
893Exes_1381c4eafba0a330272c831d78f60dfa_exe_2019-09-03_23_30.txt

Sep 3rd, 2019
  1.  
  2. * ID: 893
  3. * MalFamily: "Malicious"  (generic label only; the VirusTotal results further down agree on a specific family — Kaspersky/ZoneAlarm Trojan-Spy.Win32.AveMaria.bvf, Antiy-AVL TrojanSpy/Win32.AveMaria, Malwarebytes Backdoor.AveMaria, Fortinet W32/AveMaria.BVF!tr — so this should be tracked as an AveMaria detection rather than an unclassified "malicious" sample)
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_1381c4eafba0a330272c831d78f60dfa.exe"
  8. * File Size: 576000
  9. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  10. * SHA256: "ece090a78dd15d62d2135e97df60c4aadd91a47febfa871394155bf367fde6fd"
  11. * MD5: "1381c4eafba0a330272c831d78f60dfa"
  12. * SHA1: "763f07b2bbfe567cfeefabab39aca50a5e061ee4"
  13. * SHA512: "a4e07839d3cc27f3bcba3c1f1bba82a1a90984d752ee74930ad72ec148fd154dda29b5d328b9142a5b8790ccf1e506014d36df744d1625df9ed9cfbf065429cd"
  14. * CRC32: "1441EB5D"
  15. * SSDEEP: "6144:ijFLYna3ZqRK2CZDcdMOupj8RM6V/rBuZoE:ijFLYn0ecYdtIj8"
  16.  
  17. * Process Execution:  (the first process, 50STpnDtuaHfJr.exe, does not match the submitted file name Exes_1381c4eafba0a330272c831d78f60dfa.exe — the sandbox appears to have launched the sample under a randomised name, so do not use that name as an indicator)
  18. "50STpnDtuaHfJr.exe",
  19. "powershell.exe",
  20. "images.exe",
  21. "powershell.exe",
  22. "cmd.exe",
  23. "explorer.exe",
  24. "svchost.exe",
  25. "WmiPrvSE.exe",
  26. "WMIADAP.exe"
  27.  
  28.  
  29. * Executed Commands:
  30. "powershell Add-MpPreference -ExclusionPath C:\\",
  31. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
  32.  
  33.  
  34. * Signatures Detected:
  35.  
  36. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  37. "Details":
  38.  
  39.  
  40. "Description": "Behavioural detection: Executable code extraction",
  41. "Details":
  42.  
  43.  
  44. "Description": "Creates RWX memory",
  45. "Details":
  46.  
  47.  
  48. "Description": "Guard pages use detected - possible anti-debugging.",
  49. "Details":
  50.  
  51.  
  52. "Description": "Reads data out of its own binary image",
  53. "Details":
  54.  
  55. "self_read": "process: images.exe, pid: 2252, offset: 0x00000000, length: 0x0008ca00"
  56.  
  57.  
  58.  
  59.  
  60. "Description": "A process created a hidden window",
  61. "Details":
  62.  
  63. "Process": "images.exe -> C:\\Windows\\System32\\cmd.exe"
  64.  
  65.  
  66.  
  67.  
  68. "Description": "Drops a binary and executes it (the dropped C:\\ProgramData\\images.exe is a self-copy — see 'Creates a copy of itself' below — and it is the images.exe process that reads its own image, injects into cmd.exe and attempts the ~10-hour sleep)",
  69. "Details":
  70.  
  71. "binary": "C:\\ProgramData\\images.exe"
  72.  
  73.  
  74.  
  75.  
  76. "Description": "A scripting utility was executed — the PowerShell command adds a Windows Defender exclusion covering the entire C:\\ drive (Add-MpPreference -ExclusionPath C:\\), i.e. defense evasion / AV tampering; this is a high-value detection event in its own right and should be alerted on independently of the rest of the process tree",
  77. "Details":
  78.  
  79. "command": "powershell Add-MpPreference -ExclusionPath C:\\"
  80.  
  81.  
  82.  
  83.  
  84. "Description": "Attempts to remove evidence of the file having been downloaded from the Internet (deletes the Zone.Identifier alternate data stream — the Mark-of-the-Web — from the dropped copy C:\\ProgramData\\images.exe; the same stream appears under Deleted Files)",
  85. "Details":
  86.  
  87. "file": "C:\\ProgramData\\images.exe:Zone.Identifier"
  88.  
  89.  
  90.  
