Malware of the Week – Virus

fc53a277a1d7a514c7a6e5e7c75db076299ebec1dfe4a3db3c4509511a899afa (SHA-256)

Malicious with 100% Confidence 

SecondWrite’s DeepView Sandbox analyzed this file last week and declared it to be malicious using our proprietary techniques.  A link to the full report with descriptions and details is below.  Some key highlights and indicators follow: 

Type of Malware:  Virus

–  Disables Windows Security features

–  One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

–  Creates executable files on the filesystem

–  Installs itself for autorun at Windows startup

–  A process created a hidden window

Evasiveness Indicators:

–  Attempts to repeatedly call a single API many times in order to delay analysis time

–  Checks whether any human activity is being performed by constantly checking whether the foreground window changed

–  A process attempted to delay the analysis task

Other Compelling Indicators:

–  Attempts to disable UAC

–  Contains obfuscated control-flow to defeat static analysis

–  Performs some DNS requests

–  Performs some HTTP requests

–  HTTP traffic contains suspicious features which may be indicative of malware related traffic

MITRE ATT&CK Indicators:

MITRE TacticMITRE Technique
DiscoveryProcess Discovery Virtualization / Sandbox Evasion
Defense EvasionSoftware Packing Hidden Window Hidden Files and Directories Disabling Security Tools Bypass User Account Control
PersistenceRegistry Run Keys / Start Up Folder Hidden Files and Directories
Command and ControlCommonly Used Port Custom Command and Control Protocol

Selection from The Report:

See Full Detailed Report:

Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution, Program Level Indicators, and Automatic Sequence Detection.