Adylkuzz.B.exe
This report is generated from a file or URL submitted to this webservice on May 17th 2017 16:28:49 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.50 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Reads terminal service related keys (often RDP related)
  - Tries to identify its external IP address
  - Uses network protocols on unusual ports
- Persistence
  - Modifies firewall settings
  - Spawns a lot of processes
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
  - Tries to identify its external IP address
- Network Behavior
  - Contacts 4 domains and 4 hosts.
Additional Context
Related Sandbox Artifacts
- Associated SHA256s
- 0b60463468b744f72f50c20f7f8e5ad0801e86123f22d770b8cef64c7ef53caa
Indicators
Malicious Indicators 15
Anti-Detection/Stealthyness
Terminates other processes using taskkill
- details
  - Process "taskkill.exe" with commandline "taskkill /f /im hdmanager.exe"
  - Process "taskkill.exe" with commandline "taskkill /f /im mmc.exe"
  - Process "taskkill.exe" with commandline "taskkill /f /im msiexev.exe"
- source
  - Monitored Target
- relevance
  - 9/10
External Systems
Detected Emerging Threats Alert
- details
  - Detected alert "ET TROJAN JS/Nemucod requesting EXE payload 2016-02-01" (SID: 2022482, Rev: 2, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
  - Detected alert "ET POLICY PE EXE or DLL Windows file download HTTP" (SID: 2018959, Rev: 3, Severity: 1) categorized as "Potential Corporate Privacy Violation"
  - Detected alert "ET TROJAN JS/Nemucod.M.gen downloading EXE payload" (SID: 2021954, Rev: 2, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
  - Detected alert "ET POLICY Crypto Coin Miner Login" (SID: 2022886, Rev: 2, Severity: 1) categorized as "A Network Trojan was detected"
- source
  - Suricata Alerts
- relevance
  - 10/10
Sample was identified as malicious by a large number of Antivirus engines
- details
  - 46/61 Antivirus vendors marked sample as malicious (75% detection rate)
  - 12/37 Antivirus vendors marked sample as malicious (32% detection rate)
- source
  - External System
- relevance
  - 10/10
Sample was identified as malicious by at least one Antivirus engine
- details
  - 46/61 Antivirus vendors marked sample as malicious (75% detection rate)
  - 12/37 Antivirus vendors marked sample as malicious (32% detection rate)
- source
  - External System
- relevance
  - 8/10
General
The analysis extracted a file that was identified as malicious
- details
  - 41/84 Antivirus vendors marked dropped file "carved_0.exe" as malicious (classified as "Trojan.Generic" with 48% detection rate)
  - 33/59 Antivirus vendors marked dropped file "carved_1.exe" as malicious (classified as "Trojan.BitCoinMiner" with 55% detection rate)
- source
  - Binary File
- relevance
  - 10/10
The analysis spawned a process that was identified as malicious
- details
  - 45/83 Antivirus vendors marked spawned process "<Input Sample>" (PID: 2400) as malicious (classified as "Gen:Variant.Zusy" with 54% detection rate)
- source
  - Monitored Target
- relevance
  - 10/10
Network Related
Malicious artifacts seen in the context of a contacted host
- details
  - Found malicious artifacts related to "45.76.51.128" (ASN: , Owner: ): ...
    - URL: http://08.super5566.com/ (AV positives: 7/64 scanned on 05/17/2017 14:32:33)
    - URL: http://08.super5566.com/86.exe (AV positives: 9/65 scanned on 05/17/2017 08:57:03)
    - URL: http://08.super5566.com/install/106:0%20->%20127:2%20->%2065:0%20->%2067:0%20->%2080:0%20->%2081:0%20->%2082:0%20->%2094:0%20->%2095:0 (AV positives: 5/64 scanned on 05/17/2017 06:34:16)
    - URL: http://08.super5566.com/mine.txt (AV positives: 6/64 scanned on 05/17/2017 00:44:43)
    - URL: http://08.super5566.com/install/start (AV positives: 6/64 scanned on 05/17/2017 00:23:43)
    - File SHA256: e6680bf0d3b32583047e9304d1703c87878c7c82910fbe05efc8519d2ca2df71 (AV positives: 33/61 scanned on 05/17/2017 09:01:07)
  - Found malicious artifacts related to "45.77.28.163" (ASN: , Owner: ): ...
