Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Wind0ws7l0aderV3.4875.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.902132269958546
Filename:	Wind0ws7l0aderV3.4875.exe
Filesize:	4612608
MD5:	9631809ff9e66cc5809e51e2929dfbe8
SHA1:	4ee1085393d94978fc17b1453517f0aa7f40b8a3
SHA256:	c88140bcf066a56fb1d067ab538f7f7a9b39190b955ba370ffdf91cbcbf02583
SHA512:	3e350e41e7a86756438762c0a6772e5781757bb941e8c88c58238e1f19e15a3eb743301119050b30476d69bc68568a0bad1cdd4560f1ecac2cf4c0c72c9d77d1
SSDEEP:	98304:k8sjkFhRWieWT0ywsagZ9VeXD3qJJXg2cMUGZWh:2jyhRPeWvnzwrivWh
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Drops PE files	Persistence and Installation Behavior
Found evasive API chain (may stop execution after checking a module file name)	Malware Analysis System Evasion
Found large amount of non-executed APIs	Malware Analysis System Evasion	System Time Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses 32bit PE files	Compliance, System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\WindowsLoader.exe
Category:	dropped
Dump:	WindowsLoader.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy:	6.7402573000786825
Encrypted:	false
Ssdeep:	49152:cEYCFEvlmOmTgtFM3uK5m3imrHuiff+puWV355FXw/+zuWV355FXw/+DuWV355FP:cEYzEFTgtFM3ukm3imPnt
Size:	4021049
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to automate explorer (e.g. start an application)	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for dropped file	AV Detection
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to launch a control a shell (cmd.exe)	Remote Access Functionality	Command and Scripting Interpreter
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Windows Management Instrumentation
Queries the product ID of Windows	Language, Device and Operating System Detection	System Information Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Program exit points	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Spawns processes	System Summary	Process Injection
Uses an in-process (OLE) Automation server	System Summary
Executable creates window controls seldom found in malware	System Summary
Uses Rich Edit Controls	System Summary

C:\Users\user\AppData\Local\Temp\aut2507.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut2507.tmp
Category:	dropped
Dump:	aut2507.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe
Type:	data
Entropy:	7.908466865020099
Encrypted:	false
Ssdeep:	49152:3h1opoI7NgzPKvrw8YUUPzXKVZEX+Cs0frmDzPTi:x1opLNgR8YD7Co+Cs4OzPTi
Size:	2010518
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe

Details

Is windows:	false
Is dropped:	false
PID:	7520
Target ID:	0
Parent PID:	2580
Name:	Wind0ws7l0aderV3.4875.exe
Path:	C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe
Commandline:	C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe
Size:	4612608
MD5:	9631809FF9E66CC5809E51E2929DFBE8
Time:	20:10:53
Date:	12/02/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x6e0000
Modulesize:	4640768
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Details

Is windows:	false
Is dropped:	true
PID:	7536
Target ID:	1
Parent PID:	7520
Name:	WindowsLoader.exe
Path:	C:\Users\user\AppData\Local\Temp\WindowsLoader.exe
Commandline:	C:\Users\user\AppData\Local\Temp\WindowsLoader.exe
Size:	4021049
MD5:	323C0FD51071400B51EEDB1BE90A8188
Time:	20:10:54
Date:	12/02/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	2240512
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

