Malicious with 100% Confidence
SecondWrite’s DeepView Sandbox analyzed this file this week and declared it to be malicious.
DeepView unique and patented methods – specifically in this case, force code execution (FCE) and program level indication (PLI) – identified 14 indicators. A link to the full report with descriptions and details is below.
Some key highlights and indicators follow. Those discovered by DeepView proprietary method are flagged with [FCE] for forced code execution.
Type of Malware: BOT
- [FCE] Installs itself for autorun at Windows startup
- [PLI] More than %50 of the external calls do not go through the import address table
- [FCE] Expresses interest in specific running processes
- [FCE] Attempts to modify proxy settings
- [FCE] Installs a hook procedure to monitor for mouse events
- [FCE] Checks whether any human activity is being performed by constantly checking whether the foreground window changed
- [FCE] A process attempted to delay the analysis task
- [FCE] Attempts to repeatedly call a single API many times in order to delay analysis time
- Checks adapter addresses which can be used to detect virtual network interfaces
- Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available
Other Compelling Indicators:
- [FCE] Internet Explorer creates one or more martian processes
- [FCE] Sniffs keystrokes
- [FCE] Connects to IP address(es) that are no longer responding to requests (legitimate services will remain up-and-running usually)
- [FCE] Network activity contains more than one unique useragent
- [FCE] Creates an Alternate Data Stream (ADS)
MITRE ATT&CK Indicators:
|MITRE Tactic||MITRE Technique|
|Command and Control||Commonly Used PortConnection ProxyCustom Command and Control Protocol|
|Credential Access||Credential Dumping|
|Defense Evasion||NTFS File Attributes|
|Discovery||Process DiscoverySystem Information DiscoveryVirtualization / Sandbox Evasion|
|Persistence||Registry Run Keys / Startup Folder|
Selection from The Report:
See Full Detailed Report:
Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution, Program Level Indicators, and Automatic Sequence Detection.