    - URL: http://a1.super5566.com/ (AV positives: 6/64 scanned on 05/17/2017 13:23:28)
    - URL: http://aa1.super5566.com/ (AV positives: 7/64 scanned on 05/17/2017 13:21:49)
    - URL: http://aa1.super5566.com/07.lua (AV positives: 5/64 scanned on 05/17/2017 06:34:32)
    - URL: http://a1.super5566.com/07.lua (AV positives: 5/64 scanned on 05/17/2017 00:37:06)
    - URL: http://aa1.super5566.com/tmp2.exe (AV positives: 6/64 scanned on 05/17/2017 00:27:43)
    - File SHA256: d2bb8e2f5219d608950239b65326df0b383c8a34e3d46c276d5ad33f7c59f860 (AV positives: 29/60 scanned on 05/17/2017 00:27:47)
    - File SHA256: a932454e5e6c4eaf3bfd9cd5866d38bffb65cbb6881f3d53ac91a09dd1e567c3 (AV positives: 31/61 scanned on 05/16/2017 17:04:54)
  - Found malicious artifacts related to "212.129.46.87" (ASN: 12876, Owner: ONLINE S.A.S.): ...
    - URL: http://xmr.crypto-pool.fr/ (AV positives: 1/65 scanned on 04/11/2017 02:53:56)
    - URL: http://xmr.crypto-pool.fr:3333/ (AV positives: 1/64 scanned on 02/20/2017 17:31:14)
    - File SHA256: fd38dcbe0705ee2a0fcc83deb70b14d5f0e8f8a92a4ee2146e3f36e0442bc0b3 (AV positives: 21/61 scanned on 05/07/2017 17:23:34)
    - File SHA256: 4f1b149c6e40443ba2a613e656fa72e31a9586a4fe35992eb6ee41deb33dd4da (AV positives: 23/62 scanned on 05/06/2017 05:03:49)
    - File SHA256: 81379c0f50f26367a20e59dccc54e2c013dddb1301f41c6bb8a8b3ecdd0a9fdd (AV positives: 34/62 scanned on 04/04/2017 17:58:13)
- source
  - Network Traffic
- relevance
  - 10/10
Tries to identify its external IP address
- details
  - "icanhazip.com"
- source
  - Network Traffic
- relevance
  - 6/10
System Security
Modifies firewall settings
- details
  - Process "netsh.exe" with commandline "netsh advfirewall firewall delete rule name="Chrome""
  - Process "netsh.exe" with commandline "netsh advfirewall firewall delete rule name="Windriver""
  - Process "netsh.exe" with commandline "netsh advfirewall firewall add rule name="Chrome" dir=in program="%PROGRAMFILES%\Google\Chrome\Application\chrome.txt" action=allow"
  - Process "netsh.exe" with commandline "netsh advfirewall firewall add rule name="Windriver" dir=in program="%PROGRAMFILES%\Hardware Driver Management\windriver.exe" action=allow"
- source
  - Monitored Target
- relevance
  - 8/10
Unusual Characteristics
Entrypoint in PE header is within an uncommon section
- details
  - "Adylkuzz.B.exe.bin" has an entrypoint in section ".8011"
- source
  - Static Parser
- relevance
  - 5/10
Spawns a lot of processes
- details
  - Spawned process "<Input Sample>"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c taskkill /f /im hdmanager.exe"
  - Spawned process "taskkill.exe" with commandline "taskkill /f /im hdmanager.exe"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c taskkill /f /im mmc.exe"
  - Spawned process "taskkill.exe" with commandline "taskkill /f /im mmc.exe"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c sc stop WELM"
  - Spawned process "sc.exe" with commandline "sc stop WELM"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c sc delete WELM"
  - Spawned process "sc.exe" with commandline "sc delete WELM"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh ipsec static add policy name=netbc"
  - Spawned process "netsh.exe" with commandline "netsh ipsec static add policy name=netbc"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh ipsec static add filterlist name=block"
  - Spawned process "netsh.exe" with commandline "netsh ipsec static add filterlist name=block"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh ipsec static add filteraction name=block action=block"
  - Spawned process "netsh.exe" with commandline "netsh ipsec static add filteraction name=block action=block"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445"
  - Spawned process "netsh.exe" with commandline "netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block"
  - Spawned process "netsh.exe" with commandline "netsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh ipsec static set policy name=netbc assign=y"
  - Spawned process "netsh.exe" with commandline "netsh ipsec static set policy name=netbc assign=y"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c taskkill /f /im msiexev.exe"
  - Spawned process "taskkill.exe" with commandline "taskkill /f /im msiexev.exe"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh advfirewall firewall delete rule name="Chrome""
  - Spawned process "netsh.exe" with commandline "netsh advfirewall firewall delete rule name="Chrome""
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh advfirewall firewall delete rule name="Windriver""
  - Spawned process "netsh.exe" with commandline "netsh advfirewall firewall delete rule name="Windriver""
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh advfirewall firewall add rule name="Chrome" dir=in program="%PROGRAMFILES%\Google\Chrome\Application\chrome.txt" action=allow"
  - Spawned process "netsh.exe" with commandline "netsh advfirewall firewall add rule name="Chrome" dir=in program="%PROGRAMFILES%\Google\Chrome\Application\chrome.txt" action=allow"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh advfirewall firewall add rule name="Windriver" dir=in program="%PROGRAMFILES%\Hardware Driver Management\windriver.exe" action=allow"
  - Spawned process "netsh.exe" with commandline "netsh advfirewall firewall add rule name="Windriver" dir=in program="%PROGRAMFILES%\Hardware Driver Management\windriver.exe" action=allow"
- source
  - Monitored Target
- relevance
  - 8/10
Hiding 4 Malicious Indicators
Suspicious Indicators 24
Anti-Detection/Stealthyness
Queries process information
- details
  - "<Input Sample>" queried SystemProcessInformation at 00039003-00002400-00000105-89232901
- source
  - API Call
- relevance
  - 4/10
Anti-Reverse Engineering
PE file has unusual entropy sections
- details
  - .8011 with unusual entropies 7.97167011538
- source
  - Static Parser
- relevance
  - 10/10
Environment Awareness
Contains ability to measure performance
- details
  - rdtsc
- source
  - Hybrid Analysis Technology
- relevance
  - 10/10
Reads the active computer name
- details
  - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "taskkill.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "sc.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "netsh.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
  - Registry Access
- relevance
  - 5/10
Reads the cryptographic machine GUID
- details
  - "taskkill.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "netsh.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
  - Registry Access
- relevance
  - 10/10
External Systems
Detected Emerging Threats Alert
- details
  - Detected alert "ET POLICY Internal Host Retrieving External IP via icanhazip.com - Possible Infection" (SID: 2017398, Rev: 3, Severity: 2) categorized as "Attempted Information Leak"
- source
  - Suricata Alerts
- relevance
  - 10/10
General
Opened the service control manager
- details
  - "<Input Sample>" called "OpenSCManager" requesting access rights "SC_MANAGER_ALL_ACCESS" (0xf003f)
  - "sc.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
  - "netsh.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_ALL_ACCESS" (0xf003f)
- source
  - API Call
- relevance
  - 10/10
Requested access to a system service
- details
  - "<Input Sample>" called "OpenService" to access the "" service
  - "<Input Sample>" called "OpenService" to access the "" service
  - "sc.exe" called "OpenService" to access the "WELM" service requesting "SERVICE_STOP" (0X20) access rights
  - "sc.exe" called "OpenService" to access the "WELM" service
  - "netsh.exe" called "OpenService" to access the "policyagent" service
  - "netsh.exe" called "OpenService" to access the "ServicesActive" service requesting "SERVICE_QUERY_CONFIG" (0X1) access rights
  - "netsh.exe" called "OpenService" to access the "NapAgent" service
  - "netsh.exe" called "OpenService" to access the "NapAgent" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
- source
  - API Call
- relevance
  - 10/10
Sent a control code to a service
- details
  - "netsh.exe" called "ControlService" and sent control code "0X24" to the service "NapAgent"
  - "netsh.exe" called "ControlService" and sent control code "0X120" to the service "NapAgent"
  - "netsh.exe" called "ControlService" and sent control code "0X81" to the service "PolicyAgent"
- source
  - API Call
- relevance
  - 10/10
Installation/Persistance
Drops executable files
- details
  - "carved_0.exe" has type "PE32 executable (console) Intel 80386 (stripped to external PDB) for MS Windows"
  - "carved_1.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
  - Binary File
- relevance
  - 10/10
Network Related
Found potential IP address in binary/memory
- details
  - "45.76.51.128"
  - "104.20.17.242"
  - "45.77.28.163"
- source
  - String
- relevance
  - 3/10
Remote Access Related
Reads terminal service related keys (often RDP related)
- details
  - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
  - Registry Access
- relevance
  - 10/10
System Destruction
Opens file with deletion access rights
- details
  - "<Input Sample>" opened "C:\Adylkuzz.B.exe" with delete access
  - "<Input Sample>" opened "%WINDIR%\Fonts\msiexev.exe" with delete access
- source
  - API Call
- relevance
  - 7/10
Unusual Characteristics
CRC value set in PE header does not match actual value
- details
  - "Adylkuzz.B.exe.bin" claimed CRC 1510110 while the actual is CRC 1505786
- source
  - Static Parser
- relevance
  - 10/10
Imports suspicious APIs
- details
  - GetModuleHandleA
  - GetModuleFileNameW
  - LoadLibraryA
  - Sleep
- source
  - Static Parser
- relevance
  - 1/10
Installs hooks/patches the running process
- details
  - "taskkill.exe" wrote bytes "4053157758581677186a1677653c17770000000000bfb7750000000056ccb775000000007ccab7750000000037683b756a2c1777d62d17770000000020693b750000000029a6b77500000000a48d3b7500000000f70eb77500000000" to virtual address "0x75AE1000" (part of module "NSI.DLL")
- source
  - Hook Detection
- relevance
  - 10/10
Reads information about supported languages
- details
  - "cmd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
  - Registry Access
- relevance
  - 3/10
Timestamp in PE header is very old or in the future
- details
  - "Adylkuzz.B.exe.bin" claims program is from Thu Jan 1 00:00:00 1970
- source
  - Static Parser
- relevance
  - 10/10
Hiding 6 Suspicious Indicators
Informative 12
Anti-Reverse Engineering
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
  - SetUnhandledExceptionFilter@KERNEL32.dll at 7581-955-00423101
  - SetUnhandledExceptionFilter@KERNEL32.dll at 7581-1565-00422646
- source
  - Hybrid Analysis Technology
- relevance
  - 1/10
Environment Awareness
Contains ability to query machine time
- details
  - GetSystemTimeAsFileTime@KERNEL32.dll at 7581-747-0041C306
  - GetSystemTimeAsFileTime@KERNEL32.dll at 7581-994-0041C34D
  - GetSystemTime@KERNEL32.dll at 7581-842-0041153D
- source
  - Hybrid Analysis Technology
- relevance
  - 1/10
General
Contacts domains
- details
  - "xmr.crypto-pool.fr"
  - "aa1.super5566.com"
  - "08.super5566.com"
  - "icanhazip.com"
- source
