0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e (SHA-256)
Malicious with 98% Confidence
SecondWrite’s DeepView Sandbox analyzed this file this week and declared it to be malicious.
DeepView unique and patented methods – specifically in this case, force code execution (FCE) – identified 6 indicators. At the time of its discovery, several market leading malware detection vendors had not identified this file as malicious. A link to the full report with descriptions and details is below.
Some key highlights and indicators follow. Those discovered by DeepView proprietary method are flagged with [FCE] for forced code execution.
Type of Malware: RAT
- [FCE] Creates known SpyNet files, registry changes and/or mutexes
- Installs itself for autorun at Windows startup
- [FCE] Executes one or more WMI queries
- Strings possibly contain hardcoded URLs
- A process created a hidden window
Evasiveness Indicators:
- [FCE] Attempts to identify installed AV products by registry key
- Attempts to repeatedly call a single API many times in order to delay analysis time
- Queries for the computer name
- Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available
- Detects VMWare through the in instruction feature
Other Compelling Indicators:
- Executed a process and injected code into it, probably while unpacking
- Reads data out of its own binary image
MITRE ATT&CK Indicators:
| MITRE Tactic | MITRE Technique |
| Defense Evasion | Hidden Window Process Injection Software Packing |
| Discovery | Security Software Discovery |
| Persistence | Registry Run Keys / Startup Folder |
| Privilege Escalation | Process Injection |
Selection from The Report:
See Full Detailed Report:
Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution, Program Level Indicators, and Automatic Sequence Detection.