Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

KRITENESIAS.exe

PE32 executable (console) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	5.255161402824075
Filename:	KRITENESIAS.exe
Filesize:	62464
MD5:	e6e3f0819cd71162daebb192061b78de
SHA1:	a03a28f1c6f0329ad2af6aa6cce1e6058e5df8ee
SHA256:	f58196e6f2428a361e9c3c004c3f340e5f4ea281c16ecc5222dd10bc02098dfc
SHA512:	3012ae1c4d513c9968a56e24cb67875e0c590157d43c0efaea85cadd276f2774843f3f1234b6ededebda0d9a795534611210bae1863e06f5fd63a28c76c8618e
SSDEEP:	768:HE3sS2x+nv/bTVi9uRL/DrICdT1968HiqqLPpAF76R:HE3D2xivfcERL3ICF19xrsBA
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;.B.Z...Z...Z..."G..Z.......Z.......Z.......Z.......Z..."...Z...Z...Z.......Z....+..Z...ZC..Z.......Z..Rich.Z.................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to access PhysicalDrive, possible boot sector overwrite	Operating System Destruction
Contains functionality to infect the boot sector	Persistence and Installation Behavior, Boot Survival	Bootkit
Infects the VBR (Volume Boot Record) of the hard disk	Persistence and Installation Behavior
Writes directly to the primary disk partition (DR0)	Persistence and Installation Behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to record screenshots	Key, Mouse, Clipboard, Microphone and Screen Capturing	Screen Capture
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains sections with non-standard names	Data Obfuscation
Queries disk information (often used to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery System Information Discovery
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

\Device\Harddisk0\DR0

DOS/MBR boot sector

dropped

Details

File:	\Device\Harddisk0\DR0
Category:	dropped
Dump:	DR0.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\KRITENESIAS.exe
Type:	DOS/MBR boot sector
Entropy:	2.4115103828740536
Encrypted:	false
Ssdeep:	3:Fpip6lr8HslbS+JthWUZlW7apQSurthosXjJPyzOTUG+KRSlD9ppFKfu4Rjmy776:1rlfJaA4apOrVzEzOAG+KcrpwpRT2
Size:	512
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Infects the VBR (Volume Boot Record) of the hard disk	Persistence and Installation Behavior	Bootkit
Writes directly to the primary disk partition (DR0)	Persistence and Installation Behavior	Bootkit

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.12.dr
ID:	dr_5
Target ID:	12
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	1.1510207563435464
Encrypted:	false
Ssdeep:	3:NlllulPki/llllZ:NllUcylll
Size:	64
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ar1l3lt.qch.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ar1l3lt.qch.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_0ar1l3lt.qch.ps1.12.dr
ID:	dr_3
Target ID:	12
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0vc5qcrh.qhc.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0vc5qcrh.qhc.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_0vc5qcrh.qhc.psm1.12.dr
ID:	dr_4
Target ID:	12
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e4fwagcx.owr.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e4fwagcx.owr.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_e4fwagcx.owr.ps1.12.dr
ID:	dr_1
Target ID:	12
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jwzw5bs5.20n.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jwzw5bs5.20n.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_jwzw5bs5.20n.psm1.12.dr
ID:	dr_2
Target ID:	12
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\KRITENESIAS.exe

"C:\Users\user\Desktop\KRITENESIAS.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem / v DisableCMD / t REG_DWORD / d 1 / f

C:\Windows\SysWOW64\reg.exe

reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem / v DisableCMD / t REG_DWORD / d 1 / f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell wininit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell wininit