  - Network Traffic
- relevance
  - 1/10
Contacts server
- details
  - "45.76.51.128:80"
  - "188.138.33.220:61833"
  - "45.77.28.163:80"
  - "212.129.46.87:443"
- source
  - Network Traffic
- relevance
  - 1/10
Contains PDB pathways
- details
  - "d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb"
- source
  - String
- relevance
  - 1/10
Creates mutants
- details
  - "\Sessions\1\BaseNamedObjects\DBWinMutex"
  - "DBWinMutex"
  - "\Sessions\1\BaseNamedObjects\RasPbFile"
  - "\Sessions\1\BaseNamedObjects\Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7"
- source
  - Created Mutant
- relevance
  - 3/10
Runs shell commands
- details
  - "%WINDIR%\system32\cmd.exe /c taskkill /f /im hdmanager.exe" on 2017-5-17.07:31:00.730
  - "%WINDIR%\system32\cmd.exe /c taskkill /f /im mmc.exe" on 2017-5-17.07:31:41.260
  - "%WINDIR%\system32\cmd.exe /c sc stop WELM" on 2017-5-17.07:32:22.713
  - "%WINDIR%\system32\cmd.exe /c sc delete WELM" on 2017-5-17.07:32:22.883
  - "%WINDIR%\system32\cmd.exe /c netsh ipsec static add policy name=netbc" on 2017-5-17.07:32:23.103
  - "%WINDIR%\system32\cmd.exe /c netsh ipsec static add filterlist name=block" on 2017-5-17.07:33:03.814
  - "%WINDIR%\system32\cmd.exe /c netsh ipsec static add filteraction name=block action=block" on 2017-5-17.07:33:44.365
  - "%WINDIR%\system32\cmd.exe /c netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445" on 2017-5-17.07:34:24.986
  - "%WINDIR%\system32\cmd.exe /c netsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block" on 2017-5-17.07:35:05.547
  - "%WINDIR%\system32\cmd.exe /c netsh ipsec static set policy name=netbc assign=y" on 2017-5-17.07:35:46.187
  - "%WINDIR%\system32\cmd.exe /c taskkill /f /im msiexev.exe" on 2017-5-17.07:36:27.700
  - "%WINDIR%\system32\cmd.exe /c netsh advfirewall firewall delete rule name="Chrome"" on 2017-5-17.07:37:08.661
  - "%WINDIR%\system32\cmd.exe /c netsh advfirewall firewall delete rule name="Windriver"" on 2017-5-17.07:37:49.532
  - "%WINDIR%\system32\cmd.exe /c netsh advfirewall firewall add rule name="Chrome" dir=in program="%PROGRAMFILES%\Google\Chrome\Application\chrome.txt" action=allow" on 2017-5-17.07:38:30.303
  - "%WINDIR%\system32\cmd.exe /c netsh advfirewall firewall add rule name="Windriver" dir=in program="%PROGRAMFILES%\Hardware Driver Management\windriver.exe" action=allow" on 2017-5-17.07:39:11.555
- source
  - Monitored Target
- relevance
  - 5/10
Spawns new processes
- details
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c taskkill /f /im hdmanager.exe"
  - Spawned process "taskkill.exe" with commandline "taskkill /f /im hdmanager.exe"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c taskkill /f /im mmc.exe"
  - Spawned process "taskkill.exe" with commandline "taskkill /f /im mmc.exe"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c sc stop WELM"
  - Spawned process "sc.exe" with commandline "sc stop WELM"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c sc delete WELM"
  - Spawned process "sc.exe" with commandline "sc delete WELM"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh ipsec static add policy name=netbc"
  - Spawned process "netsh.exe" with commandline "netsh ipsec static add policy name=netbc"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh ipsec static add filterlist name=block"
  - Spawned process "netsh.exe" with commandline "netsh ipsec static add filterlist name=block"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh ipsec static add filteraction name=block action=block"
  - Spawned process "netsh.exe" with commandline "netsh ipsec static add filteraction name=block action=block"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445"
