Automated Malware Analysis IOC Report for

File Path

Type

Category

Malicious

Download

edrwkgn.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.950983263373999
Filename:	edrwkgn.exe
Filesize:	3161752
MD5:	1974c88979debfe710d597fff868d0e5
SHA1:	6a184bdf47d0704d7eea68d022c3549afe05df66
SHA256:	cfb0e9f2d6e4d72ec861480007d96a3695d4b1d780c86ff066a2a2222fafffdf
SHA512:	eb43fc2ac49c1444de5f5e65d74dba718537aacfdd5405690bc639a5a36eeed817cecf0db5135525bbbbfc18e9e3f4dac84af95fb6b86f2108982fe7f91e03dd
SSDEEP:	24576:43ub5cDzp/Ook9bVHIKAuTVijaUH2AcQNoMJ+CeWwIpA1JeuoSOBRcSrBIMmCpCe:O57cQKauDOTcSrqMmpnF8OMJL+fLlm
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary	Masquerading
PE file contains sections with non-standard names	Data Obfuscation
PE file contains more sections than normal	System Summary
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Virtualization/Sandbox Evasion Security Software Discovery
Queries disk information (often used to detect virtual machines)	Malware Analysis System Evasion
Sample is known by Antivirus	System Summary
Reads software policies	System Summary
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Uses an in-process (OLE) Automation server	System Summary
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Reads ini files	System Summary	File and Directory Discovery
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary
PE file has a big code size	System Summary

C:\Users\alfredo\Desktop\configure.dat

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\alfredo\Desktop\configure.dat
Category:	dropped
Dump:	configure.dat.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\alfredo\Desktop\edrwkgn.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.775760406438328
Encrypted:	false
Size:	176
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Injects files into Windows application	HIPS / PFW / Operating System Protection Evasion	Shared Modules Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection

C:\ProgramData\SystemAcCrux\fefe7b8f3862ba4dac.bin

data

dropped

Details

File:	C:\ProgramData\SystemAcCrux\fefe7b8f3862ba4dac.bin
Category:	dropped
Dump:	fefe7b8f3862ba4dac.bin.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\alfredo\Desktop\edrwkgn.exe
Type:	data
Entropy:	0.2912439497023876
Encrypted:	false
Size:	4176
Whitelisted:	false
Reputation:	low

C:\Users\alfredo\Desktop\EuCfg.bin

data

dropped

Details

File:	C:\Users\alfredo\Desktop\EuCfg.bin
Category:	dropped
Dump:	EuCfg.bin.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\alfredo\Desktop\edrwkgn.exe
Type:	data
Entropy:	4.289822782008755
Encrypted:	false
Size:	40
Whitelisted:	false
Reputation:	low

IOC Report
edrwkgn.exe