Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

XnUEBMnOEd.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.3793637809588075
Filename:	XnUEBMnOEd.exe
Filesize:	11776
MD5:	3cb61ce448a806e79ce88d06e992cc9d
SHA1:	0a5e460360364f1b5799df7a2168892c04156bca
SHA256:	c2dcdab49f620d41cdff93c58a50c760906ea2565001145564a1491defec08f4
SHA512:	4d36781c5986a89d3bea470341223245abbd5e71de8233f2b0a969f0a258dda908588efef34fb354684760c631acb723711108e58ec3d068222ffe692d121380
SSDEEP:	192:d6eQ8BFOXpVfXfGhegWJJfxMLkWScZqYSi/HB6U:d6eQ8nAnOgDTxMQWSc9/6U
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&.h.be..be..be..E.}.le..k...ae..be..+e..k...ce..k...we..k...ae..k...ce..Richbe..........PE..L......f...........................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Drops PE files to the user root directory	Boot Survival	Masquerading
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Machine Learning detection for sample	AV Detection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Creates files inside the user directory	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Might use command line arguments	System Summary
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Uses new MSVCR Dlls	Compliance, System Summary

C:\Users\user\winsvc.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\winsvc.exe
Category:	dropped
Dump:	winsvc.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\XnUEBMnOEd.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.3793637809588075
Encrypted:	false
Ssdeep:	192:d6eQ8BFOXpVfXfGhegWJJfxMLkWScZqYSi/HB6U:d6eQ8nAnOgDTxMQWSc9/6U
Size:	11776
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files to the user root directory	Boot Survival	Masquerading
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Native API
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Machine Learning detection for dropped file	AV Detection
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Program exit points	Malware Analysis System Evasion
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\XnUEBMnOEd.exe

"C:\Users\user\Desktop\XnUEBMnOEd.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6952
Target ID:	0
Parent PID:	2580
Name:	XnUEBMnOEd.exe
Path:	C:\Users\user\Desktop\XnUEBMnOEd.exe
Commandline:	"C:\Users\user\Desktop\XnUEBMnOEd.exe"
Size:	11776
MD5:	3CB61CE448A806E79CE88D06E992CC9D
Time:	10:47:46
Date:	28/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe60000
Modulesize:	28672
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Machine Learning detection for sample	AV Detection
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\winsvc.exe

Details

Is windows:	false
Is dropped:	true
PID:	5608
Target ID:	1
Parent PID:	6952
Name:	winsvc.exe
Path:	C:\Users\user\winsvc.exe
Commandline:	C:\Users\user\winsvc.exe
Size:	11776
MD5:	3CB61CE448A806E79CE88D06E992CC9D
Time:	10:47:51
Date:	28/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x840000
Modulesize:	28672
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files to the user root directory	Boot Survival	Masquerading
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates files inside the user directory	System Summary	Masquerading
Might use command line arguments	System Summary	Command and Scripting Interpreter
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Users\user\winsvc.exe

"C:\Users\user\winsvc.exe"

Details

Is windows:	false
Is dropped:	true
PID:	2484
Target ID:	2
Parent PID:	2580
Name:	winsvc.exe
Path:	C:\Users\user\winsvc.exe
Commandline:	"C:\Users\user\winsvc.exe"
Size:	11776
MD5:	3CB61CE448A806E79CE88D06E992CC9D
Time:	10:48:03
Date:	28/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x840000
Modulesize:	28672
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files to the user root directory	Boot Survival	Masquerading
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates files inside the user directory	System Summary	Masquerading
Might use command line arguments	System Summary	Command and Scripting Interpreter
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Users\user\winsvc.exe

"C:\Users\user\winsvc.exe"

Details

Is windows:	false
Is dropped:	true
PID:	5808
Target ID:	4
Parent PID:	2580
Name:	winsvc.exe
Path:	C:\Users\user\winsvc.exe
Commandline:	"C:\Users\user\winsvc.exe"
Size:	11776
MD5:	3CB61CE448A806E79CE88D06E992CC9D
Time:	10:48:11
Date:	28/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x840000
Modulesize:	28672
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files to the user root directory	Boot Survival	Masquerading
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates files inside the user directory	System Summary	Masquerading
Might use command line arguments	System Summary	Command and Scripting Interpreter
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

URLs

Name

Malicious

http://twizt.net

unknown

http://twizt.net/Installedp

unknown

http://twizt.net/lslut.exewinsvc.exeb

unknown

http://twizt.net3(

unknown

http://twizt.netS(

unknown

http://twizt.net/lslut.exewinsvc.exe

unknown

http://fuckput.in/N

unknown

http://twizt.net/

unknown

http://twizt.net/lslut.exeWA

unknown

http://twizt.net/lslut.e(

unknown

http://twizt.net/InstalledopenMozilla/5.0

unknown

http://twizt.net/lslut.exe_Al

unknown

http://twizt.net/lslut.exegB$

unknown

http://twizt.net/lslut.exe8-

unknown

http://twizt.net/lslut.e

unknown

http://twizt.net/lslut.exewinsvc.exen

unknown

http://twizt.net/lsl

unknown

http://twizt.net/lslut.exe_E

unknown

http://twizt.net/Installed

185.215.113.66

http://twizt.net/lslut.exe

185.215.113.66

http://twizt.net/lslut.exe%s:Zone.Identifier%userprofile%%s

unknown

http://fuckput.in/

unknown

There are 12 hidden URLs, click here to show them.