  - Spawned process "netsh.exe" with commandline "netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block"
  - Spawned process "netsh.exe" with commandline "netsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh ipsec static set policy name=netbc assign=y"
  - Spawned process "netsh.exe" with commandline "netsh ipsec static set policy name=netbc assign=y"
- source
  - Monitored Target
- relevance
  - 3/10
Installation/Persistance
Dropped files
- details
  - "carved_0.exe" has type "PE32 executable (console) Intel 80386 (stripped to external PDB) for MS Windows"
  - "carved_1.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
  - Binary File
- relevance
  - 3/10
Touches files in the Windows directory
- details
  - "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
  - "<Input Sample>" touched file "%WINDIR%\system32\tzres.dll"
  - "<Input Sample>" touched file "%WINDIR%\system32\en-US\tzres.dll.mui"
- source
  - API Call
- relevance
  - 7/10
Network Related
Found potential URL in binary/memory
- details
  - Pattern match: "pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07"
  - Pattern match: "http://pki-ocsp.symauth.com0"
  - Pattern match: "pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crl0"
- source
  - String
- relevance
  - 10/10
Unusual Characteristics
Matched Compiler/Packer signature
- details
  - "Adylkuzz.B.exe.bin" was detected as "Morphine v1.2 (DLL)"
- source
  - Static Parser
- relevance
  - 10/10
File Details
Adylkuzz.B.exe
- Filename
- Adylkuzz.B.exe
- Size
- 1.4MiB (1450500 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
- Architecture
- WINDOWS
- SHA256
- 8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233
- MD5
- f2e1d236c5d2c009e1749fc6479a9ede
- SHA1
- 262c22ffd66c33da641558f3da23f7584881a782
- ssdeep
- 24576:6EpKGrwKydag/jU7IZK8LNmf2+r+eauoUWg6ye2tX9t5WR4MJh:6nGrwKtg7U7I88Zi2/xxyeAt06a
- imphash
- 4ec91799cda08417c14bae94b6a450c8
- authentihash
- 307e1326f079a7f6fc212435be092ea86f71277d2516a629bbcc2879d74e1b2c
- Compiler/Packer
- Morphine v1.2 (DLL)
Hybrid Analysis
Analysed 31 processes in total.
- Adylkuzz.B.exe (PID: 2400), 45/83 Antivirus detections
- cmd.exe (PID: 2464): %WINDIR%\system32\cmd.exe /c taskkill /f /im hdmanager.exe
  - taskkill.exe (PID: 2424): taskkill /f /im hdmanager.exe
- cmd.exe (PID: 2440): %WINDIR%\system32\cmd.exe /c taskkill /f /im mmc.exe
  - taskkill.exe (PID: 2512): taskkill /f /im mmc.exe
- cmd.exe (PID: 2584): %WINDIR%\system32\cmd.exe /c sc stop WELM
  - sc.exe (PID: 2580): sc stop WELM
- cmd.exe (PID: 2576): %WINDIR%\system32\cmd.exe /c sc delete WELM
  - sc.exe (PID: 1968): sc delete WELM
- cmd.exe (PID: 1552): %WINDIR%\system32\cmd.exe /c netsh ipsec static add policy name=netbc
  - netsh.exe (PID: 1460): netsh ipsec static add policy name=netbc
- cmd.exe (PID: 3280): %WINDIR%\system32\cmd.exe /c netsh ipsec static add filterlist name=block
  - netsh.exe (PID: 2728): netsh ipsec static add filterlist name=block
- cmd.exe (PID: 2732): %WINDIR%\system32\cmd.exe /c netsh ipsec static add filteraction name=block action=block
  - netsh.exe (PID: 2672): netsh ipsec static add filteraction name=block action=block
- cmd.exe (PID: 2808): %WINDIR%\system32\cmd.exe /c netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445
  - netsh.exe (PID: 2816): netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445
- cmd.exe (PID: 2128): %WINDIR%\system32\cmd.exe /c netsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block
  - netsh.exe (PID: 2620): netsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block
- cmd.exe (PID: 2548): %WINDIR%\system32\cmd.exe /c netsh ipsec static set policy name=netbc assign=y
  - netsh.exe (PID: 2908): netsh ipsec static set policy name=netbc assign=y
