Malware of the Week – Ransomware

d79e4c4ceb3abc8a51a01eff14a51694d7c25f9306ee71a922a01fddb48a15fe (SHA-256)

Malicious with 100% Confidence 

SecondWrite’s DeepView Sandbox analyzed this file – a Windows PE32 Executable – this week and declared it to be malicious.  At the time of its discovery, all major malware detection vendors had not identified this file as malicious.  DeepView unique and patented methods identified 2 indicators – specifically in this case, automated sequence detection (ASD) and program level indication (PLI). 

A link to the full report with descriptions and details is below.  Some key highlights and indicators follow. 

Type of Malware:  Ransomware

  • [ASD] Automatic Sequence Detection maliciousness score: 56%
  • Installs itself for autorun at Windows startup
  • Attempts to disable UAC
  • Expresses interest in specific running processes

Evasiveness Indicators:

  • Deletes its original binary from disk
  • Attempts to modify Explorer settings to prevent hidden files from being displayed
  • Attempts to modify Explorer settings to prevent file extensions from being displayed
  • A process created a hidden window
  • Disables Windows Security features

Other Compelling Indicators:

  • [PLI] Contains obfuscated control-flow to defeat static analysis.
  • Expresses interest in specific running processes
  • One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc
  • Creates executable files on the filesystem
  • Sample writes a large amount of files (Over 100)

MITRE ATT&CK Indicators:

MITRE TacticMITRE Technique
Command and ControlUncommonly Used Port Remote File Copy Commonly Used Port Custom Command and Control Protocol
Defense EvasionVirtualization / Sandbox EvasionHidden WindowNTFS File AttributesScriptingFile DeletionHidden Files and DirectoriesProcess Injection
DiscoveryVirtualization / Sandbox EvasionProcess Discovery
Lateral MovementRemote File Copy
PersistenceHidden Files and Directories Registry Run Keys / Startup Folder
Privilege EscalationBypass User Account Control

Selection from The Report:

See Full Detailed Report:

Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution,Program Level Indicators, and Automatic Sequence Detection.