- Process Explorer
- Malcode Analyst Pack
1. What are this malware’s imports and strings?
The malware seems to be obfuscated.
Check the strings.
2. What are the malware’s host-based indicators?
Start up Process Explorer, ProcMon and ApateDNS, then execute the malware.
In Process Explorer's lower pane, switch to the Handles view: a mutant (mutex) created by the malware is found.
Switching the lower pane to the DLL view shows the following additional DLLs loaded.
In ProcMon, filter on the malware's process and add Operation filters for WriteFile and RegSetValue.
The malware writes a file called vm32to64.exe whose bytes are identical to the malware itself (a copy of the sample).
A registry value is set to run the malware file.
The malware then tries to connect to a web server and sends the following data.
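The same host-based indicator hunt can be repeated offline against a ProcMon CSV export instead of clicking through the GUI. The script below is an added example, not part of the original write-up: it applies the write-up's WriteFile / RegSetValue filter to a constructed ProcMon export (the process name `malware.exe`, PIDs, timestamps, the Run-key value name and all file paths are made-up placeholders; only the dropped file name vm32to64.exe comes from the write-up), lists the files written and registry values set, and checks whether a dropped file is byte-for-byte identical to the sample, which is how the write-up recognises vm32to64.exe as a copy of the malware.

```python
import csv
import hashlib
import io

# Constructed ProcMon CSV export using ProcMon's default export columns.
# Process name, PIDs, times, the Run-key value name and all paths are
# placeholders; vm32to64.exe is the dropped file name from the write-up.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0001","malware.exe","1234","Load Image","C:\Windows\System32\ws2_32.dll","SUCCESS","Image Base: 0x75000000, Image Size: 0x36000"
"10:02:11.0042","malware.exe","1234","CreateFile","C:\Windows\System32\vm32to64.exe","SUCCESS","Desired Access: Generic Write"
"10:02:11.0043","malware.exe","1234","WriteFile","C:\Windows\System32\vm32to64.exe","SUCCESS","Offset: 0, Length: 7,168"
"10:02:11.0050","malware.exe","1234","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VMwareSvc","SUCCESS","Type: REG_SZ, Length: 66, Data: C:\Windows\System32\vm32to64.exe"
"10:02:11.0060","malware.exe","1234","WriteFile","C:\Users\analyst\AppData\Local\Temp\tmp1.dat","ACCESS DENIED","Offset: 0, Length: 16"
"10:02:12.0001","explorer.exe","800","WriteFile","C:\Users\analyst\NTUSER.DAT","SUCCESS","Offset: 0, Length: 4,096"
'''


def procmon_host_indicators(csv_text, process_name):
    """Return the successful WriteFile paths and RegSetValue events recorded
    for process_name: the same Process Name + Operation filter the write-up
    applies in the ProcMon GUI, but over an exported CSV."""
    files_written = []
    registry_set = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Ignore other processes and failed operations (e.g. ACCESS DENIED).
        if row["Process Name"] != process_name or row["Result"] != "SUCCESS":
            continue
        if row["Operation"] == "WriteFile":
            if row["Path"] not in files_written:
                files_written.append(row["Path"])
        elif row["Operation"] == "RegSetValue":
            registry_set.append((row["Path"], row["Detail"]))
    return {"files_written": files_written, "registry_set": registry_set}


def run_key_targets(indicators):
    """Pull the executable path out of each RegSetValue Detail string.
    ProcMon formats it as 'Type: REG_SZ, Length: N, Data: <value>'."""
    targets = []
    for path, detail in indicators["registry_set"]:
        if "Data: " in detail:
            targets.append((path, detail.split("Data: ", 1)[1]))
    return targets


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def is_self_copy(original_bytes, dropped_bytes):
    """True when the dropped file has exactly the same bytes as the sample,
    i.e. the malware copied itself (as with vm32to64.exe in the write-up)."""
    return sha256_hex(original_bytes) == sha256_hex(dropped_bytes)


if __name__ == "__main__":
    ind = procmon_host_indicators(SAMPLE_PROCMON_CSV, "malware.exe")
    print("Files written:")
    for p in ind["files_written"]:
        print("  ", p)
    print("Persistence entries (registry path -> executable):")
    for key, exe in run_key_targets(ind):
        print("  ", key, "->", exe)
    # Constructed stand-ins for the sample and the dropped file on disk.
    sample = b"MZ" + b"\x90" * 100
    dropped = b"MZ" + b"\x90" * 100
    print("Dropped file is a copy of the sample:", is_self_copy(sample, dropped))
```

In practice you would replace `SAMPLE_PROCMON_CSV` with the text of a real `File > Save` CSV export from ProcMon and read the sample and dropped file from disk; comparing SHA-256 digests rather than eyeballing bytes in a hex viewer gives a definite answer and a hash you can record as an indicator.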