Malware of the Week – Worm

f764301be383fe67e8d31a9e0f744909f6c99b9514af0019a763472e1ff053dd (SHA-256)

Malicious with 100% Confidence 

SecondWrite’s DeepView Sandbox analyzed this file this week and declared it to be malicious. 

DeepView unique and patented methods – specifically in this case, force code execution (FCE), program level indication (PLI), and automatic sequence detection (ASD) – identified 9 indicators.  A link to the full report with descriptions and details is below.  

Some key highlights and indicators follow.  Those discovered by DeepView proprietary method are flagged with [FCE] for forced code execution, [PLI] for program level indication, and [ASD] automatic sequence detection.

Type of Malware:  Worm

  • [ASD] Automatic Sequence Detection maliciousness score: 86%
  • [PLI] Contains obfuscated control-flow to defeat static analysis
  • [PLI] More than %50 of the external calls do not go through the import address table
  • [FCE] Expresses interest in specific running processes
  • [FCE] Deletes its original binary from disk

Evasiveness Indicators:

  • [FCE] Attempts to repeatedly call a single API many times in order to delay analysis time
  • [FCE] A process attempted to delay the analysis task
  • [FCE] Checks whether any human activity is being performed by constantly checking whether the foreground window changed
  • Detects VMWare through the in instruction feature
  • Checks adapter addresses which can be used to detect virtual network interfaces

Other Compelling Indicators:

  • [FCE] Attempts to modify Explorer settings to prevent hidden files from being displayed
  • Allocates read-write-execute memory (usually to unpack itself)
  • Creates an Alternate Data Stream (ADS)
  • Performs some HTTP requests
  • Performs some DNS requests

MITRE ATT&CK Indicators:

MITRE TacticMITRE Technique
Command and ControlCommonly Used PortCustom Command and Control Protocol
Defense EvasionFile DeletionHidden Files and DirectoriesNTFS File Attributes
DiscoveryProcess DiscoveryVirtualization / Sandbox Evasion
PersistenceHidden Files and Directories

Selection from The Report:

See Full Detailed Report:

Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution, Program Level Indicators, and Automatic Sequence Detection.