Memdumps

Base Address

Regiontype

Protect

Malicious

6E1000

unkown

page execute read

6C7000

heap

page read and write

26B7000

direct allocation

page readonly

8CA000

heap

page read and write

348F000

stack

page read and write

26E0000

direct allocation

page read and write

79E000

unkown

page read and write

145E000

heap

page read and write

630000

heap

page read and write

938000

heap

page read and write

144E000

heap

page read and write

8C0000

heap

page read and write

5C4000

unkown

page execute and read and write

29DE000

heap

page read and write

53D2000

heap

page read and write

269B000

direct allocation

page read and write

5FA000

unkown

page execute and read and write

61C000

unkown

page read and write

58B000

unkown

page execute and write copy

9A8000

heap

page read and write

540A000

heap

page read and write

1C2E000

stack

page read and write

2FD1000

heap

page read and write

948000

heap

page read and write

99A000

heap

page read and write

2707000

direct allocation

page read and write

610000

unkown

page execute and read and write

26F7000

direct allocation

page read and write

334F000

stack

page read and write

3906000

heap

page read and write

2701000

direct allocation

page execute read

3817000

heap

page read and write

310E000

stack

page read and write

270F000

direct allocation

page read and write

DA8000

direct allocation

page read and write

6E0000

unkown

page readonly

C40000

heap

page read and write

14A0000

heap

page read and write

3819000

heap

page read and write

29A6000

heap

page read and write

128E000

stack

page read and write

26D6000

direct allocation

page readonly

270B000

direct allocation

page read and write

2698000

direct allocation

page readonly

202E000

stack

page read and write

2140000

heap

page read and write

978000

heap

page read and write

617000

unkown

page execute and read and write

DA7000

direct allocation

page readonly

2730000

direct allocation

page execute and read and write

61A000

unkown

page execute and write copy

9AC000

heap

page read and write

400000

unkown

page readonly

927000

heap

page read and write

1463000

heap

page read and write

19B000

stack

page read and write

26FF000

direct allocation

page read and write

26D0000

direct allocation

page read and write

6A5000

heap

page read and write

958000

heap

page read and write

DAF000

direct allocation

page read and write

3816000

heap

page read and write

3811000

heap

page read and write

324E000

stack

page read and write

11BF000

stack

page read and write

6C0000

heap

page read and write

28FD000

heap

page read and write

6C5000

heap

page read and write

53DB000

heap

page read and write

10012000

direct allocation

page readonly

8CE000

heap

page read and write

2150000

heap

page read and write

10020000

direct allocation

page read and write

3904000

heap

page read and write

2720000

heap

page read and write

2691000

direct allocation

page execute read

9AB000

heap

page read and write

1451000

heap

page read and write

3800000

heap

page read and write

2FA3000

direct allocation

page read and write

2690000

direct allocation

page read and write

794000

unkown

page readonly

D60000

heap

page read and write

794000

unkown

page readonly

11CF000

stack

page read and write

10014000

direct allocation

page read and write

1430000

heap

page read and write

917000

heap

page read and write

1240000

heap

page read and write

144D000

heap

page read and write

6E0000

unkown

page readonly

145E000

heap

page read and write

26B0000

direct allocation

page read and write

6E1000

unkown

page execute read

1438000

heap

page read and write

2F90000

direct allocation

page read and write

DA1000

direct allocation

page execute read

509C000

heap

page read and write

5C2000

unkown

page execute and read and write

2710000

heap

page read and write

DC6000

heap

page read and write

76F000

unkown

page readonly

145E000

heap

page read and write

907000

heap

page read and write

1471000

heap

page read and write

7A2000

unkown

page write copy

14B0000

heap

page read and write

79E000

unkown

page write copy

2144000

heap

page read and write

12C0000

heap

page read and write

1490000

heap

page read and write

26A2000

direct allocation

page read and write

2A50000

heap

page read and write

26C1000

direct allocation

page read and write

320E000

stack

page read and write

BDA000

stack

page read and write

2FAE000

direct allocation

page read and write

26B1000

direct allocation

page execute read

7A7000

unkown

page readonly

2724000

heap

page read and write

145E000

heap

page read and write

1460000

heap

page read and write

29AF000

heap

page read and write

26D1000

direct allocation

page execute read

640000

heap

page read and write

7A7000

unkown

page readonly

145E000

heap

page read and write

61C000

unkown

page write copy

338E000

stack

page read and write

26B9000

direct allocation

page read and write

1420000

heap

page read and write

10001000

direct allocation

page execute read

26F1000

direct allocation

page execute read

76F000

unkown

page readonly

400000

unkown

page readonly

60A000

unkown

page execute and read and write

1451000

heap

page read and write

2FD0000

heap

page read and write

3832000

heap

page read and write

11DC000

stack

page read and write

26F5000

direct allocation

page readonly

30D0000

trusted library allocation

page read and write

DA0000

direct allocation

page read and write

370F000

stack

page read and write

382B000

heap

page read and write

28ED000

heap

page read and write

8A0000

heap

page read and write

26F0000

direct allocation

page read and write

2F91000

direct allocation

page execute read

26D8000

direct allocation

page read and write

6A0000

heap

page read and write

11FD000

stack

page read and write

3D3C000

heap

page read and write

DC0000

heap

page read and write

968000

heap

page read and write

1290000

heap

page read and write

360E000

stack

page read and write

5B0000

unkown

page execute and read and write

10000000

direct allocation

page read and write

3810000

heap

page read and write

95000

stack

page read and write

13DE000

stack

page read and write

401000

unkown

page execute and read and write

35CF000

stack

page read and write

2705000

direct allocation

page readonly

34CE000

stack

page read and write

2FA1000

direct allocation

page readonly

2700000

direct allocation

page read and write

There are 158 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Wind0ws7l0aderV3.4875.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportWind0ws7l0aderV3.4875.exe

Files

Processes

Memdumps

IOC Report
Wind0ws7l0aderV3.4875.exe