Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32+ executable (GUI) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	7.929778234534272
Filename:	file.exe
Filesize:	8707480
MD5:	d9a5e741b1f67593422bfb1a165288bb
SHA1:	0bc42e46e97fbf3b0754d26d88e43945edc31a0b
SHA256:	c81a924446d324b3aeb0772dfd9cbed34fb878aff823ba2888362a22f7328fe8
SHA512:	5a463b581c18e2a2076bbf888ee838745eb8fea6e718b5882951e18a213f530589cb5cf3d61e2cc4014556dc65a327b56b42b915bd9cea488adb4782af151ea4
SSDEEP:	196608:50ipMncd0lHU0kioa09gMC1tFKCnuvoMTQybYD+AvBjtO7:5VpBdxRej7nuPTH25tO
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...Cb#g.........."...........l................@.............................`......-.....`........................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Found direct / indirect Syscall (likely to bypass EDR)	HIPS / PFW / Operating System Protection Evasion	Abuse Elevation Control Mechanism
Hides threads from debuggers	Anti Debugging
Modifies power options to not sleep / hibernate	Lowering of HIPS / PFW / Operating System Security Settings
Modifies the hosts file	Spam, unwanted Advertisements and Ransom Demands, HIPS / PFW / Operating System Protection Evasion, Lowering of HIPS / PFW / Operating System Security Settings	File and Directory Permissions Modification
PE file contains section with special chars	System Summary
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion
Uses powercfg.exe to modify the power settings	System Summary
Checks if the current process is being debugged	Anti Debugging
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
PE file contains sections with non-standard names	Data Obfuscation
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Queries a list of all running drivers	Malware Analysis System Evasion
Reads software policies	System Summary	System Information Discovery
Reads the hosts file	System Summary	Remote System Discovery
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses sc.exe to modify the status of services	Boot Survival	Service Execution Windows Service
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Google\Chrome\updater.exe

PE32+ executable (GUI) x86-64, for MS Windows

dropped

Details

File:	C:\ProgramData\Google\Chrome\updater.exe
Category:	dropped
Dump:	updater.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	7.929778234534272
Encrypted:	false
Ssdeep:	196608:50ipMncd0lHU0kioa09gMC1tFKCnuvoMTQybYD+AvBjtO7:5VpBdxRej7nuPTH25tO
Size:	8707480
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Found direct / indirect Syscall (likely to bypass EDR)	HIPS / PFW / Operating System Protection Evasion	Abuse Elevation Control Mechanism
Hides threads from debuggers	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival	Security Software Discovery
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Tries to detect sandboxes and other dynamic analysis tools (window names)	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Sigma detected: New Service Creation Using Sc.EXE	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Windows\System32\drivers\etc\hosts

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Windows\System32\drivers\etc\hosts
Category:	dropped
Dump:	hosts.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.269302338623222
Encrypted:	false
Ssdeep:	48:vDZhyoZWM9rU5fFcDL6iCW1RiJ9rn5w0K:vDZEurK9XiCW1RiXn54
Size:	2748
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Modifies the hosts file	Spam, unwanted Advertisements and Ransom Demands, HIPS / PFW / Operating System Protection Evasion, Lowering of HIPS / PFW / Operating System Security Settings	File and Directory Permissions Modification
Reads the hosts file	System Summary	Remote System Discovery

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.2.dr
ID:	dr_6
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	1.1628158735648508
Encrypted:	false
Ssdeep:	3:Nlllul5mxllp:NllU4x/
Size:	64
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2onzafnc.qa5.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2onzafnc.qa5.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_2onzafnc.qa5.psm1.2.dr
ID:	dr_5
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ppgzy3k.pvg.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ppgzy3k.pvg.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_4ppgzy3k.pvg.ps1.2.dr
ID:	dr_4
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dhg4u2sd.edt.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dhg4u2sd.edt.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_dhg4u2sd.edt.ps1.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mohdy1o3.mhh.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mohdy1o3.mhh.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_mohdy1o3.mhh.psm1.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\System32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\System32\sc.exe

C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"

C:\ProgramData\Google\Chrome\updater.exe

C:\Windows\System32\conhost.exe