lab-03-1.md

This post is part of the series of Practical Malware Analysis Exercises.

1) Imports and Strings?

No suggestive imports. Only import is Kernel32.ExitProcess.

String hints:

1. Some strings are suggestive of other libraries being used (ws2_32, ntdll, user32, advapi32).
2. The advapi32 and registry key strings indicate registry modifications.
3. The CurrentVersion\Run registry key indicates that something new will start with Windows.
4. The string vmx32to64.exe points to a possible malicious executable.
5. A URL there is a possibly used for exfiltration, downloads, or calling home.

Imports

kernel32.dll

1. ExitProcess

Strings

ws2_32
CONNECT %s:%i HTTP/1.0
advapi32
ntdll
user32
advpack
SOFTWARE\Classes\http\shell\open\commandV
Software\Microsoft\Active Setup\Installed Components\
test
www.practicalmalwareanalysis.com
admin
VideoDriver
WinVMX32-
vmx32to64.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell
Folders
AppData

2) Host Based Indicators?

• File: C:\WINDOWS\System32\vmx32to64.exe (d537acb8f56a1ce206bc35cf8ff959c0)
• Registry Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoDriver

Copied itself to system32 as vmx32to64.exe. Hashes match (d537acb8f56a1ce206bc35cf8ff959c0). Created a registry entry in CurrentVersion\Run for the created file, so it starts at boot.

3) Network Based Indicators?

• URL: www.practicalmalwareanalysis.com

Regular DNS queries to www.practicalmalwareanalysis.com. Once responded, repeatedly tries to connect via 443/tcp (https). inetsim says that it is receiving an unknown protocol. Custom authored?