qihoo-360": "HEUR/QVM10.1.D67D.Malware.Gen"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe"
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Actual checksum does not match that reported in PE header"
- * Started Service:
- * Mutexes:
- "Global\\ADAP_WMI_ENTRY",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex_Flag"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe",
- "\\??\\PIPE\\srvsvc",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\EPGNVR.lnk",
- "C:\\Users\\user\\AppData\\Local\\Temp\\EPGNVR.vbs",
- "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
- "\\Device\\LanmanDatagramReceiver",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
- * Deleted Files:
- "C:\\Windows\\Tasks\\EPGNVR.exe.job",
- "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MpIdleTask",
- "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MP Scheduled Scan",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\EPGNVR",
- "HKEY_CURRENT_USER\\Software\\Win32",
- "HKEY_CURRENT_USER\\Software\\Win32\\EPGNVR",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\BDF81CCC-EE92-45F2-874A-49B237F964AF\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\BDF81CCC-EE92-45F2-874A-49B237F964AF\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\EPGNVR.exe\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\EPGNVR.exe\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\BDF81CCC-EE92-45F2-874A-49B237F964AF\\Triggers",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\BDF81CCC-EE92-45F2-874A-49B237F964AF\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\F23C90F8-7F8A-47A8-8A78-2147F4A03645\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\F23C90F8-7F8A-47A8-8A78-2147F4A03645\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows Defender\\MP Scheduled Scan\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows Defender\\MP Scheduled Scan\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\F23C90F8-7F8A-47A8-8A78-2147F4A03645\\Triggers",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\F23C90F8-7F8A-47A8-8A78-2147F4A03645\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\BA95BF75-FDB3-4DB7-B60E-48341AA969B1",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\C05BF83C-5ED3-4408-992C-5513FEBEE1FC",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\8A32D3B5-B47B-4B57-88CB-A81D3D24443A",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\22690220-5953-4AA7-B8C2-186F354EF3FB",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage2\\ProgramsCache",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78.check.101\\CheckSetting",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\BA95BF75-FDB3-4DB7-B60E-48341AA969B1\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\C05BF83C-5ED3-4408-992C-5513FEBEE1FC\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\8A32D3B5-B47B-4B57-88CB-A81D3D24443A\\data"
- * Deleted Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&1\\CustomPropertyHwIdKey",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&0\\CustomPropertyHwIdKey",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\EPGNVR.exe.job",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\EPGNVR.exe.job.fp"
- * DNS Communications:
- "type": "A",
- "request": "plunder.nsupdate.info",
- "answers":
- * Domains:
- "ip": "185.58.205.148",
- "domain": "plunder.nsupdate.info"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: