

0.dr
File read: C:\Windows\System32\drivers\etc\hosts
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DSME_YERI8436495740_PURCHASE-CONTRACT,pdf.exe
Mutant created: \Sessions\1\BaseNamedObjects\F7EE0CF1CF93AA2F06F12A09
Found potential string decryption / allocating functions
Code function: String function: 0041219C appears 45 times
Code function: String function: 00405B6F appears 41 times
Source: C:\Users\user\xchvjhfginsfdhgjyghjlkhgh\xchvjhfginsfdhgjyghjlkhgh.exe
Code function: 3_2_02360B87 NtProtectVirtualMemory,
Code function: 4_2_00540B87 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\DSME_YERI8436495740_PURCHASE-CONTRACT,pdf.exe
Dropped file: Set WshShell = CreateObject("WScript.Shell")
Contains functionality to call native functions
Code function: 0_2_02BF0B87 NtProtectVirtualMemory,
Potential malicious VBS script found (suspicious strings)

Static PE information: Filename: DSME_YERI8436495740_PURCHASE-CONTRACT,pdf.exe
Initial sample is a PE file and has a suspicious name
Matched rule: Auto-generated rule - file scan copy.pdf.
Malicious sample detected (through community Yara rule)
Standard Non-Application Layer Protocol 1
Exfiltration Over Command and Control Channel
Report size getting too big, too many NtReadVirtualMemory calls found.
Deobfuscate/Decode Files or Information 1.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.


Report size exceeded maximum capacity and may have missing behavior information.
Excluded domains from analysis (whitelisted): wu.ec., wu., au.net, wu.
Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe.