  91.  
  92. "Description": "Sniffs keystrokes (SetWindowsHookExW hook installation, a keylogging indicator; note the call is attributed to explorer.exe, which appears in the process tree but is not named in the injection signatures below, so confirm which code installed the hook before attributing it to the dropped binary)",
  93. "Details":
  94.  
  95. "SetWindowsHookExW": "Process: explorer.exe(1960)"
  96.  
  97.  
  98.  
  99.  
  100. "Description": "Code injection with CreateRemoteThread in a remote process",
  101. "Details":
  102.  
  103. "Injection": "images.exe(2252) -> cmd.exe(2024)"
  104.  
  105.  
  106.  
  107.  
  108. "Description": "Behavioural detection: Injection (inter-process)",
  109. "Details":
  110.  
  111.  
  112. "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
  113. "Details":
  114.  
  115.  
  116. "Description": "A process attempted to delay analysis by sleeping for a long time (sandbox evasion; the sandbox skipped the sleeps, which is why every entry below reports 0 seconds of actual delay).",
  117. "Details":
  118.  
  119. "Process": "cmd.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
  120.  
  121.  
  122. "Process": "50STpnDtuaHfJr.exe tried to sleep 1000 seconds, actually delayed analysis time by 0 seconds"
  123.  
  124.  
  125. "Process": "WmiPrvSE.exe tried to sleep 300 seconds, actually delayed analysis time by 0 seconds"
  126.  
  127.  
  128. "Process": "images.exe tried to sleep 37121 seconds, actually delayed analysis time by 0 seconds"
  129.  
  130.  
  131.  
  132.  
  133. "Description": "Installs itself for autorun at Windows startup (machine-wide HKLM Run key pointing at the dropped copy; the Wow6432Node path is consistent with the 32-bit PE running on a 64-bit host, and writing under HKLM normally requires elevated rights — as does the Defender exclusion above — which suggests the sample ran elevated in this sandbox)",
  134. "Details":
  135.  
  136. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images"
  137.  
  138.  
  139. "data": "C:\\ProgramData\\images.exe"
  140.  
  141.  
  142.  
  143.  
  144. "Description": "Creates a hidden or system file (the path is Explorer's Recent\\CustomDestinations jump-list store, so this is most likely a side effect of launching the sample rather than a file the malware created — verify before using it as an indicator)",
  145. "Details":
  146.  
  147. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF433821.TMP"
  148.  
  149.  
  150.  
  151.  
  152. "Description": "File has been identified by 22 antivirus engines on VirusTotal as malicious (the family-specific labels below agree on AveMaria; the remaining labels are generic or heuristic verdicts)",
  153. "Details":
  154.  
  155. "FireEye": "Generic.mg.1381c4eafba0a330"
  156.  
  157.  
  158. "Cylance": "Unsafe"
  159.  
  160.  
  161. "CrowdStrike": "win/malicious_confidence_90% (D)"
  162.  
  163.  
  164. "K7GW": "Riskware ( 0040eff71 )"
  165.  
  166.  
  167. "K7AntiVirus": "Riskware ( 0040eff71 )"
  168.  
  169.  
  170. "APEX": "Malicious"
  171.  
  172.  
  173. "Avast": "Win32:Trojan-gen"
  174.  
  175.  
  176. "Kaspersky": "Trojan-Spy.Win32.AveMaria.bvf"
  177.  
  178.  
  179. "Paloalto": "generic.ml"
  180.  
  181.  
  182. "Endgame": "malicious (high confidence)"
  183.  
  184.  
  185. "F-Secure": "Trojan.TR/AD.MortyStealer.yepni"
  186.  
  187.  
  188. "DrWeb": "Trojan.PWS.Maria.3"
  189.  
  190.  
  191. "SentinelOne": "DFI - Malicious PE"
  192.  
  193.  
  194. "Avira": "TR/AD.MortyStealer.yepni"
  195.  
  196.  
  197. "Antiy-AVL": "TrojanSpy/Win32.AveMaria"
  198.  
  199.  
  200. "ZoneAlarm": "Trojan-Spy.Win32.AveMaria.bvf"
  201.  
  202.  
  203. "Malwarebytes": "Backdoor.AveMaria"
  204.  
  205.  
  206. "Fortinet": "W32/AveMaria.BVF!tr"
  207.  
  208.  
  209. "AVG": "Win32:Trojan-gen"
  210.  
  211.  
