Malicious with 98% Confidence
SecondWrite’s DeepView Sandbox analyzed this file this week and declared it to be malicious.
DeepView unique and patented methods – specifically in this case, force code execution (FCE) – identified 6 indicators. At the time of its discovery, several market leading malware detection vendors had not identified this file as malicious. A link to the full report with descriptions and details is below.
Some key highlights and indicators follow. Those discovered by DeepView proprietary method are flagged with [FCE] for forced code execution.
Type of Malware: RAT
- [FCE] Creates known SpyNet files, registry changes and/or mutexes
- Installs itself for autorun at Windows startup
- [FCE] Executes one or more WMI queries
- Strings possibly contain hardcoded URLs
- A process created a hidden window
- [FCE] Attempts to identify installed AV products by registry key
- Attempts to repeatedly call a single API many times in order to delay analysis time
- Queries for the computer name
- Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available
- Detects VMWare through the in instruction feature
Other Compelling Indicators:
- Executed a process and injected code into it, probably while unpacking
- Reads data out of its own binary image
MITRE ATT&CK Indicators:
|MITRE Tactic||MITRE Technique|
|Defense Evasion||Hidden Window Process Injection Software Packing|
|Discovery||Security Software Discovery|
|Persistence||Registry Run Keys / Startup Folder|
|Privilege Escalation||Process Injection|
Selection from The Report:
See Full Detailed Report:
Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution, Program Level Indicators, and Automatic Sequence Detection.