Global Verdict Report


WildFire Analysis Report



1 File Information 2
2 Static Analysis 2
3 Dynamic Analysis 2
3.1. VM1 (Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007) 2
3.1.1. Behavioral Summary 2
3.1.2. Network Activity 3
3.1.3. Host Activity 3
Process Activity 3
Process Name - DW20.EXE 3
Process Name - sample.exe 3
Event Timeline 4
3.2. VM2 (Windows 7 x64 SP1, Adobe Reader 11, Flash 11, Office 2010) 6
3.2.1. Behavioral Summary 6
3.2.2. Network Activity 6
3.2.3. Host Activity 7
Process Activity 7
Process Name - dw20.exe 7
Process Name - sample.exe 7
Event Timeline 7

1/8
1 File Information

File Type PE

File Signer

SHA-256 4c95f16963a7ce9b0a25a41f4c002114dd70cb90c0ba958174ef72c4188effa1

SHA-1 b9b4673c62c1c209fc9abe5714e96ee8aef3023b

MD5 787f94c8ed14a54d3e0b8614c8d34b05

File Size 92160 bytes

First Seen Timestamp 2021-07-27 23:20:02 UTC

Verdict Malware

Antivirus Coverage VirusTotal Information

2 Static Analysis

This sample was not found to contain any high-risk content during a pre-screening analysis of the sample.

3 Dynamic Analysis

3.1. VM1 (Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007)

3.1.1. Behavioral Summary

This sample was found to be malware on this virtual machine.

Behavior Severity

Created or modified a file in the Windows system folder
The Windows system folder contains configuration files and executables that control the underlying functions of the system. Malware often modifies the contents of this folder to manipulate the system, establish persistence, and avoid detection.

Created or modified a file
Legitimate software creates or modifies files to preserve data across system restarts. Malware may create or modify files to deliver malicious payloads or maintain persistence on a system.

Started a process
A process running on the system may start additional processes to perform actions in the background. This behavior is common to legitimate software as well as malware.

Sample tries to access the generic query interface to the DNS namespace (the Windows DnsQuery API).

Modified the Windows Registry
The Windows Registry houses system configuration settings and options, including information about installed applications, services, and drivers. Malware often modifies registry data to establish persistence on the system and avoid detection.

Sent email
A common goal of malware is to send spam or emails with malicious attachments, allowing it to spread beyond, or move laterally within, the network.

Attempted to sleep for a long period
Malware analysis environments have a limited amount of time in which to execute code and deliver a verdict. To subvert this process, malware often delays execution, or "sleeps," for a long period, allowing it to avoid detection.

3.1.2. Network Activity

DNS Queries

Domain Name        Query Type   DNS Response
mail.apj.org.pe    A            190.12.76.45
apj.org.pe         NS           ns2.opticalip.com.pe
apj.org.pe         NS           ns1.opticalip.com.pe

Connections

Host            Port   Protocol   Country
190.12.76.45    25     TCP        PE

The sample resolved the mail host of apj.org.pe and connected to it on TCP/25 (SMTP), which is the activity behind the "Sent email" behavior above. The report records no other outbound connection on this VM.

3.1.3. Host Activity


Process Activity

Process Name - DW20.EXE

(command: C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE)
No activity recorded for this process. DW20.EXE is Microsoft Application Error Reporting (Dr. Watson 2.0), which the .NET runtime launches when a managed process terminates with an unhandled exception. Its creation as the last event in the timeline below indicates that sample.exe crashed rather than exited cleanly, so the recorded behavior may not reflect everything the sample would do on a host where it runs to completion.

Process Name - sample.exe

(command: C:\Documents and Settings\Administrator\sample.exe)

Process Activity

Child Process Action

C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE,dw20.exe -x -s 800 Create

File Activity

File | Action | Size(B) | File Type | Hash

C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT | Create | 68456 | unknown |
  md5:4e23b28b044f3520001b6884ffade551
  sha1:c27a2b9dc5179af2704e08b5beafd0c382680263
  sha256:4d7a5a7e37198e22bdd872d332d07227e28b92f1483893dc38c54c6dccd61f0e

Registry Activity

Registry Key | Value | Action

\REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData | C:\Documents and Settings\Administrator\Application Data | Set

\REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files | Set

\REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData | C:\Documents and Settings\Administrator\Local Settings\Application Data | Set

\REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\GDIPlus\FontCachePath | C:\Documents and Settings\Administrator\Local Settings\Application Data | Set

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | C:\Documents and Settings\Administrator\Local Settings\Application Data | Create

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | C:\Documents and Settings\Administrator\Local Settings\Application Data | Create

HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default | C:\Documents and Settings\Administrator\Local Settings\Application Data | Create

HKEY_CURRENT_USER\Software\Microsoft\GDIPlus | C:\Documents and Settings\Administrator\Local Settings\Application Data | Create

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | C:\Documents and Settings\Administrator\Local Settings\Application Data | Create

Created Mutexes

Mutex Name

CTF.LBES.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500

CTF.Compart.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500

CTF.Asm.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500

CTF.Layouts.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500

CTF.TMD.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500

CTF.TimListCache.FMPDefaultS-1-5-21-515967899-776561741-1417001333-500MUTEX.DefaultS-1-5-21-515967899-776561741-1417001333-500

Global\.net data provider for sqlserver

Global\.net data provider for oracle

Global\.net clr networking

Event Timeline

1 Created Process C:\Documents and Settings\Administrator\sample.exe

2 Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData to value C:\Documents and Settings\Administrator\Application Data

3 Created mutex CTF.LBES.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500

4 Created mutex CTF.Compart.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500

5 Created mutex CTF.Asm.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500

6 Created mutex CTF.Layouts.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500

7 Created mutex CTF.TMD.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500

8 Created mutex CTF.TimListCache.FMPDefaultS-1-5-21-515967899-776561741-1417001333-500MUTEX.DefaultS-1-5-21-515967899-776561741-1417001333-500

9 Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache to value C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files

10 Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData to value C:\Documents and Settings\Administrator\Local Settings\Application Data

11 Created file C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

12 Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\GDIPlus\FontCachePath to value C:\Documents and Settings\Administrator\Local Settings\Application Data

13 Created mutex Global\.net data provider for sqlserver

14 Created mutex Global\.net data provider for sqlserver

15 Created mutex Global\.net data provider for sqlserver

16 Created mutex Global\.net data provider for sqlserver

17 Created mutex Global\.net data provider for sqlserver

18 Created mutex Global\.net data provider for sqlserver

19 Created mutex Global\.net data provider for sqlserver

20 Created mutex Global\.net data provider for sqlserver

21 Created mutex Global\.net data provider for sqlserver

22 Created mutex Global\.net data provider for sqlserver

23 Created mutex Global\.net data provider for sqlserver

24 Created mutex Global\.net data provider for oracle

25 Created mutex Global\.net data provider for oracle

26 Created mutex Global\.net data provider for oracle

27 Created mutex Global\.net data provider for oracle

28 Created mutex Global\.net data provider for oracle

29 Created mutex Global\.net data provider for oracle

30 Created mutex Global\.net data provider for oracle

31 Created mutex Global\.net data provider for oracle

32 Created mutex Global\.net data provider for oracle

33 Created mutex Global\.net data provider for oracle

34 Created mutex Global\.net data provider for oracle

35 Created mutex Global\.net clr networking

36 Created mutex Global\.net clr networking

37 Created mutex Global\.net clr networking

38 Created mutex Global\.net clr networking

39 Created mutex Global\.net clr networking

40 Created mutex Global\.net clr networking

41 Created mutex Global\.net clr networking

42 Created mutex Global\.net clr networking

43 Created mutex Global\.net clr networking

44 Created mutex Global\.net clr networking

45 Created mutex Global\.net clr networking

46 Created Process C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE

3.2. VM2 (Windows 7 x64 SP1, Adobe Reader 11, Flash 11, Office 2010)

3.2.1. Behavioral Summary

This sample was found to be malware on this virtual machine.

Behavior Severity

Created or modified a file
Legitimate software creates or modifies files to preserve data across system restarts. Malware may create or modify files to deliver malicious payloads or maintain persistence on a system.

Started a process
A process running on the system may start additional processes to perform actions in the background. This behavior is common to legitimate software as well as malware.

Sample tries to access the generic query interface to the DNS namespace (the Windows DnsQuery API).

Modified the Windows Registry
The Windows Registry houses system configuration settings and options, including information about installed applications, services, and drivers. Malware often modifies registry data to establish persistence on the system and avoid detection.

Attempted to sleep for a long period
Malware analysis environments have a limited amount of time in which to execute code and deliver a verdict. To subvert this process, malware often delays execution, or "sleeps," for a long period, allowing it to avoid detection.

Sent email
A common goal of malware is to send spam or emails with malicious attachments, allowing it to spread beyond, or move laterally within, the network.

3.2.2. Network Activity

DNS Queries

Domain Name          Query Type   DNS Response
mail.apj.org.pe      A            190.12.76.45
apj.org.pe           NS           ns2.opticalip.com.pe
apj.org.pe           NS           ns1.opticalip.com.pe
dns.msftncsi.com     A            131.107.255.255
dns.msftncsi.com     AAAA         fd3e:4f5a:5b81::1
msftncsi.com         NS           ns1-205.azure-dns.com
msftncsi.com         NS           ns2-205.azure-dns.net
msftncsi.com         NS           ns3-205.azure-dns.org
msftncsi.com         NS           ns4-205.azure-dns.info

Connections

Host            Port   Protocol   Country
190.12.76.45    25     TCP        PE

The msftncsi.com lookups are Windows' Network Connectivity Status Indicator probe and are generated by the operating system, not by the sample; they should not be treated as indicators. The sample-attributable activity is the same as on VM1: resolution of mail.apj.org.pe and a TCP/25 (SMTP) connection to 190.12.76.45.
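The network activity recorded on both VMs reduces to two indicators: a DNS answer for mail.apj.org.pe and a direct TCP/25 session from the infected host to 190.12.76.45. The following is an added example of detection logic for that pattern, written for this page and not part of the WildFire report. It reads constructed log lines in a simplified Zeek dns.log / conn.log column order, flags lookups of the indicator domain, flags SMTP sessions originating from hosts that are not designated mail relays, and correlates a connection with the DNS answer that produced its destination address. The column layout, the MAIL_RELAYS allowlist, the 300-second correlation window, and the decision to treat the apex domain apj.org.pe (and any subdomain) as the indicator are assumptions for illustration; the domain, IP and port come from the report.

```python
"""Detection logic for the network behavior in this report: a workstation resolving
mail.apj.org.pe and opening a direct TCP/25 session to 190.12.76.45.

Added example, not part of the WildFire report. Log lines are constructed in a
simplified Zeek dns.log / conn.log column order; the layout, MAIL_RELAYS, the
correlation window and the apex-domain indicator are assumptions.
"""
from collections import defaultdict

IOC_DOMAINS = {"apj.org.pe"}        # assumed: apex and all subdomains are indicators
IOC_IPS = {"190.12.76.45"}          # from the report's Connections table
MAIL_RELAYS = {"10.0.0.25"}         # assumed: only hosts allowed to speak SMTP outbound
DNS_WINDOW_S = 300.0                # assumed: how long a DNS answer stays linked to a flow

# Constructed dns.log: ts, uid, orig_h, orig_p, resp_h, resp_p, query, qtype, answer
# (dns.msftncsi.com is the Windows connectivity probe and must not fire.)
DNS_LOG = """\
1627428002.100\tC1\t10.0.0.15\t51000\t10.0.0.1\t53\tmail.apj.org.pe\tA\t190.12.76.45
1627428002.200\tC2\t10.0.0.15\t51001\t10.0.0.1\t53\tdns.msftncsi.com\tA\t131.107.255.255
1627428002.300\tC3\t10.0.0.15\t51002\t10.0.0.1\t53\tapj.org.pe\tNS\tns1.opticalip.com.pe
"""
# Constructed conn.log: ts, uid, orig_h, orig_p, resp_h, resp_p, proto
# (C5 is the designated relay doing legitimate SMTP; C6 is ordinary HTTP.)
CONN_LOG = """\
1627428003.000\tC4\t10.0.0.15\t49152\t190.12.76.45\t25\ttcp
1627428010.000\tC5\t10.0.0.25\t49153\t203.0.113.10\t25\ttcp
1627428011.000\tC6\t10.0.0.15\t49154\t131.107.255.255\t80\ttcp
"""


def parse_dns(text):
    """Parse the simplified dns.log format into dicts."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, src, _sp, _dns_h, _dns_p, query, qtype, answer = line.split("\t")
        rows.append({"ts": float(ts), "uid": uid, "src": src,
                     "query": query.lower(), "qtype": qtype, "answer": answer})
    return rows


def parse_conn(text):
    """Parse the simplified conn.log format into dicts."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, src, _sp, dst, dport, proto = line.split("\t")
        rows.append({"ts": float(ts), "uid": uid, "src": src, "dst": dst,
                     "dport": int(dport), "proto": proto})
    return rows


def is_ioc_domain(name):
    """True for the indicator apex itself or any label below it."""
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def detect(dns_rows, conn_rows):
    """Return one alert per suspicious DNS query or connection, in log order."""
    alerts = []
    resolved = defaultdict(list)   # (client, answer_ip) -> [(ts, domain)]
    for r in dns_rows:
        if r["qtype"] in ("A", "AAAA"):
            resolved[(r["src"], r["answer"])].append((r["ts"], r["query"]))
        if is_ioc_domain(r["query"]):
            alerts.append({"uid": r["uid"], "reasons": ["ioc_domain_lookup"],
                           "detail": f'{r["src"]} {r["qtype"]} {r["query"]} -> {r["answer"]}'})
    for c in conn_rows:
        reasons = []
        if c["dst"] in IOC_IPS:
            reasons.append("ioc_ip")
        if c["proto"] == "tcp" and c["dport"] == 25 and c["src"] not in MAIL_RELAYS:
            reasons.append("direct_smtp_from_non_relay")
        # Tie the flow back to the DNS answer that supplied its destination.
        for ts, domain in resolved.get((c["src"], c["dst"]), []):
            if 0 <= c["ts"] - ts <= DNS_WINDOW_S and is_ioc_domain(domain):
                reasons.append("resolved_via:" + domain)
        if reasons:
            alerts.append({"uid": c["uid"], "reasons": reasons,
                           "detail": f'{c["src"]} -> {c["dst"]}:{c["dport"]}/{c["proto"]}'})
    return alerts


def run():
    """Apply the rules to the constructed logs."""
    return detect(parse_dns(DNS_LOG), parse_conn(CONN_LOG))


if __name__ == "__main__":
    for a in run():
        print(a["uid"], "+".join(a["reasons"]), a["detail"])
```

The relay allowlist is what makes the SMTP rule usable on a real network: workstations have no business speaking to an arbitrary external port 25, while the mail relay does so constantly. The DNS correlation is what separates this sample's traffic from unrelated connections to the same address space, and it is also why the NS records for the apex are worth keeping in the indicator set even though only the A record yields a connectable address.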

3.2.3. Host Activity
Process Activity

Process Name - dw20.exe

(command: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe)
No activity recorded for this process. This is the .NET Framework's copy of Microsoft Application Error Reporting, launched by the CLR after an unhandled exception in a managed process; its path under Framework64\v2.0.50727 indicates that sample.exe is a .NET executable, and its creation as the final event means the sample crashed on this VM as well.

Process Name - sample.exe

(command: C:\Users\Administrator\sample.exe)

Process Activity

Child Process Action

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe,dw20.exe -x -s 192 Create

File Activity

File | Action | Size(B) | File Type | Hash

C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT | Create | 108840 | unknown |
  md5:97d492b140588aeb62f229bd889f9cd1
  sha1:2c03e725082f659f6fc2c2cbe6dd2f764383fddf
  sha256:4b1c3959300a9019199f8f6de51844741be95e5461b0b187e23f65d2096515b2

Registry Activity

Registry Key | Value | Action

HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default | | Create

Created Mutexes

Mutex Name

Global\.net data provider for sqlserver

Global\.net data provider for oracle

Global\.net clr networking

Event Timeline

1 Created Process C:\Users\Administrator\sample.exe

2 Created file C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT

3 Created mutex Global\.net data provider for sqlserver

4 Created mutex Global\.net data provider for sqlserver

5 Created mutex Global\.net data provider for sqlserver

6 Created mutex Global\.net data provider for sqlserver

7 Created mutex Global\.net data provider for sqlserver

8 Created mutex Global\.net data provider for sqlserver

9 Created mutex Global\.net data provider for sqlserver

10 Created mutex Global\.net data provider for sqlserver

11 Created mutex Global\.net data provider for sqlserver

12 Created mutex Global\.net data provider for sqlserver

13 Created mutex Global\.net data provider for sqlserver

14 Created mutex Global\.net data provider for oracle

15 Created mutex Global\.net data provider for oracle

16 Created mutex Global\.net data provider for oracle

17 Created mutex Global\.net data provider for oracle

18 Created mutex Global\.net data provider for oracle

19 Created mutex Global\.net data provider for oracle

20 Created mutex Global\.net data provider for oracle

21 Created mutex Global\.net data provider for oracle

22 Created mutex Global\.net data provider for oracle

23 Created mutex Global\.net data provider for oracle

24 Created mutex Global\.net data provider for oracle

25 Created mutex Global\.net clr networking

26 Created mutex Global\.net clr networking

27 Created mutex Global\.net clr networking

28 Created mutex Global\.net clr networking

29 Created mutex Global\.net clr networking

30 Created mutex Global\.net clr networking

31 Created mutex Global\.net clr networking

32 Created mutex Global\.net clr networking

33 Created mutex Global\.net clr networking

34 Created mutex Global\.net clr networking

35 Created mutex Global\.net clr networking

36 Created Process C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe
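Almost everything in the two host-activity sections is runtime noise rather than sample behavior: the CTF.* mutexes are created by the Text Services Framework (msctf.dll) in any process that loads it, the three Global\.net mutexes are created by the .NET Framework when System.Data and System.Net initialize their performance counters, GDIPFONTCACHEV1.DAT is the GDI+ font cache, the Shell Folders / User Shell Folders keys are shell folder lookups, and the Fusion, GDIPlus and Tcpip\Parameters keys are read by the assembly loader, GDI+ and the sockets layer respectively. The event timelines also repeat each mutex creation ten or more times. The following is an added triage helper written for this page, not part of the WildFire report or of any Palo Alto Networks tool: it parses timeline lines in the report's format, collapses consecutive repeats, labels known runtime artifacts with the reason they are noise, and flags the dw20.exe launch as a crash indicator so the reviewer knows the run was cut short. The TIMELINE input is a constructed excerpt mixing events from both VMs plus one made-up mutex name (Global\constructed-example-mutex) to show an unrecognized artifact passing through to review; the NOISE_RULES patterns are this example's own.

```python
"""Triage helper for WildFire-style event timelines.

Added example, not part of the WildFire report. TIMELINE is a constructed
excerpt of this report's two timelines plus one made-up mutex name; the noise
rules are this example's own classification of well-known runtime artifacts.
"""
import re
from itertools import groupby

TIMELINE = r"""
1 Created Process C:\Users\Administrator\sample.exe
2 Created file C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
3 Created mutex Global\.net data provider for sqlserver
4 Created mutex Global\.net data provider for sqlserver
5 Created mutex Global\.net data provider for oracle
6 Created mutex Global\.net clr networking
7 Created mutex CTF.LBES.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
8 Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData to value C:\Documents and Settings\Administrator\Application Data
9 Created mutex Global\constructed-example-mutex
10 Created Process C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe
"""

EVENT_RE = re.compile(r"^\d+\s+(Created Process|Created file|Created mutex|Set key)\s+(.*)$")

# (artifact kind, pattern, why it is not attributable to the sample)
NOISE_RULES = [
    ("mutex", re.compile(r"^CTF\.", re.I),
     "Text Services Framework (msctf) mutex, created in any process that loads it"),
    ("mutex", re.compile(r"^Global\\\.net (data provider for (sqlserver|oracle)|clr networking)$", re.I),
     ".NET Framework performance-counter mutex (System.Data / System.Net)"),
    ("file", re.compile(r"\\GDIPFONTCACHEV1\.DAT$", re.I),
     "GDI+ font cache, written on first GDI+ use"),
    ("regkey", re.compile(r"\\Explorer\\(User )?Shell Folders", re.I),
     "shell folder lookup (SHGetFolderPath)"),
    ("regkey", re.compile(r"\\GDIPlus(\\FontCachePath)?$", re.I),
     "GDI+ font cache location"),
    ("regkey", re.compile(r"\\Fusion\\GACChangeNotification", re.I),
     ".NET assembly loader (Fusion) GAC change notification"),
    ("regkey", re.compile(r"\\Services\\Tcpip\\Parameters$", re.I),
     "TCP/IP parameters read by the sockets layer"),
]
CRASH_REPORTER = re.compile(r"\\dw20\.exe$", re.I)   # Microsoft Application Error Reporting


def parse_timeline(text):
    """Turn report lines into (kind, target, value) tuples, in order."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        action, rest = m.groups()
        if action == "Set key":
            key, _, value = rest.partition(" to value ")
            events.append(("regkey", key, value))
        elif action == "Created Process":
            events.append(("process", rest, None))
        elif action == "Created file":
            events.append(("file", rest, None))
        else:
            events.append(("mutex", rest, None))
    return events


def collapse(events):
    """Merge consecutive identical events into one entry with a count."""
    return [(k, t, v, sum(1 for _ in grp)) for (k, t, v), grp in groupby(events)]


def classify(kind, target):
    """Return the noise reason for a known runtime artifact, else None."""
    for rule_kind, rx, why in NOISE_RULES:
        if rule_kind == kind and rx.search(target):
            return why
    return None


def triage(text):
    """Split a timeline into runtime noise and artifacts worth a human look."""
    result = {"noise": [], "review": [], "crashed": False}
    for kind, target, value, count in collapse(parse_timeline(text)):
        if kind == "process" and CRASH_REPORTER.search(target):
            result["crashed"] = True   # error reporter launched: sample died on an exception
        entry = {"kind": kind, "target": target, "value": value, "count": count}
        why = classify(kind, target)
        if why:
            entry["why"] = why
            result["noise"].append(entry)
        else:
            result["review"].append(entry)
    return result


if __name__ == "__main__":
    r = triage(TIMELINE)
    print("crashed:", r["crashed"])
    for e in r["review"]:
        print("REVIEW", e["kind"], e["target"], f"x{e['count']}")
    for e in r["noise"]:
        print("noise ", e["kind"], e["target"], f"x{e['count']}", "-", e["why"])
```

Applied to this report, the review list for either VM holds only sample.exe itself and the dw20.exe crash reporter, which is the practical point: none of the recorded mutexes, files or registry keys is usable as an indicator for this sample, and the crash flag says the sandbox never observed the post-initialization behavior that the SMTP connection in the network section belongs to. Noise rules like these should be matched on the artifact kind as well as the name, since a sample that deliberately names its own mutex after a runtime artifact would otherwise be hidden by the filter.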