  212. "Cybereason": "malicious.2bbfe5"
  213.  
  214.  
  215. "Panda": "Trj/GdSda.A"
  216.  
  217.  
  218. "Qihoo-360": "HEUR/QVM20.1.A46F.Malware.Gen"
  219.  
  220.  
  221.  
  222.  
  223. "Description": "Creates a copy of itself",
  224. "Details":
  225.  
  226. "copy": "C:\\ProgramData\\images.exe"
  227.  
  228.  
  229.  
  230.  
  231. "Description": "Collects information to fingerprint the system",
  232. "Details":
  233.  
  234.  
  235.  
  236. * Started Service:
  237.  
  238. * Mutexes:
  239. "CicLoadWinStaWinSta0",
  240. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  241. "Global\\CLR_PerfMon_WrapMutex",
  242. "Global\\CLR_CASOFF_MUTEX",
  243. "Global\\ADAP_WMI_ENTRY",
  244. "Global\\RefreshRA_Mutex",
  245. "Global\\RefreshRA_Mutex_Lib",
  246. "Global\\RefreshRA_Mutex_Flag"
  247.  
  248.  
  249. * Modified Files:  (the timestamp-named directory under AppData\\Local\\Microsoft Vision\\ — its name matches the run date, 03-09-2019 — appears sample-created and is a candidate host artifact; the jump-list temp files, the srvsvc pipe and the WMI provider pipe look like ordinary system activity)
  250. "C:\\ProgramData\\images.exe",
  251. "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
  252. "\\??\\PIPE\\srvsvc",
  253. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\GQ4JN80CS7GZM44MX5D0.temp",
  254. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms",
  255. "C:\\Users\\user\\AppData\\Local\\Microsoft Vision\\03-09-2019_17.08.36",
  256. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\Z38GN1C8K4I6BWVWYRZ0.temp",
  257. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF433821.TMP",
  258. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
  259.  
  260.  
  261. * Deleted Files:
  262. "C:\\ProgramData\\images.exe:Zone.Identifier",
  263. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\GQ4JN80CS7GZM44MX5D0.temp",
  264. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2276.3512515",
  265. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2276.3512515",
  266. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2276.3512515",
  267. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF433821.TMP",
  268. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1120.4405375",
  269. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1120.4405375",
  270. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1120.4405375"
  271.  
  272.  
  273. * Modified Registry Keys:  (the UserAssist\\Count value names are ROT13-encoded — "pzq.rkr" decodes to "cmd.exe" and "HRZR_PGYFRFFVBA" to "UEME_CTLSESSION" — and are execution-history artifacts written by Explorer, not persistence; the HKLM Run\\Images key is the only persistence entry here, and the random-named Explorer\\XOT3FKWSJT\\inst key is worth checking as a possible installation marker)
  274. "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\msvideo",
  275. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server",
  276. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer",
  277. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\XOT3FKWSJT",
  278. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\XOT3FKWSJT\\inst",
  279. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images",
  280. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
  281. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
  282. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList"
  283.  
  284.  
  285. * Deleted Registry Keys:
  286. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDEChannel\\4&2617AEAE&0&1\\CustomPropertyHwIdKey",
  287. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDEChannel\\4&2617AEAE&0&0\\CustomPropertyHwIdKey"
  288.  
  289.  
  290. * DNS Communications:  (C2 resolution: the sample resolves a dynamic-DNS hostname on duckdns.org; such hostnames can be re-pointed at any time, so pivot on the domain rather than on the resolved address, and treat 23.105.131.202 as a point-in-time indicator dated to this run)
  291.  
  292. "type": "A",
  293. "request": "warzo.duckdns.org",
  294. "answers":
  295.  
  296. "data": "23.105.131.202",
  297. "type": "A"
  298.  
  299.  
  300.  
  301.  
  302.  
  303. * Domains:
  304.  
  305. "ip": "23.105.131.202",
  306. "domain": "warzo.duckdns.org"
  307.  
  308.  
  309.  
  310. * Network Communication - ICMP:
  311.  
  312. * Network Communication - HTTP:
  313.  
  314. * Network Communication - SMTP:
  315.  
  316. * Network Communication - Hosts:
  317.  
  318. "country_name": "United States",
  319. "ip": "23.105.131.202",
  320. "inaddrarpa": "",
  321. "hostname": "warzo.duckdns.org"
  322.  
  323.  
  324.  
  325. * Network Communication - IRC: