699b599c78d27f4fa580094899974641229f41433514733b1f084e894f28f537 (SHA-256)

Malicious with 100% Confidence

SecondWrite’s DeepView Sandbox analyzed this file last week and declared it to be malicious.

DeepView's unique and patented methods – specifically, in this case, forced code execution and program level indication – identified 1 indicator each. At the time of its discovery, none of the major malware detection vendors had identified this file as malicious. A link to the full report with descriptions and details is below.

Some key highlights and indicators follow. Those discovered by DeepView's proprietary methods are flagged with [FCE] for forced code execution and [PLI] for program level indication.

Type of Malware: Virus

  • [FCE] Expresses interest in specific running processes
  • Creates a service
  • Disables Windows Security features

Evasiveness Indicators:

  • A process attempted to delay the analysis task
  • [PLI] Contains obfuscated control-flow to defeat static analysis
  • Attempts to repeatedly call a single API many times in order to delay analysis time

MITRE ATT&CK Indicators:

MITRE Tactic          MITRE Technique(s)
Command and Control   Commonly Used Port; Custom Command and Control Protocol
Credential Access     Credential Dumping
Defense Evasion       Bypass User Account Control; Disabling Security Tools; Hidden Files and Directories; Hidden Window; Software Packing
Discovery             Process Discovery; Virtualization / Sandbox Evasion
Persistence           Hidden Files and Directories; Registry Run Keys / Start Up Folder

Selection from The Report:

See Full Detailed Report:

Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution, Program Level Indicators, and Automatic Sequence Detection.