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Memdumps

Base Address

Regiontype

Protect

Malicious

7B6000

heap

page read and write

7B6000

heap

page read and write

78B000

heap

page read and write

2FF0000

heap

page read and write

173000

stack

page read and write

3E50000

trusted library allocation

page read and write

7B6000

heap

page read and write

780000

heap

page read and write

6BE000

stack

page read and write

7B6000

heap

page read and write

A9000

stack

page read and write

22C0000

trusted library allocation

page read and write

C03000

unkown

page readonly

758000

heap

page read and write

318E000

stack

page read and write

C00000

unkown

page readonly

3070000

heap

page read and write

25E0000

heap

page read and write

2F0E000

stack

page read and write

73A000

heap

page read and write

245F000

stack

page read and write

7B6000

heap

page read and write

77E000

heap

page read and write

BF6000

unkown

page readonly

320E000

stack

page read and write

7B6000

heap

page read and write

788000

heap

page read and write

2B70000

heap

page read and write

2F40000

heap

page read and write

259E000

stack

page read and write

4F0000

heap

page read and write

78B000

heap

page read and write

258E000

stack

page read and write

2B0D000

stack

page read and write

92E000

stack

page read and write

3B04000

heap

page read and write

3210000

heap

page read and write

BEE000

stack

page read and write

3A60000

trusted library allocation

page read and write

3260000

heap

page read and write

75C000

heap

page read and write

77E000

heap

page read and write

7B6000

heap

page read and write

7B6000

heap

page read and write

750000

heap

page read and write

2470000

trusted library allocation

page read and write

7B6000

heap

page read and write

24B0000

trusted library allocation

page read and write

780000

heap

page read and write

7B6000

heap

page read and write

2DCD000

stack

page read and write

782000

heap

page read and write

7B6000

heap

page read and write

7B6000

heap

page read and write

77E000

heap

page read and write

7B6000

heap

page read and write

2600000

heap

page read and write

C00000

unkown

page readonly

53E000

stack

page read and write

75C000

heap

page read and write

786000

heap

page read and write

BF0000

unkown

page readonly

5A0000

heap

page read and write

73E000

heap

page read and write

77E000

heap

page read and write

7B6000

heap

page read and write

2F8F000

stack

page read and write

782000

heap

page read and write

700000

heap

page read and write

BF6000

unkown

page readonly

5A5000

heap

page read and write

758000

heap

page read and write

7B6000

heap

page read and write

755000

heap

page read and write

31CF000

stack

page read and write

3260000

heap

page read and write

3A80000

trusted library allocation

page read and write

7BF000

heap

page read and write

74C000

heap

page read and write

25D0000

heap

page read and write

7B7000

heap

page read and write

7B6000

heap

page read and write

5A9000

heap

page read and write

750000

heap

page read and write

7B6000

heap

page read and write

22E0000

trusted library allocation

page read and write

2F10000

heap

page read and write

7B6000

heap

page read and write

2FF8000

heap

page read and write

758000

heap

page read and write

7B6000

heap

page read and write

7B6000

heap

page read and write

710000

heap

page read and write

7B6000

heap

page read and write

3300000

heap

page read and write

22AF000

stack

page read and write

730000

heap

page read and write

3A3B000

stack

page read and write

4C4C000

stack

page read and write

2540000

heap

page read and write

6F0000

heap

page read and write

3B00000

heap

page read and write

783000

heap

page read and write

47D000

stack

page read and write

786000

heap

page read and write

759000

heap

page read and write

43D000

stack

page read and write

5B5000

heap

page read and write

75D000

heap

page read and write

268F000

stack

page read and write

303D000

stack

page read and write

2300000

trusted library allocation

page read and write

24F0000

trusted library allocation

page read and write

7B6000

heap

page read and write

2BFF000

stack

page read and write

7B6000

heap

page read and write

BF1000

unkown

page execute read

BF1000

unkown

page execute read

788000

heap

page read and write

7B6000

heap

page read and write

7B6000

heap

page read and write

264E000

stack

page read and write

32E0000

heap

page read and write

3308000

heap

page read and write

7BF000

heap

page read and write

7BF000

heap

page read and write

2ACD000

stack

page read and write

325F000

stack

page read and write

269F000

stack

page read and write

2490000

trusted library allocation

page read and write

2698000

heap

page read and write

2690000

heap

page read and write

7BF000

heap

page read and write

BF0000

unkown

page readonly

783000

heap

page read and write

5B0000

heap

page read and write

783000

heap

page read and write

235E000

stack

page read and write

410000

heap

page read and write

57E000

stack

page read and write

C03000

unkown

page readonly

25CF000

stack

page read and write

2BBE000

stack

page read and write

There are 133 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
KRITENESIAS.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportKRITENESIAS.exe

Files

Processes

Memdumps

IOC Report
KRITENESIAS.exe