Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32+ executable (GUI) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	7.919455819398224
Filename:	file.exe
Filesize:	8530840
MD5:	cc966bdad155dceb3dca2a8f30735c77
SHA1:	f68759ee0fe3b9b20be0112139058418919d7373
SHA256:	18c96bd577f15c92a89a17ee3a768a581b050ec34fcfa72823e624336291170b
SHA512:	c81a289a58799330c53373c03f386005de16f41488fa39ad813be9b708aa3eb0d8abdadf1bfc443ce3a0d8c7eadacbe953e8b8f8647df693721e94375315b467
SSDEEP:	196608:hRoogBLbAVkOn6naqZnpxu1dudreT1e10IJlZr:0ogBLbIkg6naqZnnuPudST4OIJ
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....<.g.........."...........l.....8..........@..........................................`........................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Found direct / indirect Syscall (likely to bypass EDR)	HIPS / PFW / Operating System Protection Evasion	Abuse Elevation Control Mechanism
Hides threads from debuggers	Anti Debugging	Security Software Discovery
Modifies power options to not sleep / hibernate	Lowering of HIPS / PFW / Operating System Security Settings
Modifies the hosts file	Spam, unwanted Advertisements and Ransom Demands, HIPS / PFW / Operating System Protection Evasion, Lowering of HIPS / PFW / Operating System Security Settings	File and Directory Permissions Modification
PE file contains section with special chars	System Summary
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion
Uses powercfg.exe to modify the power settings	System Summary
Checks if the current process is being debugged	Anti Debugging
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
PE file contains sections with non-standard names	Data Obfuscation
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Queries a list of all running drivers	Malware Analysis System Evasion	System Information Discovery
Reads software policies	System Summary
Reads the hosts file	System Summary	Remote System Discovery
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses sc.exe to modify the status of services	Boot Survival	Service Execution Windows Service
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Google\Chrome\updater.exe

PE32+ executable (GUI) x86-64, for MS Windows

dropped

Details

File:	C:\ProgramData\Google\Chrome\updater.exe
Category:	dropped
Dump:	updater.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	7.919455819398224
Encrypted:	false
Ssdeep:	196608:hRoogBLbAVkOn6naqZnpxu1dudreT1e10IJlZr:0ogBLbIkg6naqZnnuPudST4OIJ
Size:	8530840
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Found direct / indirect Syscall (likely to bypass EDR)	HIPS / PFW / Operating System Protection Evasion	Abuse Elevation Control Mechanism
Hides threads from debuggers	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival	Security Software Discovery
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Tries to detect sandboxes and other dynamic analysis tools (window names)	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Sigma detected: New Service Creation Using Sc.EXE	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Windows\System32\drivers\etc\hosts

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Windows\System32\drivers\etc\hosts
Category:	dropped
Dump:	hosts.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.269302338623222
Encrypted:	false
Ssdeep:	48:vDZhyoZWM9rU5fFcDL6iCW1RiJ9rn5w0K:vDZEurK9XiCW1RiXn54
Size:	2748
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Modifies the hosts file	Spam, unwanted Advertisements and Ransom Demands, HIPS / PFW / Operating System Protection Evasion, Lowering of HIPS / PFW / Operating System Security Settings	File and Directory Permissions Modification
Reads the hosts file	System Summary	Remote System Discovery

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.2.dr
ID:	dr_6
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	1.1940658735648508
Encrypted:	false
Ssdeep:	3:Nlllulbnolz:NllUc
Size:	64
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1d245st2.f03.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1d245st2.f03.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_1d245st2.f03.ps1.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oq1ndhks.u4t.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oq1ndhks.u4t.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_oq1ndhks.u4t.ps1.2.dr
ID:	dr_4
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u4i3bxw0.wii.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u4i3bxw0.wii.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_u4i3bxw0.wii.psm1.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zjpnm1vs.e5r.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zjpnm1vs.e5r.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_zjpnm1vs.e5r.psm1.2.dr
ID:	dr_5
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\System32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"

C:\ProgramData\Google\Chrome\updater.exe

C:\Windows\System32\conhost.exe