Domains

Name

Malicious

twizt.net

185.215.113.66

Details

Name:	twizt.net
IP:	185.215.113.66
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

185.215.113.66

twizt.net

Portugal

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Windows Service

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	Windows Service
Value data:	C:\Users\user\winsvc.exe

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

37DF000

stack

page read and write

172E000

stack

page read and write

580000

heap

page read and write

BE0000

heap

page read and write

841000

unkown

page execute read

841000

unkown

page execute read

30BE000

stack

page read and write

303E000

stack

page read and write

570000

heap

page read and write

339F000

stack

page read and write

845000

unkown

page readonly

843000

unkown

page readonly

17AD000

stack

page read and write

359F000

stack

page read and write

841000

unkown

page execute read

11E8000

heap

page read and write

F7E000

stack

page read and write

176E000

stack

page read and write

BBB000

heap

page read and write

155F000

stack

page read and write

F6A000

stack

page read and write

AC5000

heap

page read and write

11AC000

heap

page read and write

A90000

heap

page read and write

113E000

stack

page read and write

2DFD000

stack

page read and write

FEE000

stack

page read and write

E60000

unkown

page readonly

94E000

stack

page read and write

843000

unkown

page readonly

39C000

stack

page read and write

50C000

stack

page read and write

FAD000

stack

page read and write

12F6000

stack

page read and write

2F3D000

stack

page read and write

9A8000

heap

page read and write

840000

unkown

page readonly

2EFD000

stack

page read and write

159E000

stack

page read and write

2CBE000

stack

page read and write

843000

unkown

page readonly

11A6000

heap

page read and write

845000

unkown

page readonly

2C7E000

stack

page read and write

1450000

heap

page read and write

1440000

heap

page read and write

830000

heap

page read and write

BEA000

heap

page read and write

843000

unkown

page readonly

156E000

stack

page read and write

2DBF000

stack

page read and write

6FB000

stack

page read and write

AC0000

heap

page read and write

1025000

heap

page read and write

381D000

stack

page read and write

94A000

stack

page read and write

9A0000

heap

page read and write

700000

heap

page read and write

391E000

stack

page read and write

E65000

unkown

page readonly

FE0000

heap

page read and write

C40000

heap

page read and write

FD0000

heap

page read and write

841000

unkown

page execute read

11C2000

heap

page read and write

1600000

heap

page read and write

840000

unkown

page readonly

98E000

stack

page read and write

E60000

unkown

page readonly

12FB000

stack

page read and write

B8A000

heap

page read and write

369C000

stack

page read and write

820000

heap

page read and write

F6C000

stack

page read and write

17B0000

heap

page read and write

845000

unkown

page readonly

BD0000

heap

page read and write

6F6000

stack

page read and write

349F000

stack

page read and write

843000

unkown

page readonly

B6C000

stack

page read and write

E65000

unkown

page readonly

81D000

stack

page read and write

946000

stack

page read and write

840000

unkown

page readonly

E61000

unkown

page execute read

A20000

heap

page read and write

F90000

heap

page read and write

840000

unkown

page readonly

15EE000

stack

page read and write

B8E000

heap

page read and write

E61000

unkown

page execute read

1170000

heap

page read and write

A8E000

stack

page read and write

BCF000

heap

page read and write

E63000

unkown

page readonly

1608000

heap

page read and write

840000

unkown

page readonly

841000

unkown

page execute read

845000

unkown

page readonly

B9F000

stack

page read and write

1620000

heap

page read and write

845000

unkown

page readonly

11DB000

heap

page read and write

840000

unkown

page readonly

136E000

stack

page read and write

117E000

heap

page read and write

117A000

heap

page read and write

BD0000

heap

page read and write

140E000

stack

page read and write

F66000

stack

page read and write

2F9F000

stack

page read and write

B4E000

stack

page read and write

15C0000

heap

page read and write

841000

unkown

page execute read

1000000

heap

page read and write

1020000

heap

page read and write

845000

unkown

page readonly

36DE000

stack

page read and write

15AE000

stack

page read and write

31BE000

stack

page read and write

146E000

stack

page read and write

E63000

unkown

page readonly

B80000

heap

page read and write

843000

unkown

page readonly

E3E000

stack

page read and write

There are 116 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
XnUEBMnOEd.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportXnUEBMnOEd.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
XnUEBMnOEd.exe