- cmd.exe (PID: 2872): %WINDIR%\system32\cmd.exe /c taskkill /f /im msiexev.exe
  - taskkill.exe (PID: 2844): taskkill /f /im msiexev.exe
- cmd.exe (PID: 3364): %WINDIR%\system32\cmd.exe /c netsh advfirewall firewall delete rule name="Chrome"
  - netsh.exe (PID: 3444): netsh advfirewall firewall delete rule name="Chrome"
- cmd.exe (PID: 3512): %WINDIR%\system32\cmd.exe /c netsh advfirewall firewall delete rule name="Windriver"
  - netsh.exe (PID: 3272): netsh advfirewall firewall delete rule name="Windriver"
- cmd.exe (PID: 3428): %WINDIR%\system32\cmd.exe /c netsh advfirewall firewall add rule name="Chrome" dir=in program="%PROGRAMFILES%\Google\Chrome\Application\chrome.txt" action=allow
  - netsh.exe (PID: 3316): netsh advfirewall firewall add rule name="Chrome" dir=in program="%PROGRAMFILES%\Google\Chrome\Application\chrome.txt" action=allow
- cmd.exe (PID: 3616): %WINDIR%\system32\cmd.exe /c netsh advfirewall firewall add rule name="Windriver" dir=in program="%PROGRAMFILES%\Hardware Driver Management\windriver.exe" action=allow
  - netsh.exe (PID: 3564): netsh advfirewall firewall add rule name="Windriver" dir=in program="%PROGRAMFILES%\Hardware Driver Management\windriver.exe" action=allow
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
xmr.crypto-pool.fr | - | - | - |
aa1.super5566.com | 45.77.28.163 | - | United States |
08.super5566.com | - | - | - |
icanhazip.com | 104.20.17.242 | - | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
45.76.51.128 | 80 TCP | adylkuzz.b.exe PID: 2400; wuauser.exe PID: 2976 | United States |
45.77.28.163 | 80 TCP | wuauser.exe PID: 2976 | United States |
212.129.46.87 | 443 TCP | msiexev.exe PID: 3756 | France, ASN: 12876 (ONLINE S.A.S.) |
HTTP Traffic
No relevant HTTP requests were made.
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 104.20.17.242:80 (TCP) | Attempted Information Leak | ET POLICY Internal Host Retrieving External IP via icanhazip.com - Possible Infection | 2017398 |
local -> 45.76.51.128:80 (TCP) | A Network Trojan was detected | ET TROJAN JS/Nemucod requesting EXE payload 2016-02-01 | 2022482 |
45.76.51.128 -> local:61835 (TCP) | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP | 2018959 |
45.76.51.128 -> local:61835 (TCP) | A Network Trojan was detected | ET TROJAN JS/Nemucod.M.gen downloading EXE payload | 2021954 |
45.77.28.163 -> local:61839 (TCP) | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP | 2018959 |
local -> 212.129.46.87:443 (TCP) | A Network Trojan was detected | ET POLICY Crypto Coin Miner Login | 2022886 |
local -> 212.129.46.87:443 (TCP) | A Network Trojan was detected | ET POLICY Crypto Coin Miner Login | 2022886 |
Extracted Files
Malicious 2
carved_0.exe
- Size
- 912KiB (933376 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
- AV Scan Result
- Labeled as "Trojan.Generic" (41/84)
- Context
- 08.super5566.com
- MD5
- f8159e8a136bfbc0e7e399cdf048b4e0
- SHA1
- 4e165fca1b1bf1a1f735cada3f54815a5bd12a78
- SHA256
- e6680bf0d3b32583047e9304d1703c87878c7c82910fbe05efc8519d2ca2df71
carved_1.exe
- Size
- 257KiB (263037 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Trojan.BitCoinMiner" (33/59)
- Context
- aa1.super5566.com
- MD5
- 2d001c3d5e3509a7e7d4a72aa6e423ce
- SHA1
- e3d1e1bb37e2f40fa1cd57def08cad39853847e5
- SHA256
- a7000b2618512f1cb24b51f4ae2f34d332b746183dfad6483aba04571ba8b2f9
Notifications
Runtime
- Added comment to Virus Total report
- Not all sources for signature ID "api-75" are available in the report
- Not all sources for signature ID "api-76" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all sources for signature ID "registry-1" are available in the report
- Not all sources for signature ID "target-25" are available in the report