Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

prog.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.70466082348244
Filename:	prog.exe
Filesize:	3030176
MD5:	5f10f34b3ef012f1db5f21755cad4ab1
SHA1:	439ab3bd92cd515b092607291ac054f3fad1359f
SHA256:	f161b56490087b75b15207598c6e0526afd184e3f8e76ab6eff8eaa6f573b660
SHA512:	7f6473adb10d878b8c9cb9360c04ed843401d6eb69ca1df546e956e18032598cbdd1fffbdc45c0fe7d3927a6fa54ef77b9d2e10175e3ca15c6421cfa678d59ce
SSDEEP:	49152:ZtH86NYYGclfMk3iDPS6wcXLuankPBUJCBuB+zVma85E4xTz:ZtH8SHGc5MWiDdj7uakPBUJ1oV0EkTz
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Q......................,.............. ....@...........................-............................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection	Security Software Discovery
Multi AV Scanner detection for submitted file	AV Detection
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)	Malware Analysis System Evasion	Native API
Machine Learning detection for sample	AV Detection
Modifies power options to not sleep / hibernate	Lowering of HIPS / PFW / Operating System Security Settings
Uses powercfg.exe to modify the power settings	System Summary
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging	Security Software Discovery
Contains functionality to call native functions	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior	Security Software Discovery
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging	Security Software Discovery
Found large amount of non-executed APIs	Malware Analysis System Evasion
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Drops files with a known system name (to hide its detection)
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary	System Information Discovery
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Uses sc.exe to modify the status of services	Boot Survival	Service Execution Windows Service
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\win32\svhost.exe

PE32+ executable (GUI) x86-64, for MS Windows

dropped

Details

File:	C:\ProgramData\win32\svhost.exe
Category:	dropped
Dump:	svhost.exe.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\prog.exe
Type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	6.53722623620131
Encrypted:	false
Ssdeep:	49152:BMnw0O8lulPUtBbXmsGHePO2/cqKQBxLEHq86RM+uFVwYm6fYfOuFa1Y+PJq++W5:CnfxYW/b8em2/ctQBxGql2+Szm6fYfOo
Size:	2663424
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Found large amount of non-executed APIs	Malware Analysis System Evasion
Drops files with a known system name (to hide its detection)
Sigma detected: New Service Creation Using Sc.EXE	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\prog.exe

PE32+ executable (GUI) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\prog.exe
Category:	dropped
Dump:	prog.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\prog.exe
Type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	6.53722623620131
Encrypted:	false
Ssdeep:	49152:BMnw0O8lulPUtBbXmsGHePO2/cqKQBxLEHq86RM+uFVwYm6fYfOuFa1Y+PJq++W5:CnfxYW/b8em2/ctQBxGql2+Szm6fYfOo
Size:	2663424
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Disable power options	Change of critical system settings
Sigma detected: Stop EventLog	HIPS / PFW / Operating System Protection Evasion
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Machine Learning detection for sample	AV Detection
Modifies power options to not sleep / hibernate	Lowering of HIPS / PFW / Operating System Security Settings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Uses powercfg.exe to modify the power settings	System Summary
Contains functionality to call native functions	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Sigma detected: Powershell Defender Exclusion	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Drops files with a known system name (to hide its detection)
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Sigma detected: New Service Creation Using Sc.EXE	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses sc.exe to modify the status of services	Boot Survival	Service Execution Windows Service
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.3.dr
ID:	dr_6
Target ID:	3
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	1.1940658735648508
Encrypted:	false
Ssdeep:	3:Nlllul3nqth:NllUa
Size:	64
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c14qiz0m.w44.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c14qiz0m.w44.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_c14qiz0m.w44.ps1.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l2k44ady.woi.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l2k44ady.woi.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_l2k44ady.woi.psm1.3.dr
ID:	dr_5
Target ID:	3
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pya4eufh.ber.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pya4eufh.ber.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_pya4eufh.ber.ps1.3.dr
ID:	dr_4
Target ID:	3
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xqt1u0o5.fl2.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xqt1u0o5.fl2.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_xqt1u0o5.fl2.psm1.3.dr
ID:	dr_3
Target ID:	3
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\prog.exe

"C:\Users\user\Desktop\prog.exe"

C:\Users\user\AppData\Local\Temp\prog.exe

"C:\Users\user\AppData\Local\Temp\prog.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\System32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe delete "appdata"

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe create "appdata" binpath= "C:\ProgramData\win32\svhost.exe" start= "auto"

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe start "appdata"

C:\ProgramData\win32\svhost.exe

C:\Windows\System32\conhost.exe