Xcitium Cloud Verdict

Lowering of HIPS/ PFW/ Operating System Security Settings

Attempts to disable Windows Defender Show sources

registry_write

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware

Attempts to disable Windows Auto Updates Show sources

registry_write

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Attempts to block SafeBoot use by removing registry keys Show sources

registry_delete

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option

Packer

The binary likely contains encrypted or compressed data. Show sources

packer_section

name: .bqazz, entropy: 7.88, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x000a5000, virtual_size: 0x000a4ed0

Hooking and other Techniques for Hiding Protection

Creates RWX memory Show sources

injection_rwx_memory

0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

Data Obfuscation

Drops a binary and executes it Show sources

file_dropped	C:\Users\user\AppData\Local\Temp\IXP002.TMP\p2889321.exe
file_dropped	C:\Users\user\AppData\Local\Temp\IXP001.TMP\s6358817.exe
file_dropped	C:\Users\user\AppData\Local\Temp\IXP001.TMP\z7869856.exe
file_dropped	C:\Users\user\AppData\Local\Temp\IXP002.TMP\r4984541.exe

Persistence and Installation Behavior

Installs itself for autorun at Windows startup Show sources

registry_write	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1
data	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\"
registry_write	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
data	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
registry_write	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2
data	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\"

Operating System Destruction

At least one process apparently crashed during execution Show sources

api_dll_loaded

faultrep.dll

Malware Analysis System Evasion

A process attempted to delay the analysis task. Show sources

api_process_name	WMIADAP.exe tried to sleep 300 seconds, actually delayed analysis time by 0 seconds
api_process_name	WmiPrvSE.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds
api_process_name	s6358817.exe tried to sleep 305 seconds, actually delayed analysis time by 0 seconds

Attempts to repeatedly call a single API many times in order to delay analysis time Show sources

api_process_name

services.exe (460) called API GetSystemTimeAsFileTime 16967340 times

Spoofs its process name and/or associated pathname to appear as a legitimate process Show sources

modified_path	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	modified_name	p2889321.exe	original_name	p2889321.exe	original_path	C:\Users\user\AppData\Local\Temp\IXP002.TMP\p2889321.exe
modified_path	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	modified_name	s6358817.exe	original_name	s6358817.exe	original_path	C:\Users\user\AppData\Local\Temp\IXP001.TMP\s6358817.exe

HIPS/ PFW/ Operating System Protection Evasion

Attempts to stop active services Show sources

service_stop	WinDefend
service_stop	wuauserv

File Name: bdbdc0e68f0175414075ae9841781c51ce3784d7

File Type: PE32 executable (console) Intel 80386, for MS Windows

SHA1: bdbdc0e68f0175414075ae9841781c51ce3784d7

MD5: a494133a749128886cf99016e767f5dc