edrwkgn.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample

Filetype: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 5.950983263373999
Filename: edrwkgn.exe
Filesize: 3161752
MD5: 1974c88979debfe710d597fff868d0e5
SHA1: 6a184bdf47d0704d7eea68d022c3549afe05df66
SHA256: cfb0e9f2d6e4d72ec861480007d96a3695d4b1d780c86ff066a2a2222fafffdf
SHA512: eb43fc2ac49c1444de5f5e65d74dba718537aacfdd5405690bc639a5a36eeed817cecf0db5135525bbbbfc18e9e3f4dac84af95fb6b86f2108982fe7f91e03dd
SSDEEP: 24576:43ub5cDzp/Ook9bVHIKAuTVijaUH2AcQNoMJ+CeWwIpA1JeuoSOBRcSrBIMmCpCe:O57cQKauDOTcSrqMmpnF8OMJL+fLlm
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Signature Hits | Behavior Group | Mitre Attack
Multi AV Scanner detection for submitted file | AV Detection |
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Malware Analysis System Evasion |
Uses 32bit PE files | Compliance, System Summary |
PE file contains sections with non-standard names | Data Obfuscation |
PE file contains more sections than normal | System Summary |
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) | Malware Analysis System Evasion | Windows Management Instrumentation; Virtualization/Sandbox Evasion; Security Software Discovery
Queries disk information (often used to detect virtual machines) | Malware Analysis System Evasion |
Sample is known by Antivirus | System Summary |
Reads software policies | System Summary |
Parts of this application are using Borland Delphi (probably coded in Delphi) | System Summary |
Uses an in-process (OLE) Automation server | System Summary |
Queries process information (via WMI, Win32_Process) | System Summary | System Information Discovery
Creates files inside the user directory | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Reads ini files | System Summary | File and Directory Discovery
PE file has a big raw section | System Summary |
Submission file is bigger than most known malware samples | System Summary |
PE file has a big code size | System Summary |

C:\Users\alfredo\Desktop\configure.dat | ASCII text, with CRLF line terminators | dropped

File: C:\Users\alfredo\Desktop\configure.dat
Category: dropped
Dump: configure.dat.0.dr
ID: dr_0
Target ID: 0
Process: C:\Users\alfredo\Desktop\edrwkgn.exe
Type: ASCII text, with CRLF line terminators
Entropy: 5.775760406438328
Encrypted: false
Size: 176
Whitelisted: false
Reputation: low

Signature Hits | Behavior Group | Mitre Attack
Injects files into Windows application | HIPS / PFW / Operating System Protection Evasion |
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Creates files inside the user directory | System Summary |
Spawns processes | System Summary |

C:\ProgramData\SystemAcCrux\fefe7b8f3862ba4dac.bin | data | dropped

File: C:\ProgramData\SystemAcCrux\fefe7b8f3862ba4dac.bin
Category: dropped
Dump: fefe7b8f3862ba4dac.bin.0.dr
ID: dr_1
Target ID: 0
Process: C:\Users\alfredo\Desktop\edrwkgn.exe
Type: data
Entropy: 0.2912439497023876
Encrypted: false
Size: 4176
Whitelisted: false
Reputation: low

C:\Users\alfredo\Desktop\EuCfg.bin | data | dropped

File: C:\Users\alfredo\Desktop\EuCfg.bin
Category: dropped
Dump: EuCfg.bin.0.dr
ID: dr_2
Target ID: 0
Process: C:\Users\alfredo\Desktop\edrwkgn.exe
Type: data
Entropy: 4.289822782008755
Encrypted: false
Size: 40
Whitelisted: false
Reputation: low