Advanced File Analysis System

Information Discovery

Reads data out of its own binary image Show sources

api_process_name	process: 12af0c0e047b70ff8406407a6c5b49050f413fa7.exe, pid: 2476, offset: 0x007786e3, length: 0x000053a0
api_process_name	process: 12af0c0e047b70ff8406407a6c5b49050f413fa7.exe, pid: 2476, offset: 0x0077dfdd, length: 0x00060e09
api_process_name	process: 12af0c0e047b70ff8406407a6c5b49050f413fa7.tmp, pid: 548, offset: 0x00000000, length: 0x0012b248

Networking

Attempts to connect to a dead IP:Port (3 unique times) Show sources

network_host_ip	66.225.197.197:80 (United States)
network_host_ip	209.48.71.168:80 (United States)
network_host_ip	72.21.91.29:80 (United States)

Performs some HTTP requests Show sources

network_url	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D
network_url	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAydKURKNdF6QYkQe19WQV0%3D
network_url	http://crl3.digicert.com/sha2-assured-cs-g1.crl
network_url	http://crl4.digicert.com/sha2-assured-cs-g1.crl
network_url	http://crl.globalsign.net/primobject.crl

Lowering of HIPS/ PFW/ Operating System Security Settings

Attempts to block SafeBoot use by removing registry keys Show sources

registry_delete

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option

Cryptography

At least one IP Address, Domain, or File Name was found in a crypto call Show sources

ioc	www.digicert.com1
ioc	ntrust.net1
ioc	7www.entrust.net/CPS_2048
ioc	ntrust.net
ioc	nc.1907
ioc	0www.entrust.net/rpa
ioc	http://ocsp.entrust.net02
ioc	http://crl.entrust.net/2048ca.crl0
ioc	http://www.entrust.net/rpa0
ioc	http://crl.entrust.net/level1d.crl03
ioc	http://ocsp.entrust.net0A

Stealing of Sensitive Information

Collects information to fingerprint the system Show sources

registry_read

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid

Attempts to create or modify system certificates Show sources

registry_write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob

Steals private information from local Internet browsers Show sources

file_read	C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
file_read	C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
file_read	C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@google[2].txt
file_read	C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@microsoft[2].txt
file_read	C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@downloads.sourceforge[1].txt
file_read	C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@c1.microsoft[2].txt

Spam, Unwanted Advertisements and Ransom Demands

Exhibits possible ransomware file modification behavior Show sources

appends_new_extension	Appends a new file extension to multiple modified files
new_appended_file_extension	.exe
new_appended_file_extension	.rtf
new_appended_file_extension	.lng
new_appended_file_extension	.dll
new_appended_file_extension	.ini
new_appended_file_extension	.bpl
new_appended_file_extension	.dat
new_appended_file_extension	.json
new_appended_file_extension	.ico
new_appended_file_extension	.avr
new_appended_file_extension	.key

Static Anomaly

Anomalous binary characteristics Show sources

static_pe_anomaly

Actual checksum does not match that reported in PE header

Hooking and other Techniques for Hiding Protection

Creates RWX memory Show sources

injection_rwx_memory

0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

Data Obfuscation

Drops a binary and executes it Show sources

file_dropped	C:\Users\user\AppData\Local\Temp\is-TF58U.tmp\reader.exe
file_dropped	C:\Users\user\AppData\Local\Temp\is-LIT24.tmp\12af0c0e047b70ff8406407a6c5b49050f413fa7.tmp
file_dropped	C:\Program Files (x86)\Auslogics\Anti-Malware\AntiMalware.exe

Malware Analysis System Evasion

A process attempted to delay the analysis task. Show sources

api_process_name

WmiPrvSE.exe tried to sleep 420 seconds, actually delayed analysis time by 0 seconds

Checks the version of Bios, possibly for anti-virtualization Show sources

registry_read

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Attempts to repeatedly call a single API many times in order to delay analysis time Show sources

api_process_name

WmiPrvSE.exe (1296) called API GetSystemTimeAsFileTime 20067 times

File Name: None

File Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA1: 12af0c0e047b70ff8406407a6c5b49050f413fa7

MD5: 3b1086235aead2a5cf61ec6e8728edb9