USBRecoveryCreator.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample

Filetype: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.948001089404294
Filename: USBRecoveryCreator.exe
Filesize (bytes): 74500240
MD5: 23a460c02cc1b3b220ecb54cbd974a6a
SHA1: ece022c7d45ccf9afd5b72c33f1dcfc85a42c204
SHA256: dc86aed4873dbb3cef993c84533d83efc4ad35150ae32c15d22c40adbb511c43
SHA512: 333aebed6643bd38e2fbe052e1d31c36ba2f5c828defb699d50b700e475fe9fe2175eaed244eb1bef292dc7f6f34461802e924f5a9f4177f03760ad05af6be18
SSDEEP: 1572864:o7lbWgSb6k8QLc49MATBx3zUUCKfhFPON+VoUAYTjeWmoUHQArfLeq:gBSbvTZmAT3wUTKUbTmoUwCD
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........o..P..,P..,P..,YvK,D..,.{.-C..,.{.-M..,.{.-...,.|.-X..,.|.-]..,P..,[..,.{.-V..,.{.-...,.{.-Q..,.{.-Q..,RichP..,...............

Signature Hits | Behavior Group | Mitre Attack
Queries memory information (via WMI often done to detect virtual machines) | Malware Analysis System Evasion
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) | Malware Analysis System Evasion
Adds / modifies Windows certificates | Lowering of HIPS / PFW / Operating System Security Settings
Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion
Drops PE files | Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior
Enables debug privileges | Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis | Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality) | Hooking and other Techniques for Hiding and Protection
PE file contains executable resources (Code or Archives) | System Summary
PE file contains sections with non-standard names | Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines) | Malware Analysis System Evasion | Windows Management Instrumentation
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) | Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection
Stores large binary data to the registry | Hooking and other Techniques for Hiding and Protection
Uses 32bit PE files | Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed) | HIPS / PFW / Operating System Protection Evasion | Command and Scripting Interpreter
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates files inside the user directory | System Summary
Creates guard pages, often used to prevent reverse engineering and debugging | Anti Debugging
Creates temporary files | System Summary
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process) | System Summary
Queries the cryptographic machine GUID | Language, Device and Operating System Detection
Reads software policies | System Summary
Sample reads its own file content | System Summary
Tries to load missing DLLs | System Summary
Uses an in-process (OLE) Automation server | System Summary
PE file contains a valid data directory to section mapping | System Summary
PE file contains a debug data directory | System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX | Compliance, System Summary
PE file contains a mix of data directories often seen in goodware | System Summary
PE file has a big raw section | System Summary
PE / OLE file has a valid certificate | Compliance, System Summary
PE file has a big code size | System Summary
Submission file is bigger than most known malware samples | System Summary

C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\0ba7d819-f360-4626-b4fb-4b6a653ac16c.tmp | JSON data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\0ba7d819-f360-4626-b4fb-4b6a653ac16c.tmp
Category: dropped
Dump: 0ba7d819-f360-4626-b4fb-4b6a653ac16c.tmp.10.dr
ID: dr_80
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: JSON data
Entropy: 6.072353008075773
Encrypted: false
Size (bytes): 16243
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Queries memory information (via WMI often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Adds / modifies Windows certificates | Lowering of HIPS / PFW / Operating System Security Settings
Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Drops PE files | Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior
Enables debug privileges | Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality) | Hooking and other Techniques for Hiding and Protection
PE file contains executable resources (Code or Archives) | System Summary
PE file contains sections with non-standard names | Data Obfuscation
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines) | Malware Analysis System Evasion | System Information Discovery, Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Stores large binary data to the registry | Hooking and other Techniques for Hiding and Protection
Uses 32bit PE files | Compliance, System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed) | HIPS / PFW / Operating System Protection Evasion | Command and Scripting Interpreter
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates files inside the user directory | System Summary
Creates guard pages, often used to prevent reverse engineering and debugging | Anti Debugging
Creates mutexes | System Summary
Creates temporary files | System Summary
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection
Queries process information (via WMI, Win32_Process) | System Summary | System Information Discovery, Windows Management Instrumentation
Queries the cryptographic machine GUID | Language, Device and Operating System Detection | System Information Discovery
Reads software policies | System Summary | System Information Discovery
Sample reads its own file content | System Summary
Spawns processes | System Summary
Tries to load missing DLLs | System Summary
Uses an in-process (OLE) Automation server | System Summary
PE file contains a valid data directory to section mapping | System Summary
PE file contains a debug data directory | System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX | Compliance, System Summary
PE file contains a mix of data directories often seen in goodware | System Summary
PE file has a big raw section | System Summary
PE / OLE file has a valid certificate | Compliance, System Summary
PE file has a big code size | System Summary
Submission file is bigger than most known malware samples | System Summary

C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\246e527c-8108-42ea-be7a-ff7f7c6b46e4.tmp | JSON data | modified

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\246e527c-8108-42ea-be7a-ff7f7c6b46e4.tmp
Category: modified
Dump: 246e527c-8108-42ea-be7a-ff7f7c6b46e4.tmp.10.dr
ID: dr_85
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: JSON data
Entropy: 6.067214133779568
Encrypted: false
Size (bytes): 17477
Whitelisted: false

C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\3f2621aa-bb61-4f6d-9263-164c8242a7de.tmp | JSON data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\3f2621aa-bb61-4f6d-9263-164c8242a7de.tmp
Category: dropped
Dump: 3f2621aa-bb61-4f6d-9263-164c8242a7de.tmp.10.dr
ID: dr_32
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: JSON data
Entropy: 5.457602145833757
Encrypted: false
Size (bytes): 2054
Whitelisted: false

C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\5301e1b9-15c2-49f0-95dd-104cd89f2234.tmp | JSON data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\5301e1b9-15c2-49f0-95dd-104cd89f2234.tmp
Category: dropped
Dump: 5301e1b9-15c2-49f0-95dd-104cd89f2234.tmp.10.dr
ID: dr_34
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: JSON data
Entropy: 5.29175198715765
Encrypted: false
Size (bytes): 2901
Whitelisted: false

C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\6fd7a13f-0753-4d03-b0e5-eb9627615cf1.tmp | JSON data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\6fd7a13f-0753-4d03-b0e5-eb9627615cf1.tmp
Category: dropped
Dump: 6fd7a13f-0753-4d03-b0e5-eb9627615cf1.tmp.10.dr
ID: dr_26
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: JSON data
Entropy: 5.697368202273589
Encrypted: false
Size (bytes): 951
Whitelisted: false

C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\BrowserMetrics-spare.pma (copy) | data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\BrowserMetrics-spare.pma (copy)
Category: dropped
Dump: BrowserMetrics-spare.pma.tmp.10.dr
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: data
Entropy: 0.0
Encrypted: false
Size (bytes): 0
Whitelisted: false

C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\BrowserMetrics-spare.pma.tmp
|
data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\BrowserMetrics-spare.pma.tmp
|
Category: |
dropped
|
Dump: |
BrowserMetrics-spare.pma.tmp.10.dr
|
ID: |
dr_86
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
data
|
Entropy: |
0.0
|
Encrypted: |
false
|
Size: |
1310720
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Crashpad\settings.dat
|
data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Crashpad\settings.dat
|
Category: |
dropped
|
Dump: |
settings.dat.10.dr
|
ID: |
dr_24
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
data
|
Entropy: |
1.8873942837026088
|
Encrypted: |
false
|
Size: |
280
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Crashpad\throttle_store.dat
|
ASCII text
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Crashpad\throttle_store.dat
|
Category: |
dropped
|
Dump: |
throttle_store.dat.10.dr
|
ID: |
dr_23
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
ASCII text
|
Entropy: |
3.6219280948873624
|
Encrypted: |
false
|
Size: |
20
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\027a0f36-1d5f-43db-80d9-0c51c5940405.tmp
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\027a0f36-1d5f-43db-80d9-0c51c5940405.tmp
|
Category: |
dropped
|
Dump: |
027a0f36-1d5f-43db-80d9-0c51c5940405.tmp.10.dr
|
ID: |
dr_17
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
5.580537754134039
|
Encrypted: |
false
|
Size: |
6780
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\38a36b08-5554-42c3-af0c-8cf1267052d7.tmp
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\38a36b08-5554-42c3-af0c-8cf1267052d7.tmp
|
Category: |
dropped
|
Dump: |
38a36b08-5554-42c3-af0c-8cf1267052d7.tmp.10.dr
|
ID: |
dr_84
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
4.859838656668776
|
Encrypted: |
false
|
Size: |
6495
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\39f80b5e-f713-4e1b-86f3-4ccef2e12912.tmp
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\39f80b5e-f713-4e1b-86f3-4ccef2e12912.tmp
|
Category: |
dropped
|
Dump: |
39f80b5e-f713-4e1b-86f3-4ccef2e12912.tmp.10.dr
|
ID: |
dr_18
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
4.836106496442749
|
Encrypted: |
false
|
Size: |
5905
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\42d11d95-a355-4f26-a41f-510a537d3e4c.tmp
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\42d11d95-a355-4f26-a41f-510a537d3e4c.tmp
|
Category: |
dropped
|
Dump: |
42d11d95-a355-4f26-a41f-510a537d3e4c.tmp.10.dr
|
ID: |
dr_79
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
4.856830977544024
|
Encrypted: |
false
|
Size: |
6393
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Queries memory information (via WMI often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
|
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Adds / modifies Windows certificates |
Lowering of HIPS / PFW / Operating System Security Settings |
|
Allocates memory with a write watch (potentially for evading sandboxes) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Contains long sleeps (>= 3 min) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Drops PE files |
Persistence and Installation Behavior |
|
Drops PE files to the application program directory (C:\ProgramData) |
Persistence and Installation Behavior |
|
Enables debug privileges |
Anti Debugging |
|
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) |
Malware Analysis System Evasion |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Monitors certain registry keys / values for changes (often done to protect autostart functionality) |
Hooking and other Techniques for Hiding and Protection |
|
PE file contains executable resources (Code or Archives) |
System Summary |
|
PE file contains sections with non-standard names |
Data Obfuscation |
|
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines) |
Malware Analysis System Evasion |
System Information Discovery
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
Stores large binary data to the registry |
Hooking and other Techniques for Hiding and Protection |
|
Uses 32bit PE files |
Compliance, System Summary |
|
Very long cmdline option found; this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
Contains medium sleeps (>= 30s) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Creates files inside the user directory |
System Summary |
|
Creates guard pages, often used to prevent reverse engineering and debugging |
Anti Debugging |
|
Creates mutexes |
System Summary |
|
Creates temporary files |
System Summary |
|
Disables application error messages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
Queries process information (via WMI, Win32_Process) |
System Summary |
System Information Discovery
Windows Management Instrumentation
|
Queries the cryptographic machine GUID |
Language, Device and Operating System Detection |
System Information Discovery
|
Reads software policies |
System Summary |
System Information Discovery
|
Sample reads its own file content |
System Summary |
|
Spawns processes |
System Summary |
|
Tries to load missing DLLs |
System Summary |
|
Uses an in-process (OLE) Automation server |
System Summary |
|
PE file contains a valid data directory to section mapping |
System Summary |
|
PE file contains a debug data directory |
System Summary |
|
Contains modern PE file flags such as dynamic base (ASLR) or NX |
Compliance, System Summary |
|
PE file contains a mix of data directories often seen in goodware |
System Summary |
|
PE file has a big raw section |
System Summary |
|
PE / OLE file has a valid certificate |
Compliance, System Summary |
|
PE file has a big code size |
System Summary |
|
Submission file is bigger than most known malware samples |
System Summary |
|

C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\data_0 | data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\data_0
Category: dropped
Dump: data_0.13.dr
ID: dr_92
Target ID: 13
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: data
Entropy: 0.25265355233628506
Encrypted: false
Size: 45056
Whitelisted: false


C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\data_1 | data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\data_1
Category: dropped
Dump: data_10.13.dr
ID: dr_93
Target ID: 13
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: data
Entropy: 0.5043132015940609
Encrypted: false
Size: 270336
Whitelisted: false


C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\data_2 | data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\data_2
Category: dropped
Dump: data_20.13.dr
ID: dr_94
Target ID: 13
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: data
Entropy: 0.4660234612505231
Encrypted: false
Size: 1056768
Whitelisted: false


C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\data_3 | data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\data_3
Category: dropped
Dump: data_3.13.dr
ID: dr_95
Target ID: 13
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: data
Entropy: 0.596348794073559
Encrypted: false
Size: 4202496
Whitelisted: false


C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000001 | Unicode text, UTF-8 text, with very long lines (49130), with no line terminators | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000001
Category: dropped
Dump: f_000001.13.dr
ID: dr_59
Target ID: 13
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: Unicode text, UTF-8 text, with very long lines (49130), with no line terminators
Entropy: 5.2263689873475805
Encrypted: false
Size: 49132
Whitelisted: false


C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000002 | ASCII text, with very long lines (3396) | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000002
Category: dropped
Dump: f_000002.13.dr
ID: dr_60
Target ID: 13
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: ASCII text, with very long lines (3396)
Entropy: 5.537081313027966
Encrypted: false
Size: 213738
Whitelisted: false


C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000003 | ASCII text, with very long lines (5945) | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000003
Category: dropped
Dump: f_000003.13.dr
ID: dr_61
Target ID: 13
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: ASCII text, with very long lines (5945)
Entropy: 5.575008771882825
Encrypted: false
Size: 302013
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Queries memory information (via WMI often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Adds / modifies Windows certificates | Lowering of HIPS / PFW / Operating System Security Settings |
Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |
Enables debug privileges | Anti Debugging |
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Monitors certain registry keys / values for changes (often done to protect autostart functionality) | Hooking and other Techniques for Hiding and Protection |
PE file contains executable resources (Code or Archives) | System Summary |
PE file contains sections with non-standard names | Data Obfuscation |
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines) | Malware Analysis System Evasion | System Information Discovery, Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Stores large binary data to the registry | Hooking and other Techniques for Hiding and Protection |
Uses 32bit PE files | Compliance, System Summary |
Very long cmdline option found, this is very uncommon (may be encrypted or packed) | HIPS / PFW / Operating System Protection Evasion | Command and Scripting Interpreter
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates files inside the user directory | System Summary |
Creates guard pages, often used to prevent reverse engineering and debugging | Anti Debugging |
Creates mutexes | System Summary |
Creates temporary files | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Queries process information (via WMI, Win32_Process) | System Summary | System Information Discovery, Windows Management Instrumentation
Queries the cryptographic machine GUID | Language, Device and Operating System Detection | System Information Discovery
Reads software policies | System Summary | System Information Discovery
Sample reads its own file content | System Summary |
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |
Uses an in-process (OLE) Automation server | System Summary |
PE file contains a valid data directory to section mapping | System Summary |
PE file contains a debug data directory | System Summary |
Contains modern PE file flags such as dynamic base (ASLR) or NX | Compliance, System Summary |
PE file contains a mix of data directories often seen in goodware | System Summary |
PE file has a big raw section | System Summary |
PE / OLE file has a valid certificate | Compliance, System Summary |
PE file has a big code size | System Summary |
Submission file is bigger than most known malware samples | System Summary |

C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000004 | Unicode text, UTF-8 text, with very long lines (51681), with no line terminators | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000004
Category: dropped
Dump: f_000004.13.dr
ID: dr_62
Target ID: 13
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: Unicode text, UTF-8 text, with very long lines (51681), with no line terminators
Entropy: 5.709022809150113
Encrypted: false
Size: 51737
Whitelisted: false
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000005 | ASCII text, with very long lines (22564), with no line terminators | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000005
Category: dropped
Dump: f_000005.13.dr
ID: dr_63
Target ID: 13
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: ASCII text, with very long lines (22564), with no line terminators
Entropy: 4.914327749178371
Encrypted: false
Size: 22564
Whitelisted: false
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000006 | C source, Unicode text, UTF-8 text, with very long lines (28643), with no line terminators | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000006
Category: dropped
Dump: f_000006.13.dr
ID: dr_64
Target ID: 13
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: C source, Unicode text, UTF-8 text, with very long lines (28643), with no line terminators
Entropy: 5.56467374089227
Encrypted: false
Size: 28649
Whitelisted: false
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000007 | Unicode text, UTF-8 text, with very long lines (25453), with no line terminators | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000007
Category: dropped
Dump: f_000007.13.dr
ID: dr_65
Target ID: 13
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: Unicode text, UTF-8 text, with very long lines (25453), with no line terminators
Entropy: 5.210289774391241
Encrypted: false
Size: 25461
Whitelisted: false
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000008 | HTML document, ASCII text, with very long lines (32769) | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000008
Category: dropped
Dump: f_000008.13.dr
ID: dr_69
Target ID: 13
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: HTML document, ASCII text, with very long lines (32769)
Entropy: 5.371945023505273
Encrypted: false
Size: 93867
Whitelisted: false
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000009 | data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000009
Category: dropped
Dump: f_000009.13.dr
ID: dr_70
Target ID: 13
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: data
Entropy: 5.888138810089
Encrypted: false
Size: 307328
Whitelisted: false
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_00000a | ASCII text, with very long lines (724) | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_00000a
Category: dropped
Dump: f_00000a.13.dr
ID: dr_71
Target ID: 13
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: ASCII text, with very long lines (724)
Entropy: 5.646059185430787
Encrypted: false
Size: 551834
Whitelisted: false

Signature Hits |
Behavior Group |
Mitre Attack |
|
Queries memory information (via WMI often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
|
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Adds / modifies Windows certificates |
Lowering of HIPS / PFW / Operating System Security Settings |
|
Allocates memory with a write watch (potentially for evading sandboxes) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Contains long sleeps (>= 3 min) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Drops PE files |
Persistence and Installation Behavior |
|
Drops PE files to the application program directory (C:\ProgramData) |
Persistence and Installation Behavior |
|
Enables debug privileges |
Anti Debugging |
|
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) |
Malware Analysis System Evasion |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Monitors certain registry keys / values for changes (often done to protect autostart functionality) |
Hooking and other Techniques for Hiding and Protection |
|
PE file contains executable resources (Code or Archives) |
System Summary |
|
PE file contains sections with non-standard names |
Data Obfuscation |
|
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines) |
Malware Analysis System Evasion |
System Information Discovery
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
Stores large binary data to the registry |
Hooking and other Techniques for Hiding and Protection |
|
Uses 32bit PE files |
Compliance, System Summary |
|
Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
Contains medium sleeps (>= 30s) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Creates files inside the user directory |
System Summary |
|
Creates guard pages, often used to prevent reverse engineering and debugging |
Anti Debugging |
|
Creates mutexes |
System Summary |
|
Creates temporary files |
System Summary |
|
Disables application error messages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
Queries process information (via WMI, Win32_Process) |
System Summary |
System Information Discovery
Windows Management Instrumentation
|
Queries the cryptographic machine GUID |
Language, Device and Operating System Detection |
System Information Discovery
|
Reads software policies |
System Summary |
System Information Discovery
|
Sample reads its own file content |
System Summary |
|
Spawns processes |
System Summary |
|
Tries to load missing DLLs |
System Summary |
|
Uses an in-process (OLE) Automation server |
System Summary |
|
PE file contains a valid data directory to section mapping |
System Summary |
|
PE file contains a debug data directory |
System Summary |
|
Contains modern PE file flags such as dynamic base (ASLR) or NX |
Compliance, System Summary |
|
PE file contains a mix of data directories often seen in goodware |
System Summary |
|
PE file has a big raw section |
System Summary |
|
PE / OLE file has a valid certificate |
Compliance, System Summary |
|
PE file has a big code size |
System Summary |
|
Submission file is bigger than most known malware samples |
System Summary |
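
Several of the signature hits above (Win32_PhysicalMemory, Win32_ComputerSystem and Win32_Processor queried via WMI, each tagged Virtualization/Sandbox Evasion) describe one fingerprinting pattern: read hardware identity and capacity, and stop if they look like an analysis VM. The Python below is an added illustration of that logic, not code from the sample, the sandbox, or this report. The vendor markers and the 4 GiB / 2-core thresholds are assumptions chosen to mirror common checks, and the three WMI records are constructed (on a real Windows host the same properties come from Get-CimInstance or wmic). The third record is the check a sandbox operator wants to run against their own VM: values that pass, so the sample does not bail out before showing the interesting behaviour.

```python
# Vendor substrings malware commonly matches against Win32_ComputerSystem
# Manufacturer/Model. Assumption: representative, not exhaustive. Order
# matters: the first match wins, so the generic "virtual" comes last.
VM_VENDOR_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "kvm",
                     "xen", "parallels", "virtual")
MIN_RAM_BYTES = 4 * 1024**3   # assumption: under 4 GiB reads as a lab VM
MIN_CORES = 2                 # assumption: a single core reads as a lab VM


def vm_indicators(wmi: dict) -> list[str]:
    """Return the reasons a sample would conclude it is inside a VM, given
    the three WMI classes the report shows it querying. An empty list means
    the host looks real to this check."""
    hits = []
    cs = wmi.get("Win32_ComputerSystem", {})
    vendor = f"{cs.get('Manufacturer', '')} {cs.get('Model', '')}".lower()
    for marker in VM_VENDOR_MARKERS:
        if marker in vendor:
            hits.append(f"vendor string '{marker}'")
            break
    # Sum every DIMM; an empty Win32_PhysicalMemory result (class hidden or
    # query blocked) sums to 0 and is flagged too, which is what malware sees.
    ram = sum(dimm.get("Capacity", 0) for dimm in wmi.get("Win32_PhysicalMemory", []))
    if ram < MIN_RAM_BYTES:
        hits.append(f"{ram // 1024**2} MiB RAM")
    cores = sum(cpu.get("NumberOfCores", 0) for cpu in wmi.get("Win32_Processor", []))
    if cores < MIN_CORES:
        hits.append(f"{cores} core(s)")
    return hits


def looks_like_sandbox(wmi: dict) -> bool:
    """True if any indicator fired; a sample typically exits or sleeps here."""
    return bool(vm_indicators(wmi))


# Constructed WMI results (not taken from the report).
SANDBOX_VM = {  # a default analysis VM: vendor string, 2 GiB, one core
    "Win32_ComputerSystem": {"Manufacturer": "VMware, Inc.", "Model": "VMware Virtual Platform"},
    "Win32_PhysicalMemory": [{"Capacity": 2 * 1024**3}],
    "Win32_Processor": [{"NumberOfCores": 1}],
}
PHYSICAL_HOST = {  # an ordinary workstation
    "Win32_ComputerSystem": {"Manufacturer": "Dell Inc.", "Model": "OptiPlex 7090"},
    "Win32_PhysicalMemory": [{"Capacity": 16 * 1024**3}, {"Capacity": 16 * 1024**3}],
    "Win32_Processor": [{"NumberOfCores": 8}],
}
HARDENED_VM = {  # a lab VM whose exposed values were changed to pass the checks
    "Win32_ComputerSystem": {"Manufacturer": "Dell Inc.", "Model": "Precision 3650"},
    "Win32_PhysicalMemory": [{"Capacity": 8 * 1024**3}],
    "Win32_Processor": [{"NumberOfCores": 4}],
}

if __name__ == "__main__":
    for name, rec in (("sandbox", SANDBOX_VM), ("physical", PHYSICAL_HOST), ("hardened", HARDENED_VM)):
        print(f"{name:9s} sandbox={looks_like_sandbox(rec)} {vm_indicators(rec)}")
```

Hiding a WMI class is not a fix: the memory sum then comes back as zero and the host looks even less real. The values have to be plausible, which is why the hardened record changes them rather than removing them.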
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_00000b
|
ASCII text, with very long lines (65536), with no line terminators
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_00000b
|
Category: |
dropped
|
Dump: |
f_00000b.13.dr
|
ID: |
dr_82
|
Target ID: |
13
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
ASCII text, with very long lines (65536), with no line terminators
|
Entropy: |
6.022413301778022
|
Encrypted: |
false
|
Size: |
78840
|
Whitelisted: |
false
|
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\index
|
FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Cache\Cache_Data\index
|
Category: |
dropped
|
Dump: |
index.13.dr
|
ID: |
dr_67
|
Target ID: |
13
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
|
Entropy: |
4.989325630401085E-4
|
Encrypted: |
false
|
Size: |
524656
|
Whitelisted: |
false
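
The Entropy, Encrypted and Size fields are the triage values the sandbox computes for every dropped file: this cache index scores about 0.0005 because it is almost entirely zero bytes, the cached script f_00000a about 5.6, and the 74 MB submission itself 7.948. The Python below is an added illustration, not code from the report or its tooling: it computes the same Shannon entropy, applies a packed/encrypted threshold (7.5 bits per byte is an assumption; the sandbox's own cut-off is not given on this page) and adds the sliding-window profile an analyst uses to locate the low-entropy stub in front of a packed payload. Both input blobs are constructed stand-ins, not the bytes of the report's files.

```python
import math
import random
from collections import Counter

# Threshold above which a blob is treated as packed/encrypted. Assumption:
# the sandbox's real cut-off is not stated on this page.
PACKED_THRESHOLD = 7.5
WINDOW = 4096  # bytes per window for the sliding profile (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform).
    This is the quantity shown in the report's 'Entropy' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, threshold: float = PACKED_THRESHOLD) -> dict:
    """Reproduce the per-file Size / Entropy / Encrypted triple."""
    h = shannon_entropy(data)
    return {"size": len(data), "entropy": round(h, 6), "encrypted": h >= threshold}


def entropy_profile(data: bytes, window: int = WINDOW) -> list[float]:
    """Per-window entropy. A whole-file value near 7.9 hides structure; the
    profile separates the low-entropy PE header/stub from the packed payload,
    which is where the unpacking routine is usually found."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


# Constructed stand-ins for the dropped files (not the real bytes).
# 1. A Chromium cache index like Cache_Data\index: a short header, then zeros.
CONSTRUCTED_INDEX = bytes(range(32)) + b"\x00" * 524_000
# 2. A packed PE: DOS stub text padded to one window, then pseudo-random bytes
#    from a seeded generator so the numbers are reproducible.
_rng = random.Random(1)
_stub = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n$"
CONSTRUCTED_PACKED_PE = _stub.ljust(WINDOW, b"\x00") + _rng.randbytes(64 * WINDOW)

if __name__ == "__main__":
    for name, blob in (("index", CONSTRUCTED_INDEX), ("packed_pe", CONSTRUCTED_PACKED_PE)):
        print(name, classify(blob))
    prof = entropy_profile(CONSTRUCTED_PACKED_PE)
    print("first window %.2f, last window %.2f" % (prof[0], prof[-1]))
```

The whole-file number alone cannot tell a legitimately compressed installer from a packed dropper; both land near 7.9. The profile narrows the question to where the high-entropy region starts and whether a readable stub precedes it, which is what to check next on a sample like this one.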
|
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\012edbef7abcf9c9_0
|
data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\012edbef7abcf9c9_0
|
Category: |
dropped
|
Dump: |
012edbef7abcf9c9_0.10.dr
|
ID: |
dr_22
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
data
|
Entropy: |
5.597244278034834
|
Encrypted: |
false
|
Size: |
259
|
Whitelisted: |
false
|
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\01627f27fb7071ca_0
|
data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\01627f27fb7071ca_0
|
Category: |
dropped
|
Dump: |
01627f27fb7071ca_0.10.dr
|
ID: |
dr_48
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
data
|
Entropy: |
5.503249529812329
|
Encrypted: |
false
|
Size: |
219
|
Whitelisted: |
false
|
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\1493379f364199af_0
|
data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\1493379f364199af_0
|
Category: |
dropped
|
Dump: |
1493379f364199af_0.10.dr
|
ID: |
dr_53
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
data
|
Entropy: |
5.329216821969306
|
Encrypted: |
false
|
Size: |
230
|
Whitelisted: |
false
|
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\5639aaefef9788b1_0
|
data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\5639aaefef9788b1_0
|
Category: |
dropped
|
Dump: |
5639aaefef9788b1_0.10.dr
|
ID: |
dr_54
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
data
|
Entropy: |
5.459232892716585
|
Encrypted: |
false
|
Size: |
241
|
Whitelisted: |
false
|
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\56ff516abbc097e3_0
|
data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\56ff516abbc097e3_0
|
Category: |
dropped
|
Dump: |
56ff516abbc097e3_0.10.dr
|
ID: |
dr_21
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
data
|
Entropy: |
5.486935389361818
|
Encrypted: |
false
|
Size: |
249
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Queries memory information (via WMI often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
|
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Adds / modifies Windows certificates |
Lowering of HIPS / PFW / Operating System Security Settings |
|
Allocates memory with a write watch (potentially for evading sandboxes) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Contains long sleeps (>= 3 min) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Drops PE files |
Persistence and Installation Behavior |
|
Drops PE files to the application program directory (C:\ProgramData) |
Persistence and Installation Behavior |
|
Enables debug privileges |
Anti Debugging |
|
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) |
Malware Analysis System Evasion |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Monitors certain registry keys / values for changes (often done to protect autostart functionality) |
Hooking and other Techniques for Hiding and Protection |
|
PE file contains executable resources (Code or Archives) |
System Summary |
|
PE file contains sections with non-standard names |
Data Obfuscation |
|
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines) |
Malware Analysis System Evasion |
System Information Discovery
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
Stores large binary data to the registry |
Hooking and other Techniques for Hiding and Protection |
|
Uses 32bit PE files |
Compliance, System Summary |
|
Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
Contains medium sleeps (>= 30s) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Creates files inside the user directory |
System Summary |
|
Creates guard pages, often used to prevent reverse engineering and debugging |
Anti Debugging |
|
Creates mutexes |
System Summary |
|
Creates temporary files |
System Summary |
|
Disables application error messages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
Queries process information (via WMI, Win32_Process) |
System Summary |
System Information Discovery
Windows Management Instrumentation
|
Queries the cryptographic machine GUID |
Language, Device and Operating System Detection |
System Information Discovery
|
Reads software policies |
System Summary |
System Information Discovery
|
Sample reads its own file content |
System Summary |
|
Spawns processes |
System Summary |
|
Tries to load missing DLLs |
System Summary |
|
Uses an in-process (OLE) Automation server |
System Summary |
|
PE file contains a valid data directory to section mapping |
System Summary |
|
PE file contains a debug data directory |
System Summary |
|
Contains modern PE file flags such as dynamic base (ASLR) or NX |
Compliance, System Summary |
|
PE file contains a mix of data directories often seen in goodware |
System Summary |
|
PE file has a big raw section |
System Summary |
|
PE / OLE file has a valid certificate |
Compliance, System Summary |
|
PE file has a big code size |
System Summary |
|
Submission file is bigger than most known malware samples |
System Summary |
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\57587f1582d66016_0
|
data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\57587f1582d66016_0
|
Category: |
dropped
|
Dump: |
57587f1582d66016_0.10.dr
|
ID: |
dr_75
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
data
|
Entropy: |
5.597915883121067
|
Encrypted: |
false
|
Size: |
240
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\5e6b352005ba6b9c_0
|
data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\5e6b352005ba6b9c_0
|
Category: |
dropped
|
Dump: |
5e6b352005ba6b9c_0.10.dr
|
ID: |
dr_73
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
data
|
Entropy: |
5.4980919158215285
|
Encrypted: |
false
|
Size: |
249
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\735bf054f08dabfd_0
|
data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\735bf054f08dabfd_0
|
Category: |
dropped
|
Dump: |
735bf054f08dabfd_0.10.dr
|
ID: |
dr_50
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
data
|
Entropy: |
5.43827034976762
|
Encrypted: |
false
|
Size: |
221
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\90b10fdbbf5e582a_0
|
data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\90b10fdbbf5e582a_0
|
Category: |
dropped
|
Dump: |
90b10fdbbf5e582a_0.10.dr
|
ID: |
dr_51
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
data
|
Entropy: |
5.291663433457455
|
Encrypted: |
false
|
Size: |
230
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\af91641539dc4e3a_0
|
data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\af91641539dc4e3a_0
|
Category: |
dropped
|
Dump: |
af91641539dc4e3a_0.10.dr
|
ID: |
dr_52
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
data
|
Entropy: |
5.3556507022103546
|
Encrypted: |
false
|
Size: |
246
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\c43927c4ca8e9a6d_0
|
data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\c43927c4ca8e9a6d_0
|
Category: |
dropped
|
Dump: |
c43927c4ca8e9a6d_0.10.dr
|
ID: |
dr_49
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
data
|
Entropy: |
5.371845171584791
|
Encrypted: |
false
|
Size: |
239
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Queries memory information (via WMI often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
|
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Adds / modifies Windows certificates |
Lowering of HIPS / PFW / Operating System Security Settings |
|
Allocates memory with a write watch (potentially for evading sandboxes) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Contains long sleeps (>= 3 min) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Drops PE files |
Persistence and Installation Behavior |
|
Drops PE files to the application program directory (C:\ProgramData) |
Persistence and Installation Behavior |
|
Enables debug privileges |
Anti Debugging |
|
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) |
Malware Analysis System Evasion |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Monitors certain registry keys / values for changes (often done to protect autostart functionality) |
Hooking and other Techniques for Hiding and Protection |
|
PE file contains executable resources (Code or Archives) |
System Summary |
|
PE file contains sections with non-standard names |
Data Obfuscation |
|
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines) |
Malware Analysis System Evasion |
System Information Discovery
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
Stores large binary data to the registry |
Hooking and other Techniques for Hiding and Protection |
|
Uses 32bit PE files |
Compliance, System Summary |
|
Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
Contains medium sleeps (>= 30s) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Creates files inside the user directory |
System Summary |
|
Creates guard pages, often used to prevent reverse engineering and debugging |
Anti Debugging |
|
Creates mutexes |
System Summary |
|
Creates temporary files |
System Summary |
|
Disables application error messages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
Queries process information (via WMI, Win32_Process) |
System Summary |
System Information Discovery
Windows Management Instrumentation
|
Queries the cryptographic machine GUID |
Language, Device and Operating System Detection |
System Information Discovery
|
Reads software policies |
System Summary |
System Information Discovery
|
Sample reads its own file content |
System Summary |
|
Spawns processes |
System Summary |
|
Tries to load missing DLLs |
System Summary |
|
Uses an in-process (OLE) Automation server |
System Summary |
|
PE file contains a valid data directory to section mapping |
System Summary |
|
PE file contains a debug data directory |
System Summary |
|
Contains modern PE file flags such as dynamic base (ASLR) or NX |
Compliance, System Summary |
|
PE file contains a mix of data directories often seen in goodware |
System Summary |
|
PE file has a big raw section |
System Summary |
|
PE / OLE file has a valid certificate |
Compliance, System Summary |
|
PE file has a big code size |
System Summary |
|
Submission file is bigger than most known malware samples |
System Summary |
|
|
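The WMI and registry signatures in the table above (Win32_ComputerSystem, Win32_Processor, Win32_PhysicalMemory, Win32_Process, the cryptographic MachineGuid, volume serial numbers) describe host fingerprinting, which a sandbox-aware binary turns into a virtual-machine check. The script below is an added illustration of what those queries look like and how they are typically scored; it is not code from USBRecoveryCreator.exe, from the sandbox, or from the report. The function names, the hypervisor and analysis-tool marker lists, and the core/RAM thresholds are assumptions chosen for the example. Legitimate installers and hardware utilities issue the same queries for inventory purposes, so these hits are context for triage, not a verdict on their own.

```powershell
# Added illustration of the host-fingerprinting queries named in the signature list.
# Not code from the analysed sample or the sandbox; marker strings and thresholds are assumptions.

function Get-HostFingerprint {
    # Win32_ComputerSystem: manufacturer/model expose VMware, VirtualBox, QEMU and Hyper-V guests
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    # Win32_Processor: CPU name and core count; analysis VMs are often given one or two cores
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    # Win32_PhysicalMemory: total installed RAM; small values are a classic VM tell
    $ramBytes = (Get-CimInstance -ClassName Win32_PhysicalMemory |
                 Measure-Object -Property Capacity -Sum).Sum
    # Win32_Process: running process names, where monitoring tools and guest agents show up
    $procs = (Get-CimInstance -ClassName Win32_Process).Name
    # Cryptographic MachineGuid: per-installation identifier, stable across reboots
    $guid = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Cryptography').MachineGuid
    # Volume serial of the system drive (the "queries the volume information" signature)
    $vol  = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

    [pscustomobject]@{
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        CpuName      = $cpu.Name
        Cores        = $cpu.NumberOfCores
        RamGB        = [math]::Round($ramBytes / 1GB, 1)
        MachineGuid  = $guid
        VolumeSerial = $vol.VolumeSerialNumber
        Processes    = $procs
    }
}

function Test-LooksLikeSandbox {
    param([Parameter(Mandatory)] $Fingerprint)
    # Assumed marker lists; tune them to the environments you actually run
    $vmMarkers   = 'VMware', 'VirtualBox', 'innotek', 'QEMU', 'KVM', 'Xen', 'Virtual Machine', 'Parallels'
    $toolMarkers = 'procmon', 'procexp', 'wireshark', 'x64dbg', 'x32dbg', 'ollydbg', 'idaq', 'vboxservice', 'vmtoolsd'
    $reasons = @()
    $hw = "$($Fingerprint.Manufacturer) $($Fingerprint.Model)"
    foreach ($m in $vmMarkers) {
        if ($hw -match [regex]::Escape($m)) { $reasons += "hardware string '$m'" }
    }
    if ($Fingerprint.Cores -le 2) { $reasons += "only $($Fingerprint.Cores) CPU core(s)" }
    if ($Fingerprint.RamGB -lt 4) { $reasons += "only $($Fingerprint.RamGB) GB RAM" }
    foreach ($p in $Fingerprint.Processes) {
        foreach ($t in $toolMarkers) {
            if ($p -match "^$t") { $reasons += "analysis tool running: $p" }
        }
    }
    [pscustomobject]@{ Suspicious = ($reasons.Count -gt 0); Reasons = $reasons }
}

$fp = Get-HostFingerprint
$fp | Format-List
Test-LooksLikeSandbox -Fingerprint $fp
```

Run it on the analysis VM itself to see which of the fingerprint fields give the guest away; each `Get-CimInstance` call above is what the sandbox records behind the corresponding "Queries ... (via WMI ...)" signature.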
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\d988bfbda8695bb4_0 | data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\d988bfbda8695bb4_0
Category: dropped
Dump: d988bfbda8695bb4_0.10.dr
ID: dr_20
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: data
Entropy: 5.739579419347498
Encrypted: false
Size: 262
Whitelisted: false
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\index-dir\temp-index | x86 executable not stripped | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\index-dir\temp-index
Category: dropped
Dump: temp-index1.10.dr
ID: dr_81
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: x86 executable not stripped (heuristic type string; the path is a WebView2 code-cache index written by msedgewebview2.exe)
Entropy: 4.792426332417204
Encrypted: false
Size: 336
Whitelisted: false
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\index-dir\the-real-index (copy) | data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\index-dir\the-real-index (copy)
Category: dropped
Dump: temp-index0.10.dr
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: data
Entropy: 0.0
Encrypted: false
Size: 0
Whitelisted: false
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\index-dir\the-real-index~RF4d0d28.TMP (copy) | data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\js\index-dir\the-real-index~RF4d0d28.TMP (copy)
Category: dropped
Dump: temp-index0.10.dr
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: data
Entropy: 0.0
Encrypted: false
Size: 0
Whitelisted: false
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\wasm\index | data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\wasm\index
Category: dropped
Dump: index0.10.dr
ID: dr_33
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: data
Entropy: 2.1431558784658327
Encrypted: false
Size: 24
Whitelisted: false
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\wasm\index-dir\temp-index | data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\wasm\index-dir\temp-index
Category: dropped
Dump: temp-index.10.dr
ID: dr_35
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: data
Entropy: 2.9972243200613975
Encrypted: false
Size: 48
Whitelisted: false
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\wasm\index-dir\the-real-index (copy) | data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Code Cache\wasm\index-dir\the-real-index (copy)
Category: dropped
Dump: temp-index.10.dr
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: data
Entropy: 0.0
Encrypted: false
Size: 0
Whitelisted: false
Signature Hits |
Behavior Group |
Mitre Attack |
|
Queries memory information (via WMI often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
|
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Adds / modifies Windows certificates |
Lowering of HIPS / PFW / Operating System Security Settings |
|
Allocates memory with a write watch (potentially for evading sandboxes) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Contains long sleeps (>= 3 min) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Drops PE files |
Persistence and Installation Behavior |
|
Drops PE files to the application program directory (C:\ProgramData) |
Persistence and Installation Behavior |
|
Enables debug privileges |
Anti Debugging |
|
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) |
Malware Analysis System Evasion |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Monitors certain registry keys / values for changes (often done to protect autostart functionality) |
Hooking and other Techniques for Hiding and Protection |
|
PE file contains executable resources (Code or Archives) |
System Summary |
|
PE file contains sections with non-standard names |
Data Obfuscation |
|
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines) |
Malware Analysis System Evasion |
System Information Discovery
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
Stores large binary data to the registry |
Hooking and other Techniques for Hiding and Protection |
|
Uses 32bit PE files |
Compliance, System Summary |
|
Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
Contains medium sleeps (>= 30s) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Creates files inside the user directory |
System Summary |
|
Creates guard pages, often used to prevent reverse engineering and debugging |
Anti Debugging |
|
Creates mutexes |
System Summary |
|
Creates temporary files |
System Summary |
|
Disables application error messages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
Queries process information (via WMI, Win32_Process) |
System Summary |
System Information Discovery
Windows Management Instrumentation
|
Queries the cryptographic machine GUID |
Language, Device and Operating System Detection |
System Information Discovery
|
Reads software policies |
System Summary |
System Information Discovery
|
Sample reads its own file content |
System Summary |
|
Spawns processes |
System Summary |
|
Tries to load missing DLLs |
System Summary |
|
Uses an in-process (OLE) Automation server |
System Summary |
|
PE file contains a valid data directory to section mapping |
System Summary |
|
PE file contains a debug data directory |
System Summary |
|
Contains modern PE file flags such as dynamic base (ASLR) or NX |
Compliance, System Summary |
|
PE file contains a mix of data directories often seen in goodware |
System Summary |
|
PE file has a big raw section |
System Summary |
|
PE / OLE file has a valid certificate |
Compliance, System Summary |
|
PE file has a big code size |
System Summary |
|
Submission file is bigger than most known malware samples |
System Summary |
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\DawnCache\data_1
|
data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\DawnCache\data_1
|
Category: |
dropped
|
Dump: |
data_10.10.dr
|
ID: |
dr_91
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
data
|
Entropy: |
8.280239615765425E-4
|
Encrypted: |
false
|
Size: |
270336
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\DawnCache\index
|
FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\DawnCache\index
|
Category: |
dropped
|
Dump: |
index2.10.dr
|
ID: |
dr_39
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
|
Entropy: |
9.47693366977411E-4
|
Encrypted: |
false
|
Size: |
262512
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\GPUCache\data_0
|
dBase III DBT, next free block index 3238316739, block length 1024
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\GPUCache\data_0
|
Category: |
dropped
|
Dump: |
data_00.10.dr
|
ID: |
dr_88
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
dBase III DBT, next free block index 3238316739, block length 1024
|
Entropy: |
0.028444322673708927
|
Encrypted: |
false
|
Size: |
45056
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\GPUCache\data_1
|
data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\GPUCache\data_1
|
Category: |
dropped
|
Dump: |
data_1.10.dr
|
ID: |
dr_89
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
data
|
Entropy: |
0.03907509111859803
|
Encrypted: |
false
|
Size: |
270336
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\GPUCache\data_2
|
dBase III DBT, next free block index 3238316739, block length 1024
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\GPUCache\data_2
|
Category: |
dropped
|
Dump: |
data_2.10.dr
|
ID: |
dr_90
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
dBase III DBT, next free block index 3238316739, block length 1024
|
Entropy: |
0.08376133919497868
|
Encrypted: |
false
|
Size: |
1056768
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\GPUCache\index
|
FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\GPUCache\index
|
Category: |
dropped
|
Dump: |
index1.10.dr
|
ID: |
dr_38
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
|
Entropy: |
9.553120663130604E-4
|
Encrypted: |
false
|
Size: |
262512
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\56a46b80-df69-4b5d-9cb8-3182e24c6565.tmp
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\56a46b80-df69-4b5d-9cb8-3182e24c6565.tmp
|
Category: |
dropped
|
Dump: |
56a46b80-df69-4b5d-9cb8-3182e24c6565.tmp.13.dr
|
ID: |
dr_66
|
Target ID: |
13
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
1.0
|
Encrypted: |
false
|
Size: |
2
|
Whitelisted: |
false
|
Anti Debugging |
|
Creates mutexes |
System Summary |
|
Creates temporary files |
System Summary |
|
Disables application error messages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
Queries process information (via WMI, Win32_Process) |
System Summary |
System Information Discovery
Windows Management Instrumentation
|
Queries the cryptographic machine GUID |
Language, Device and Operating System Detection |
System Information Discovery
|
Reads software policies |
System Summary |
System Information Discovery
|
Sample reads its own file content |
System Summary |
|
Spawns processes |
System Summary |
|
Tries to load missing DLLs |
System Summary |
|
Uses an in-process (OLE) Automation server |
System Summary |
|
PE file contains a valid data directory to section mapping |
System Summary |
|
PE file contains a debug data directory |
System Summary |
|
Contains modern PE file flags such as dynamic base (ASLR) or NX |
Compliance, System Summary |
|
PE file contains a mix of data directories often seen in goodware |
System Summary |
|
PE file has a big raw section |
System Summary |
|
PE / OLE file has a valid certificate |
Compliance, System Summary |
|
PE file has a big code size |
System Summary |
|
Submission file is bigger than most known malware samples |
System Summary |
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\65442db1-2f61-4545-a6d0-61bd377815a9.tmp
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\65442db1-2f61-4545-a6d0-61bd377815a9.tmp
|
Category: |
dropped
|
Dump: |
65442db1-2f61-4545-a6d0-61bd377815a9.tmp.13.dr
|
ID: |
dr_87
|
Target ID: |
13
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
5.252848960418791
|
Encrypted: |
false
|
Size: |
1803
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\7a58ac41-47c3-4414-b6ee-90555ae92473.tmp
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\7a58ac41-47c3-4414-b6ee-90555ae92473.tmp
|
Category: |
dropped
|
Dump: |
7a58ac41-47c3-4414-b6ee-90555ae92473.tmp.13.dr
|
ID: |
dr_57
|
Target ID: |
13
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
4.1275671571169275
|
Encrypted: |
false
|
Size: |
40
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\Network Persistent State (copy)
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\Network Persistent State (copy)
|
Category: |
dropped
|
Dump: |
e8b728ca-a013-4d5a-b2df-97ac4ad0c62d.tmp.13.dr
|
Target ID: |
13
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
0.0
|
Encrypted: |
false
|
Size: |
0
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\Network Persistent State~RF4d1333.TMP (copy)
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\Network Persistent State~RF4d1333.TMP (copy)
|
Category: |
dropped
|
Dump: |
e8b728ca-a013-4d5a-b2df-97ac4ad0c62d.tmp.13.dr
|
Target ID: |
13
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
0.0
|
Encrypted: |
false
|
Size: |
0
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\Network Persistent State~RF4d812f.TMP (copy)
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\Network Persistent State~RF4d812f.TMP (copy)
|
Category: |
dropped
|
Dump: |
e8b728ca-a013-4d5a-b2df-97ac4ad0c62d.tmp.13.dr
|
Target ID: |
13
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
0.0
|
Encrypted: |
false
|
Size: |
0
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\SCT Auditing Pending Reports (copy)
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\SCT Auditing Pending Reports (copy)
|
Category: |
dropped
|
Dump: |
56a46b80-df69-4b5d-9cb8-3182e24c6565.tmp.13.dr
|
Target ID: |
13
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
0.0
|
Encrypted: |
false
|
Size: |
0
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\SCT Auditing Pending Reports~RF4c638a.TMP (copy)
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\SCT Auditing Pending Reports~RF4c638a.TMP (copy)
|
Category: |
dropped
|
Dump: |
56a46b80-df69-4b5d-9cb8-3182e24c6565.tmp.13.dr
|
Target ID: |
13
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
0.0
|
Encrypted: |
false
|
Size: |
0
|
Whitelisted: |
false
|
Signature Hits | Behavior Group | MITRE ATT&CK
Queries memory information (via WMI often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery; Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery; Windows Management Instrumentation; Virtualization/Sandbox Evasion
Adds / modifies Windows certificates | Lowering of HIPS / PFW / Operating System Security Settings |
Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |
Enables debug privileges | Anti Debugging |
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Monitors certain registry keys / values for changes (often done to protect autostart functionality) | Hooking and other Techniques for Hiding and Protection |
PE file contains executable resources (Code or Archives) | System Summary |
PE file contains sections with non-standard names | Data Obfuscation |
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines) | Malware Analysis System Evasion | System Information Discovery; Security Software Discovery; Windows Management Instrumentation; Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery; Windows Management Instrumentation; Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Stores large binary data to the registry | Hooking and other Techniques for Hiding and Protection |
Uses 32bit PE files | Compliance, System Summary |
Very long cmdline option found, this is very uncommon (may be encrypted or packed) | HIPS / PFW / Operating System Protection Evasion | Command and Scripting Interpreter
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates files inside the user directory | System Summary |
Creates guard pages, often used to prevent reverse engineering and debugging | Anti Debugging |
Creates mutexes | System Summary |
Creates temporary files | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Queries process information (via WMI, Win32_Process) | System Summary | System Information Discovery; Windows Management Instrumentation
Queries the cryptographic machine GUID | Language, Device and Operating System Detection | System Information Discovery
Reads software policies | System Summary | System Information Discovery
Sample reads its own file content | System Summary |
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |
Uses an in-process (OLE) Automation server | System Summary |
PE file contains a valid data directory to section mapping | System Summary |
PE file contains a debug data directory | System Summary |
Contains modern PE file flags such as dynamic base (ASLR) or NX | Compliance, System Summary |
PE file contains a mix of data directories often seen in goodware | System Summary |
PE file has a big raw section | System Summary |
PE / OLE file has a valid certificate | Compliance, System Summary |
PE file has a big code size | System Summary |
Submission file is bigger than most known malware samples | System Summary |

C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\Sdch Dictionaries (copy) | JSON data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\Sdch Dictionaries (copy)
Category: dropped
Dump: 7a58ac41-47c3-4414-b6ee-90555ae92473.tmp.13.dr
Target ID: 13
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: JSON data
Entropy: 0.0
Encrypted: false
Size: 0
Whitelisted: false

C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\d0f21931-ace5-4cde-9bcf-4e0b07f57c1b.tmp | JSON data | modified

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\d0f21931-ace5-4cde-9bcf-4e0b07f57c1b.tmp
Category: modified
Dump: d0f21931-ace5-4cde-9bcf-4e0b07f57c1b.tmp.13.dr
ID: dr_83
Target ID: 13
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: JSON data
Entropy: 4.619434150836742
Encrypted: false
Size: 59
Whitelisted: false

C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\e8b728ca-a013-4d5a-b2df-97ac4ad0c62d.tmp | JSON data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Network\e8b728ca-a013-4d5a-b2df-97ac4ad0c62d.tmp
Category: dropped
Dump: e8b728ca-a013-4d5a-b2df-97ac4ad0c62d.tmp.13.dr
ID: dr_58
Target ID: 13
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: JSON data
Entropy: 4.619434150836742
Encrypted: false
Size: 59
Whitelisted: false

C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Preferences (copy) | JSON data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Preferences (copy)
Category: dropped
Dump: 39f80b5e-f713-4e1b-86f3-4ccef2e12912.tmp.10.dr
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: JSON data
Entropy: 0.0
Encrypted: false
Size: 0
Whitelisted: false

C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Preferences~RF4cbb30.TMP (copy) | JSON data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Preferences~RF4cbb30.TMP (copy)
Category: dropped
Dump: 39f80b5e-f713-4e1b-86f3-4ccef2e12912.tmp.10.dr
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: JSON data
Entropy: 0.0
Encrypted: false
Size: 0
Whitelisted: false

C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Preferences~RF4cee17.TMP (copy) | JSON data | dropped

File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Preferences~RF4cee17.TMP (copy)
Category: dropped
Dump: 39f80b5e-f713-4e1b-86f3-4ccef2e12912.tmp.10.dr
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: JSON data
Entropy: 0.0
Encrypted: false
Size: 0
Whitelisted: false

C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Preferences~RF4d75c5.TMP (copy)
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Preferences~RF4d75c5.TMP (copy)
|
Category: |
dropped
|
Dump: |
39f80b5e-f713-4e1b-86f3-4ccef2e12912.tmp.10.dr
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
0.0
|
Encrypted: |
false
|
Size: |
0
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\PreferredApps
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\PreferredApps
|
Category: |
dropped
|
Dump: |
PreferredApps.10.dr
|
ID: |
dr_78
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
4.051821770808046
|
Encrypted: |
false
|
Size: |
33
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\README
|
ASCII text, with no line terminators
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\README
|
Category: |
dropped
|
Dump: |
README.10.dr
|
ID: |
dr_29
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
ASCII text, with no line terminators
|
Entropy: |
4.2629097520179995
|
Encrypted: |
false
|
Size: |
182
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Secure Preferences (copy)
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Secure Preferences (copy)
|
Category: |
dropped
|
Dump: |
027a0f36-1d5f-43db-80d9-0c51c5940405.tmp.10.dr
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
0.0
|
Encrypted: |
false
|
Size: |
0
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Site Characteristics Database\000001.dbtmp
|
ASCII text
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Site Characteristics Database\000001.dbtmp
|
Category: |
dropped
|
Dump: |
000001.dbtmp.10.dr
|
ID: |
dr_31
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
ASCII text
|
Entropy: |
3.2743974703476995
|
Encrypted: |
false
|
Size: |
16
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Site Characteristics Database\CURRENT (copy)
|
ASCII text
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Site Characteristics Database\CURRENT (copy)
|
Category: |
dropped
|
Dump: |
000001.dbtmp.10.dr
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
ASCII text
|
Entropy: |
0.0
|
Encrypted: |
false
|
Size: |
0
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Sync Data\LevelDB\MANIFEST-000001
|
OpenPGP Secret Key
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\Sync Data\LevelDB\MANIFEST-000001
|
Category: |
dropped
|
Dump: |
MANIFEST-000001.10.dr
|
ID: |
dr_37
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
OpenPGP Secret Key
|
Entropy: |
4.704993772857998
|
Encrypted: |
false
|
Size: |
41
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Queries memory information (via WMI often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
|
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Adds / modifies Windows certificates |
Lowering of HIPS / PFW / Operating System Security Settings |
|
Allocates memory with a write watch (potentially for evading sandboxes) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Contains long sleeps (>= 3 min) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Drops PE files |
Persistence and Installation Behavior |
|
Drops PE files to the application program directory (C:\ProgramData) |
Persistence and Installation Behavior |
|
Enables debug privileges |
Anti Debugging |
|
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) |
Malware Analysis System Evasion |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Monitors certain registry keys / values for changes (often done to protect autostart functionality) |
Hooking and other Techniques for Hiding and Protection |
|
PE file contains executable resources (Code or Archives) |
System Summary |
|
PE file contains sections with non-standard names |
Data Obfuscation |
|
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines) |
Malware Analysis System Evasion |
System Information Discovery
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
Stores large binary data to the registry |
Hooking and other Techniques for Hiding and Protection |
|
Uses 32bit PE files |
Compliance, System Summary |
|
Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
Contains medium sleeps (>= 30s) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Creates files inside the user directory |
System Summary |
|
Creates guard pages, often used to prevent reverse engineering and debugging |
Anti Debugging |
|
Creates mutexes |
System Summary |
|
Creates temporary files |
System Summary |
|
Disables application error messages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
Queries process information (via WMI, Win32_Process) |
System Summary |
System Information Discovery
Windows Management Instrumentation
|
Queries the cryptographic machine GUID |
Language, Device and Operating System Detection |
System Information Discovery
|
Reads software policies |
System Summary |
System Information Discovery
|
Sample reads its own file content |
System Summary |
|
Spawns processes |
System Summary |
|
Tries to load missing DLLs |
System Summary |
|
Uses an in-process (OLE) Automation server |
System Summary |
|
PE file contains a valid data directory to section mapping |
System Summary |
|
PE file contains a debug data directory |
System Summary |
|
Contains modern PE file flags such as dynamic base (ASLR) or NX |
Compliance, System Summary |
|
PE file contains a mix of data directories often seen in goodware |
System Summary |
|
PE file has a big raw section |
System Summary |
|
PE / OLE file has a valid certificate |
Compliance, System Summary |
|
PE file has a big code size |
System Summary |
|
Submission file is bigger than most known malware samples |
System Summary |
|
|
File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Default\b9ef0d62-b181-4573-a293-e03534377839.tmp
Category: dropped
Dump: b9ef0d62-b181-4573-a293-e03534377839.tmp.10.dr
ID: dr_74
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: JSON data
Entropy: 4.856913687531697
Encrypted: false
Size: 6159
Whitelisted: false
|
|
File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\GrShaderCache\index
Category: dropped
Dump: index3.10.dr
ID: dr_43
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Entropy: 9.553120663130604E-4
Encrypted: false
Size: 262512
Whitelisted: false
|
|
File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\GraphiteDawnCache\data_0
Category: dropped
Dump: data_0.10.dr
ID: dr_56
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Entropy: 0.01057775872642915
Encrypted: false
Size: 8192
Whitelisted: false
|
|
File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\GraphiteDawnCache\index
Category: dropped
Dump: index4.10.dr
ID: dr_55
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Entropy: 9.553120663130604E-4
Encrypted: false
Size: 262512
Whitelisted: false
|
|
File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Last Version
Category: dropped
Dump: Last Version.10.dr
ID: dr_28
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: ASCII text, with no line terminators
Entropy: 2.7192945256669794
Encrypted: false
Size: 13
Whitelisted: false
|
|
File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Local State (copy)
Category: dropped
Dump: 6fd7a13f-0753-4d03-b0e5-eb9627615cf1.tmp.10.dr
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: JSON data
Entropy: 0.0
Encrypted: false
Size: 0
Whitelisted: false
|
|
File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Local State~RF4c6213.TMP (copy)
Category: dropped
Dump: 6fd7a13f-0753-4d03-b0e5-eb9627615cf1.tmp.10.dr
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: JSON data
Entropy: 0.0
Encrypted: false
Size: 0
Whitelisted: false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Queries memory information (via WMI often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
|
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Adds / modifies Windows certificates |
Lowering of HIPS / PFW / Operating System Security Settings |
|
Allocates memory with a write watch (potentially for evading sandboxes) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Contains long sleeps (>= 3 min) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Drops PE files |
Persistence and Installation Behavior |
|
Drops PE files to the application program directory (C:\ProgramData) |
Persistence and Installation Behavior |
|
Enables debug privileges |
Anti Debugging |
|
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) |
Malware Analysis System Evasion |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Monitors certain registry keys / values for changes (often done to protect autostart functionality) |
Hooking and other Techniques for Hiding and Protection |
|
PE file contains executable resources (Code or Archives) |
System Summary |
|
PE file contains sections with non-standard names |
Data Obfuscation |
|
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines) |
Malware Analysis System Evasion |
System Information Discovery
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
Stores large binary data to the registry |
Hooking and other Techniques for Hiding and Protection |
|
Uses 32bit PE files |
Compliance, System Summary |
|
Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
Contains medium sleeps (>= 30s) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Creates files inside the user directory |
System Summary |
|
Creates guard pages, often used to prevent reverse engineering and debugging |
Anti Debugging |
|
Creates mutexes |
System Summary |
|
Creates temporary files |
System Summary |
|
Disables application error messages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
Queries process information (via WMI, Win32_Process) |
System Summary |
System Information Discovery
Windows Management Instrumentation
|
Queries the cryptographic machine GUID |
Language, Device and Operating System Detection |
System Information Discovery
|
Reads software policies |
System Summary |
System Information Discovery
|
Sample reads its own file content |
System Summary |
|
Spawns processes |
System Summary |
|
Tries to load missing DLLs |
System Summary |
|
Uses an in-process (OLE) Automation server |
System Summary |
|
PE file contains a valid data directory to section mapping |
System Summary |
|
PE file contains a debug data directory |
System Summary |
|
Contains modern PE file flags such as dynamic base (ASLR) or NX |
Compliance, System Summary |
|
PE file contains a mix of data directories often seen in goodware |
System Summary |
|
PE file has a big raw section |
System Summary |
|
PE / OLE file has a valid certificate |
Compliance, System Summary |
|
PE file has a big code size |
System Summary |
|
Submission file is bigger than most known malware samples |
System Summary |
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Local State~RF4c6261.TMP (copy)
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Local State~RF4c6261.TMP (copy)
|
Category: |
dropped
|
Dump: |
6fd7a13f-0753-4d03-b0e5-eb9627615cf1.tmp.10.dr
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
0.0
|
Encrypted: |
false
|
Size: |
0
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Local State~RF4c8952.TMP (copy)
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Local State~RF4c8952.TMP (copy)
|
Category: |
dropped
|
Dump: |
6fd7a13f-0753-4d03-b0e5-eb9627615cf1.tmp.10.dr
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
0.0
|
Encrypted: |
false
|
Size: |
0
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Local State~RF4ceec3.TMP (copy)
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Local State~RF4ceec3.TMP (copy)
|
Category: |
dropped
|
Dump: |
6fd7a13f-0753-4d03-b0e5-eb9627615cf1.tmp.10.dr
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
0.0
|
Encrypted: |
false
|
Size: |
0
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Local State~RF4d75c5.TMP (copy)
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Local State~RF4d75c5.TMP (copy)
|
Category: |
dropped
|
Dump: |
6fd7a13f-0753-4d03-b0e5-eb9627615cf1.tmp.10.dr
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
0.0
|
Encrypted: |
false
|
Size: |
0
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\ShaderCache\data_3
|
data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\ShaderCache\data_3
|
Category: |
dropped
|
Dump: |
data_3.10.dr
|
ID: |
dr_30
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
data
|
Entropy: |
0.012340643231932763
|
Encrypted: |
false
|
Size: |
8192
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\ShaderCache\index
|
FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\ShaderCache\index
|
Category: |
dropped
|
Dump: |
index.10.dr
|
ID: |
dr_27
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
|
Entropy: |
9.553120663130604E-4
|
Encrypted: |
false
|
Size: |
262512
|
Whitelisted: |
false
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\customSettings
|
ASCII text, with no line terminators
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\customSettings
|
Category: |
dropped
|
Dump: |
customSettings.10.dr
|
ID: |
dr_44
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
ASCII text, with no line terminators
|
Entropy: |
4.3818353308528755
|
Encrypted: |
false
|
Size: |
47
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Queries memory information (via WMI often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
|
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Adds / modifies Windows certificates |
Lowering of HIPS / PFW / Operating System Security Settings |
|
Allocates memory with a write watch (potentially for evading sandboxes) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Contains long sleeps (>= 3 min) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Drops PE files |
Persistence and Installation Behavior |
|
Drops PE files to the application program directory (C:\ProgramData) |
Persistence and Installation Behavior |
|
Enables debug privileges |
Anti Debugging |
|
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) |
Malware Analysis System Evasion |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Monitors certain registry keys / values for changes (often done to protect autostart functionality) |
Hooking and other Techniques for Hiding and Protection |
|
PE file contains executable resources (Code or Archives) |
System Summary |
|
PE file contains sections with non-standard names |
Data Obfuscation |
|
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines) |
Malware Analysis System Evasion |
System Information Discovery
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) |
Malware Analysis System Evasion |
Security Software Discovery
Windows Management Instrumentation
Virtualization/Sandbox Evasion
|
Queries the volume information (name, serial number, etc.) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
Stores large binary data to the registry |
Hooking and other Techniques for Hiding and Protection |
|
Uses 32bit PE files |
Compliance, System Summary |
|
Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
HIPS / PFW / Operating System Protection Evasion |
Command and Scripting Interpreter
|
Contains medium sleeps (>= 30s) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
Creates files inside the user directory |
System Summary |
|
Creates guard pages, often used to prevent reverse engineering and debugging |
Anti Debugging |
|
Creates mutexes |
System Summary |
|
Creates temporary files |
System Summary |
|
Disables application error messages (SetErrorMode) |
Hooking and other Techniques for Hiding and Protection |
|
Queries process information (via WMI, Win32_Process) |
System Summary |
System Information Discovery
Windows Management Instrumentation
|
Queries the cryptographic machine GUID |
Language, Device and Operating System Detection |
System Information Discovery
|
Reads software policies |
System Summary |
System Information Discovery
|
Sample reads its own file content |
System Summary |
|
Spawns processes |
System Summary |
|
Tries to load missing DLLs |
System Summary |
|
Uses an in-process (OLE) Automation server |
System Summary |
|
PE file contains a valid data directory to section mapping |
System Summary |
|
PE file contains a debug data directory |
System Summary |
|
Contains modern PE file flags such as dynamic base (ASLR) or NX |
Compliance, System Summary |
|
PE file contains a mix of data directories often seen in goodware |
System Summary |
|
PE file has a big raw section |
System Summary |
|
PE / OLE file has a valid certificate |
Compliance, System Summary |
|
PE file has a big code size |
System Summary |
|
Submission file is bigger than most known malware samples |
System Summary |
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\customSettings_F95BA787499AB4FA9EFFF472CE383A14
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\customSettings_F95BA787499AB4FA9EFFF472CE383A14
|
Category: |
dropped
|
Dump: |
customSettings_F95BA787499AB4FA9EFFF472CE383A14.10.dr
|
ID: |
dr_45
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
4.014438730983427
|
Encrypted: |
false
|
Size: |
35
|
Whitelisted: |
false
|
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\customSynchronousLookupUris
|
ASCII text, with no line terminators
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\customSynchronousLookupUris
|
Category: |
dropped
|
Dump: |
customSynchronousLookupUris.10.dr
|
ID: |
dr_41
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
ASCII text, with no line terminators
|
Entropy: |
3.922828737239167
|
Encrypted: |
false
|
Size: |
29
|
Whitelisted: |
false
|
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\customSynchronousLookupUris_0
|
data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\customSynchronousLookupUris_0
|
Category: |
dropped
|
Dump: |
customSynchronousLookupUris_0.10.dr
|
ID: |
dr_42
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
data
|
Entropy: |
7.99333285466604
|
Encrypted: |
true
|
Size: |
35302
|
Whitelisted: |
false
|
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\edgeSettings
|
ASCII text, with no line terminators
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\edgeSettings
|
Category: |
dropped
|
Dump: |
edgeSettings.10.dr
|
ID: |
dr_15
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
ASCII text, with no line terminators
|
Entropy: |
3.5724312513221195
|
Encrypted: |
false
|
Size: |
18
|
Whitelisted: |
false
|
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\edgeSettings_2.0-0
|
JSON data
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\edgeSettings_2.0-0
|
Category: |
dropped
|
Dump: |
edgeSettings_2.0-0.10.dr
|
ID: |
dr_16
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
JSON data
|
Entropy: |
4.459693941095613
|
Encrypted: |
false
|
Size: |
3581
|
Whitelisted: |
false
|
|
|
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\synchronousLookupUris
|
ASCII text, with no line terminators
|
dropped
|
|
|
|
File: |
C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\synchronousLookupUris
|
Category: |
dropped
|
Dump: |
synchronousLookupUris.10.dr
|
ID: |
dr_40
|
Target ID: |
10
|
Process: |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
|
Type: |
ASCII text, with no line terminators
|
Entropy: |
4.493433469104717
|
Encrypted: |
false
|
Size: |
47
|
Whitelisted: |
false
|
|
|
File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\topTraffic
Category: dropped
Dump: topTraffic.10.dr
ID: dr_46
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: ASCII text, with no line terminators
Entropy: 3.9904355005135823
Encrypted: false
Size: 50
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Queries memory information (via WMI, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Adds / modifies Windows certificates | Lowering of HIPS / PFW / Operating System Security Settings | -
Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Drops PE files | Persistence and Installation Behavior | -
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior | -
Enables debug privileges | Anti Debugging | -
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion | -
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion | -
Monitors certain registry keys / values for changes (often done to protect autostart functionality) | Hooking and other Techniques for Hiding and Protection | -
PE file contains executable resources (Code or Archives) | System Summary | -
PE file contains sections with non-standard names | Data Obfuscation | -
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines) | Malware Analysis System Evasion | System Information Discovery, Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc.) of a device | Language, Device and Operating System Detection | System Information Discovery
Stores large binary data to the registry | Hooking and other Techniques for Hiding and Protection | -
Uses 32bit PE files | Compliance, System Summary | -
Very long cmdline option found, this is very uncommon (may be encrypted or packed) | HIPS / PFW / Operating System Protection Evasion | Command and Scripting Interpreter
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates files inside the user directory | System Summary | -
Creates guard pages, often used to prevent reverse engineering and debugging | Anti Debugging | -
Creates mutexes | System Summary | -
Creates temporary files | System Summary | -
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection | -
Queries process information (via WMI, Win32_Process) | System Summary | System Information Discovery, Windows Management Instrumentation
Queries the cryptographic machine GUID | Language, Device and Operating System Detection | System Information Discovery
Reads software policies | System Summary | System Information Discovery
Sample reads its own file content | System Summary | -
Spawns processes | System Summary | -
Tries to load missing DLLs | System Summary | -
Uses an in-process (OLE) Automation server | System Summary | -
PE file contains a valid data directory to section mapping | System Summary | -
PE file contains a debug data directory | System Summary | -
Contains modern PE file flags such as dynamic base (ASLR) or NX | Compliance, System Summary | -
PE file contains a mix of data directories often seen in goodware | System Summary | -
PE file has a big raw section | System Summary | -
PE / OLE file has a valid certificate | Compliance, System Summary | -
PE file has a big code size | System Summary | -
Submission file is bigger than most known malware samples | System Summary | -
|
File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\SmartScreen\RemoteData\topTraffic_170540185939602997400506234197983529371
Category: dropped
Dump: topTraffic_170540185939602997400506234197983529371.10.dr
ID: dr_47
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: data
Entropy: 7.999649474060713
Encrypted: true
Size: 575056
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack: identical to the table listed for the topTraffic entry above (same dropping process, target 10).
|
File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\Variations
Category: dropped
Dump: Variations.10.dr
ID: dr_25
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: JSON data
Entropy: 4.3751917412896075
Encrypted: false
Size: 86
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack: identical to the table listed for the topTraffic entry above (same dropping process, target 10).
|
File: C:\Users\user\Desktop\USBRecoveryCreator.exe.WebView2\EBWebView\d0eb52f5-0d88-4b3a-8151-07a3b526ecd4.tmp
Category: dropped
Dump: d0eb52f5-0d88-4b3a-8151-07a3b526ecd4.tmp.10.dr
ID: dr_19
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: JSON data
Entropy: 5.274396304706787
Encrypted: false
Size: 3425
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack: identical to the table listed for the topTraffic entry above (same dropping process, target 10).
|
File: C:\ProgramData\Lenovo\USBRecoveryCreator\Patch.zip
Category: modified
Dump: Patch.zip.0.dr
ID: dr_4
Target ID: 0
Process: C:\Users\user\Desktop\USBRecoveryCreator.exe
Type: Zip archive data, at least v2.0 to extract, compression method=store
Entropy: 7.998646744279036
Encrypted: true
Size: 5048993
Whitelisted: false
|
File: C:\ProgramData\Lenovo\USBRecoveryCreator\SanitizerOptions.json
Category: dropped
Dump: SanitizerOptions.json.0.dr
ID: dr_14
Target ID: 0
Process: C:\Users\user\Desktop\USBRecoveryCreator.exe
Type: Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Entropy: 3.544734095128017
Encrypted: false
Size: 911
Whitelisted: false
|
File: C:\ProgramData\Lenovo\USBRecoveryCreator\ThirdPartyNotices.txt
Category: dropped
Dump: ThirdPartyNotices.txt.0.dr
ID: dr_0
Target ID: 0
Process: C:\Users\user\Desktop\USBRecoveryCreator.exe
Type: Unicode text, UTF-8 text, with very long lines (755), with CRLF line terminators
Entropy: 5.188380685218441
Encrypted: false
Size: 94420
Whitelisted: false
|
File: C:\ProgramData\Lenovo\USBRecoveryCreator\USBComponent.dll
Category: dropped
Dump: USBComponent.dll.0.dr
ID: dr_3
Target ID: 0
Process: C:\Users\user\Desktop\USBRecoveryCreator.exe
Type: PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.415661387821956
Encrypted: false
Size: 179472
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior | -
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior | -
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion | -
|
File: C:\ProgramData\Lenovo\USBRecoveryCreator\msvcp140.dll
Category: dropped
Dump: msvcp140.dll.0.dr
ID: dr_2
Target ID: 0
Process: C:\Users\user\Desktop\USBRecoveryCreator.exe
Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy: 6.693790505404224
Encrypted: false
Size: 448408
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior | -
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior | -
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion | -
|
File: C:\ProgramData\Lenovo\USBRecoveryCreator\vcruntime140.dll
Category: dropped
Dump: vcruntime140.dll.0.dr
ID: dr_1
Target ID: 0
Process: C:\Users\user\Desktop\USBRecoveryCreator.exe
Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy: 6.936349345750277
Encrypted: false
Size: 90520
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior | -
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior | -
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion | -
|
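The two things a reviewer acts on first in the records above are the Entropy / Encrypted fields (Patch.zip and the SmartScreen topTraffic blob both sit at roughly 8 bits per byte) and the PE files dropped under C:\ProgramData. The following is an added example, not code from the report or from Lenovo's tool: it parses the flattened "Key: |" / value record layout used on this page into dicts, recomputes Shannon entropy in bits per byte (the scale the report's Entropy field uses), and applies two triage rules. The cutoff ENCRYPTED_THRESHOLD, the function names and the two-record sample report are assumptions constructed for the example; the field values in the sample are copied from the Patch.zip and USBComponent.dll entries above.

```python
"""Triage helpers for sandbox dropped-file records (added example, not part of
the report or of the Lenovo tool).  Parses the flattened "Key: |" / "value"
record layout used above, recomputes Shannon entropy in bits per byte (0..8),
and applies two triage rules.  Sample records and byte strings are constructed."""
import math
import re
from collections import Counter

# Assumption: the report's own "Encrypted" cutoff is not published; 7.9 bits per
# byte is a common heuristic for data that is compressed or encrypted end to end.
ENCRYPTED_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_records(text: str) -> list[dict]:
    """Turn 'Key: |' lines, each followed by its value line, into one dict per 'File:' block."""
    records, current = [], None
    lines = text.splitlines()
    i = 0
    while i + 1 < len(lines):
        m = re.fullmatch(r"([A-Za-z ]+): \|", lines[i].strip())
        if m:
            key, value = m.group(1), lines[i + 1].strip()
            if key == "File":                  # every File: key opens a new record
                current = {}
                records.append(current)
            if current is not None:
                current[key] = value
            i += 2                             # skip the value line we just consumed
        else:
            i += 1                             # separator "|" lines and blanks
    return records


def triage(record: dict) -> list[str]:
    """Flag what a reviewer would want to look at first in one dropped-file record."""
    findings = []
    entropy = float(record.get("Entropy", "0"))
    ftype = record.get("Type", "")
    path = record.get("File", "")
    if entropy >= ENCRYPTED_THRESHOLD:
        findings.append("high entropy: content is compressed or encrypted end to end")
        if "compression method=store" in ftype:
            # Stored (uncompressed) zip entries at ~8 bits/byte mean the entries
            # themselves are already compressed or encrypted; unzip and re-check each one.
            findings.append("store-method zip at ~8 bits/byte: inspect the entries, not the container")
    if ftype.startswith("PE32") and path.lower().startswith("c:\\programdata\\"):
        # Standard users can create files under C:\ProgramData by default, so a DLL
        # loaded from there is only as trustworthy as its directory ACL and signature.
        findings.append("PE dropped under C:\\ProgramData: verify directory ACL and Authenticode signature")
    return findings


def _flat(pairs) -> str:
    """Render key/value pairs in the report's flattened layout (builds the constructed sample)."""
    return "".join(f"{k}: |\n{v}\n|\n" for k, v in pairs)


# Constructed sample: two records in the layout used by the report above.
SAMPLE_REPORT = _flat([
    ("File", r"C:\ProgramData\Lenovo\USBRecoveryCreator\Patch.zip"),
    ("Category", "modified"),
    ("Type", "Zip archive data, at least v2.0 to extract, compression method=store"),
    ("Entropy", "7.998646744279036"),
    ("Encrypted", "true"),
    ("Size", "5048993"),
]) + "\n" + _flat([
    ("File", r"C:\ProgramData\Lenovo\USBRecoveryCreator\USBComponent.dll"),
    ("Category", "dropped"),
    ("Type", "PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"),
    ("Entropy", "6.415661387821956"),
    ("Encrypted", "false"),
    ("Size", "179472"),
])


def triage_report(text: str) -> dict[str, list[str]]:
    """Map each File path in a flattened report to its triage findings."""
    return {r["File"]: triage(r) for r in parse_records(text)}


if __name__ == "__main__":
    # Entropy sanity check on constructed bytes: short JSON text is far below the
    # cutoff, a uniform byte distribution sits exactly at the 8.0 ceiling.
    print(round(shannon_entropy(b'{"seed": 1234}'), 3),
          round(shannon_entropy(bytes(range(256)) * 4), 3))
    for path, findings in triage_report(SAMPLE_REPORT).items():
        print(path, findings or ["nothing flagged"])
```

Two readings follow from this. Patch.zip is a store-method archive, so zip compression contributes nothing to its 7.9986 bits per byte; the entries inside are what is compressed or encrypted, and the report's Encrypted: true is a statistical flag rather than proof of a cipher. The same applies to the 575056-byte SmartScreen topTraffic blob written by msedgewebview2.exe. For the DLLs under C:\ProgramData\Lenovo\USBRecoveryCreator, the report also notes they were dropped but never loaded during the run, so their signature status and the ACL on that directory are what decide whether the drop is benign.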
File: C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Category: dropped
Dump: 5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres.10.dr
ID: dr_77
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: data
Entropy: 3.850625322628129
Encrypted: false
Size: 2278
Whitelisted: false
|
File: C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\e8ddd4cbd9c0504aace6ef7a13fa20d04fd52408.tbres
Category: dropped
Dump: e8ddd4cbd9c0504aace6ef7a13fa20d04fd52408.tbres.10.dr
ID: dr_76
Target ID: 10
Process: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
Type: data
Entropy: 3.912879467044931
Encrypted: false
Size: 2684
Whitelisted: false
|
File: C:\Users\user\AppData\Local\Temp\.net\USBRecoveryCreator\1bdc\D3DCompiler_47_cor3.dll
Category: dropped
Dump: D3DCompiler_47_cor3.dll.0.dr
ID: dr_7
Target ID: 0
Process: C:\Users\user\Desktop\USBRecoveryCreator.exe
Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy: 6.577665867424953
Encrypted: false
Size: 4127200
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior | -
|
File: C:\Users\user\AppData\Local\Temp\.net\USBRecoveryCreator\1bdc\Lenovo.CertificateValidation.Native.dll
Category: dropped
Dump: Lenovo.CertificateValidation.Native.dll.0.dr
ID: dr_12
Target ID: 0
Process: C:\Users\user\Desktop\USBRecoveryCreator.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.5270976270211145
Encrypted: false
Size: 308120
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior | -
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion | -
|
File: C:\Users\user\AppData\Local\Temp\.net\USBRecoveryCreator\1bdc\PenImc_cor3.dll
Category: dropped
Dump: PenImc_cor3.dll.0.dr
ID: dr_8
Target ID: 0
Process: C:\Users\user\Desktop\USBRecoveryCreator.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.44368804805963
Encrypted: false
Size: 145584
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior | -
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion | -
|
File: C:\Users\user\AppData\Local\Temp\.net\USBRecoveryCreator\1bdc\PresentationNative_cor3.dll
Category: dropped
Dump: PresentationNative_cor3.dll.0.dr
ID: dr_9
Target ID: 0
Process: C:\Users\user\Desktop\USBRecoveryCreator.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.31976158432139
Encrypted: false
Size: 945840
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior | -
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion | -
|
File: C:\Users\user\AppData\Local\Temp\.net\USBRecoveryCreator\1bdc\WebView2Loader.dll
Category: dropped
Dump: WebView2Loader.dll1.0.dr
ID: dr_13
Target ID: 0
Process: C:\Users\user\Desktop\USBRecoveryCreator.exe
Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy: 6.470572997559548
Encrypted: false
Size: 115624
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior | -
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion | -
|
File: C:\Users\user\AppData\Local\Temp\.net\USBRecoveryCreator\1bdc\runtimes\win-arm64\native\WebView2Loader.dll
Category: dropped
Dump: WebView2Loader.dll0.0.dr
ID: dr_6
Target ID: 0
Process: C:\Users\user\Desktop\USBRecoveryCreator.exe
Type: PE32+ executable (DLL) (console) Aarch64, for MS Windows
Entropy: 6.08860710021013
Encrypted: false
Size: 135656
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior | -
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion | -
|
File: C:\Users\user\AppData\Local\Temp\.net\USBRecoveryCreator\1bdc\runtimes\win-x64\native\WebView2Loader.dll
Category: dropped
Dump: WebView2Loader.dll.0.dr
ID: dr_5
Target ID: 0
Process: C:\Users\user\Desktop\USBRecoveryCreator.exe
Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy: 6.183536777437394
Encrypted: false
Size: 160184
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior | -
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion | -
|
File: C:\Users\user\AppData\Local\Temp\.net\USBRecoveryCreator\1bdc\vcruntime140_cor3.dll
Category: dropped
Dump: vcruntime140_cor3.dll.0.dr
ID: dr_10
Target ID: 0
Process: C:\Users\user\Desktop\USBRecoveryCreator.exe
Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy: 6.94127019484021
Encrypted: false
Size: 90520
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior | -
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion | -
|
File: C:\Users\user\AppData\Local\Temp\.net\USBRecoveryCreator\1bdc\wpfgfx_cor3.dll
Category: dropped
Dump: wpfgfx_cor3.dll.0.dr
ID: dr_11
Target ID: 0
Process: C:\Users\user\Desktop\USBRecoveryCreator.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.558105251240892
Encrypted: false
Size: 1804976
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior | -
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion | -
|