9c544a7c52553e62951b2aa2b33402c93be09f2f0fdb442f5790bb4d983f0b21 (SHA-256)

Malicious with 82% Confidence 

SecondWrite’s DeepView Sandbox analyzed this file last week and declared it to be malicious.

DeepView unique and patented methods – specifically in this case, force code execution identified 4  indicators.  A link to the full report with descriptions and details is below.  

Some key highlights and indicators follow.  Those discovered by DeepView proprietary methods are flagged with [FCE] for forced code execution.

Type of Malware:  Adware

  • [FCE] Installs a browser add-on or extention
  • Sniffs keystrokes
  • Installs an hook procedure to monitor for mouse events
  • This sample modifies many files through suspicious ways, likely a polymorphic virus or a ransomware

Evasiveness Indicators:

  • A process created a hidden window
  • Attempts to repeatedly call a single API many times in order to delay analysis time
  • [FCE] Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available
  • Deletes its original binary from disk

Other Compelling Indicators:

  • [FCE]  Attempts to stop active services
  • [FCE] Sample writes a large amount of files (Over 100)
  • Creates known Dexter registry keys and/or mutexes
  • Network activity contains more than one unique useragent.
  • Resolves .RU Russia TLD, Possibly Malicious

MITRE ATT&CK Indicators:

MITRE TacticMITRE Technique
PersistenceBrowser Extensions
Defense EvasionSoftware PackingVirtualization / Sandbox EvasionHidden WindowNTFS File AttributesFile DeletionConnection Proxy
Credential AccessCredential Dumping
DiscoveryVirtualization / Sandbox Evasion
Lateral MovementRemote FIle Copy
Command and ControlRemote File CopyConnection Proxy

Selection from The Report:

See Full Detailed Report:

Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution, Program Level Indicators, and Automatic Sequence Detection.