Advanced File Analysis System | Valkyrie
Total Page:16
File Type:pdf, Size:1020Kb
Summary

File Name: AdobeFlashPlayer__43ea717824.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
SHA1: 770919dce557c0e461c9f8430120bbc84583beb4
MD5: cf97766e767843bba1aad7036985185d
Valkyrie Final Verdict: MALWARE

DETECTION SECTION
Trojan
Severity: High
Verdict: Malware

CLASSIFICATION (probability by family)
Trojan Dropper: 81.14%
Backdoor: 6.51%
PUA: 5.85%
Trojan Generic: 1.83%
Virus: 1.77%
Trojan Downloader: 0.97%
Bot: 0.86%
Password Stealer: 0.63%
Worm: 0.26%
Rogue: 0.17%
Exploit: 0.00%
Ransomware: 0.00%
Remote Access Trojan: 0.00%
Rootkit: 0.00%
Spyware: 0.00%

HIGH LEVEL BEHAVIOR DISTRIBUTION (hooked API calls by category)
Registry: 5448 (31.7%)
System: 5444 (31.7%)
File System: 3093 (18.0%)
Process: 1370 (8.0%)
Misc: 768
Crypto: 340
Device: 292
Com: 176
Network: 167
Threading: 47
Synchronization: 29
Windows: 10
Services: 4
Hooking: 3

ACTIVITY OVERVIEW
Networking: 3 (33.33%)
Hooking and other Techniques for Hiding Protection: 2 (22.22%)
Lowering of HIPS/PFW/Operating System Security Settings: 1 (11.11%)
Packer: 1 (11.11%)
Static Anomaly: 1 (11.11%)
Data Obfuscation: 1 (11.11%)

Activity Details

NETWORKING
Attempts to connect to a dead IP:Port (4 unique times)
HTTP traffic contains suspicious features which may be indicative of malware related traffic
Performs some HTTP requests

LOWERING OF HIPS/PFW/OPERATING SYSTEM SECURITY SETTINGS
Attempts to disable Windows Defender

PACKER
The binary likely contains encrypted or compressed data.
STATIC ANOMALY
Anomalous binary characteristics

HOOKING AND OTHER TECHNIQUES FOR HIDING PROTECTION
Creates RWX memory
Executed a process and injected code into it, probably while unpacking

DATA OBFUSCATION
Drops a binary and executes it

Behavior Graph (10:55:32 to 10:56:29)

PID 2948 (PPID 1656)
10:55:32 Create Process: the malicious file created a child process as 770919dce557c0e461c9f8430120bbc84583beb4.exe
10:55:32 NtAllocateVirtualMemory
10:55:37 Create Process
10:55:37 NtResumeThread

PID 2728 (PPID 2948)
10:55:38 Create Process: the malicious file created a child process as 770919dce557c0e461c9f8430120bbc84583beb4.exe
10:55:40 Create Process

PID 2724 (PPID 2728)
10:55:41 Create Process: the malicious file created a child process as 770919dce557c0e461c9f8430120bbc84583beb4.exe
10:55:48 Create Process

PID 2428 (PPID 2724)
10:55:50 Create Process: the malicious file created a child process as 770919dce557c0e461c9f8430120bbc84583beb4.exe
10:55:50 RegSetValueExW
10:56:07 Create Process
10:56:10 connect
10:56:19 ConnectEx
10:56:29 [ 2 times ]

PID 2388 (PPID 2428)
10:56:13 Create Process: the malicious file created a child process as explorer.exe
10:56:22 Create Process

PID 1200 (PPID 2388)
10:56:27 Create Process: the malicious file created a child process as explorer.exe
10:56:29 ConnectEx

PID 872 (PPID 460)
10:55:52 Create Process: the malicious file created a child process as svchost.exe

Behavior Summary

ACCESSED FILES
C:\Users\user\AppData\Local\Temp\770919dce557c0e461c9f8430120bbc84583beb4.ENU
C:\Users\user\AppData\Local\Temp\770919dce557c0e461c9f8430120bbc84583beb4.ENU.DLL
C:\Users\user\AppData\Local\Temp\770919dce557c0e461c9f8430120bbc84583beb4.EN
C:\Users\user\AppData\Local\Temp\770919dce557c0e461c9f8430120bbc84583beb4.EN.DLL
C:\Windows\Fonts\staticcache.dat
C:\Users\user\AppData\Local\Temp\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\system\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\api-ms-win-core-fibers-l1-1-1.DLL
C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\wbem\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-fibers-l1-1-1.DLL
C:\Program Files\Microsoft Network Monitor 3\api-ms-win-core-fibers-l1-1-1.DLL
C:\Program Files (x86)\Universal Extractor\api-ms-win-core-fibers-l1-1-1.DLL
C:\Program Files (x86)\Universal Extractor\bin\api-ms-win-core-fibers-l1-1-1.DLL
C:\Program Files (x86)\Windows Kits\8.1\Windows Performance Toolkit\api-ms-win-core-fibers-l1-1-1.DLL
C:\Python27\api-ms-win-core-fibers-l1-1-1.DLL
C:\Python27\Scripts\api-ms-win-core-fibers-l1-1-1.DLL
C:\tools\sysinternals\api-ms-win-core-fibers-l1-1-1.DLL
C:\tools\api-ms-win-core-fibers-l1-1-1.DLL
C:\tools\IDA_Pro_v6\python\api-ms-win-core-fibers-l1-1-1.DLL
C:\Users\user\AppData\Local\Temp\api-ms-win-core-localization-l1-2-1.DLL
C:\Windows\System32\api-ms-win-core-localization-l1-2-1.DLL
C:\Windows\system\api-ms-win-core-localization-l1-2-1.DLL
C:\Windows\api-ms-win-core-localization-l1-2-1.DLL
C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-localization-l1-2-1.DLL
C:\Windows\System32\wbem\api-ms-win-core-localization-l1-2-1.DLL
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-localization-l1-2-1.DLL
C:\Program Files\Microsoft Network Monitor 3\api-ms-win-core-localization-l1-2-1.DLL
C:\Program Files (x86)\Universal Extractor\api-ms-win-core-localization-l1-2-1.DLL
C:\Program Files (x86)\Universal Extractor\bin\api-ms-win-core-localization-l1-2-1.DLL
C:\Program Files (x86)\Windows Kits\8.1\Windows Performance Toolkit\api-ms-win-core-localization-l1-2-1.DLL
C:\Python27\api-ms-win-core-localization-l1-2-1.DLL
C:\Python27\Scripts\api-ms-win-core-localization-l1-2-1.DLL
C:\tools\sysinternals\api-ms-win-core-localization-l1-2-1.DLL
C:\tools\api-ms-win-core-localization-l1-2-1.DLL
C:\tools\IDA_Pro_v6\python\api-ms-win-core-localization-l1-2-1.DLL
\Device\KsecDD
C:\Users\user\AppData\Local\Temp\770919dce557c0e461c9f8430120bbc84583beb4.exe
C:\Windows\SysWOW64\shell32.dll
C:\Users\user\AppData\Local\Microsoft\Windows\Caches
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000004a.db
C:\Users\user\Desktop\desktop.ini
C:\Windows\SysWOW64\propsys.dll
C:\Windows\sysnative\propsys.dll
C:\
C:\Users
C:\Users\desktop.ini
C:\Users\user
C:\Users\user\Searches
C:\Users\user\Searches\desktop.ini
C:\Users\user\Videos
C:\Users\user\Videos\desktop.ini
C:\Users\user\Pictures
C:\Users\user\Pictures\desktop.ini
C:\Users\user\Desktop
C:\Users\user\Contacts
C:\Users\user\Contacts\desktop.ini
C:\Users\user\Favorites
C:\Users\user\Favorites\desktop.ini
C:\Users\user\Music
C:\Users\user\Music\desktop.ini
C:\Users\user\Downloads
C:\Users\user\Downloads\desktop.ini
C:\Users\user\Documents
C:\Users\user\Documents\desktop.ini
C:\Users\user\Links
C:\Users\user\Links\desktop.ini
C:\Users\user\Saved Games
C:\Users\user\Saved Games\desktop.ini
C:\Windows\System32\shdocvw.dll
C:\Windows\AppPatch\sysmain.sdb
C:\Windows\System32\
C:\Windows\SysWOW64\shdocvw.dll
C:\Windows

READ REGISTRY KEYS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
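Two things in this report are worth pulling out mechanically rather than by eye: the process chain in the Behavior Graph (the sample re-spawns its own image four times and then produces children the sandbox names explorer.exe, which is the shape one expects behind the "executed a process and injected code into it" finding) and the Accessed Files list, where the same two api-ms-win-* DLL names are opened in sixteen directories in standard loader search order (the sample's own directory first, then System32, system, Windows, then every PATH entry). The script below is an added example, not Valkyrie's or Comodo's code: the event tuples and the directory list are transcribed from the report, while the function names, the four-directory threshold, and the choice to treat explorer.exe and svchost.exe as system images are assumptions of the example.

```python
"""Triage of the Behavior Graph and Accessed Files sections of the report.
Added example, not Valkyrie/Comodo code: events and directories are taken
from the report; function names, the min_dirs threshold and the treatment of
explorer.exe/svchost.exe as system images are this example's assumptions."""
import ntpath
from collections import defaultdict

SAMPLE = "770919dce557c0e461c9f8430120bbc84583beb4.exe"

# Create Process events: (time, child PID, parent PID, image name reported).
PROCESS_EVENTS = [
    ("10:55:32", 2948, 1656, SAMPLE),
    ("10:55:38", 2728, 2948, SAMPLE),
    ("10:55:41", 2724, 2728, SAMPLE),
    ("10:55:50", 2428, 2724, SAMPLE),
    ("10:55:52", 872, 460, "svchost.exe"),
    ("10:56:13", 2388, 2428, "explorer.exe"),
    ("10:56:27", 1200, 2388, "explorer.exe"),
]

# Directories in which the report shows the same DLL name being opened, in
# the order listed (application dir, System32, system, Windows, then PATH).
PROBE_DIRS = [
    r"C:\Users\user\AppData\Local\Temp",
    r"C:\Windows\System32",
    r"C:\Windows\system",
    r"C:\Windows",
    r"C:\ProgramData\Oracle\Java\javapath",
    r"C:\Windows\System32\wbem",
    r"C:\Windows\System32\WindowsPowerShell\v1.0",
    r"C:\Program Files\Microsoft Network Monitor 3",
    r"C:\Program Files (x86)\Universal Extractor",
    r"C:\Program Files (x86)\Universal Extractor\bin",
    r"C:\Program Files (x86)\Windows Kits\8.1\Windows Performance Toolkit",
    r"C:\Python27",
    r"C:\Python27\Scripts",
    r"C:\tools\sysinternals",
    r"C:\tools",
    r"C:\tools\IDA_Pro_v6\python",
]

# Constructed input: both api-ms-win-* names in every directory above, plus
# ordinary accesses from the same list that must not be flagged.
ACCESSED_FILES = [
    ntpath.join(d, name)
    for name in ("api-ms-win-core-fibers-l1-1-1.DLL",
                 "api-ms-win-core-localization-l1-2-1.DLL")
    for d in PROBE_DIRS
] + [r"C:\Windows\SysWOW64\shell32.dll", r"C:\Windows\SysWOW64\propsys.dll",
     r"C:\Users\user\Desktop\desktop.ini"]


def sample_lineage(events, sample=SAMPLE):
    """Return the sample's self-spawn chain, the system-named processes it
    created (candidates for the report's "injected code into it" finding)
    and PIDs in the graph that are not reachable from the sample."""
    parent, image, children = {}, {}, defaultdict(list)
    for _time, pid, ppid, name in events:
        parent[pid], image[pid] = ppid, name.lower()
        children[ppid].append(pid)
    sample = sample.lower()
    # A root is a PID whose parent never appears as a child in the graph.
    roots = [p for p in parent if parent[p] not in parent and image[p] == sample]

    def longest_chain(pid):  # longest parent->child path staying on the sample image
        best = []
        for child in children[pid]:
            if image[child] == sample:
                cand = longest_chain(child)
                best = cand if len(cand) > len(best) else best
        return [pid] + best

    reachable, stack = set(), list(roots)
    while stack:
        pid = stack.pop()
        if pid not in reachable:
            reachable.add(pid)
            stack.extend(children[pid])
    return {
        "chain": max((longest_chain(r) for r in roots), key=len, default=[]),
        "masqueraders": sorted(p for p in reachable if image[p] != sample),
        "unattributed": sorted(p for p in parent if p not in reachable),
    }


def dll_search_sweeps(paths, min_dirs=4):
    """A DLL name opened in min_dirs or more directories is the loader walking
    its search order because the DLL was absent where it looked first.  The
    first directory is where a planted copy would win outright; directories
    outside C:\\Windows are PATH entries that also get a chance if writable."""
    dirs_by_name = defaultdict(list)
    for path in paths:
        head, tail = ntpath.split(path)
        if tail.lower().endswith(".dll") and head not in dirs_by_name[tail.lower()]:
            dirs_by_name[tail.lower()].append(head)
    win = ntpath.normcase(r"C:\Windows")

    def under_windows(d):
        d = ntpath.normcase(d)
        return d == win or d.startswith(win + "\\")

    return {
        name: {"first_dir": dirs[0], "dir_count": len(dirs),
               "non_windows_dirs": [d for d in dirs[1:] if not under_windows(d)]}
        for name, dirs in dirs_by_name.items() if len(dirs) >= min_dirs
    }
```

On the report's data, sample_lineage returns the chain 2948 -> 2728 -> 2724 -> 2428, the explorer.exe-named PIDs 2388 and 1200 as injection candidates, and PID 872 (svchost.exe, PPID 460) as a process the graph lists but cannot tie to the sample by parentage alone; that last one should be correlated with the hooking findings rather than assumed to be the sample's. dll_search_sweeps flags both api-ms-win-* names as 16-directory sweeps whose first probe is the Temp directory the sample was dropped into, with ten of the remaining directories outside C:\Windows. The practical reading is twofold: a DLL with either name placed beside the dropped executable would be loaded first, and on the analysis VM the PATH entries under C:\Python27 and C:\tools are probed for any DLL the loader fails to find earlier, so their permissions matter.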