Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

qZJOfO5jjs.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.745431910288955
Filename:	qZJOfO5jjs.exe
Filesize:	3432448
MD5:	1938aba4971fdbe17cccaaebcd1a23b4
SHA1:	eee4b6f8b67887aba9cdcb1927497e0dded055c8
SHA256:	8e753a0bba630ae58d01e1553c4b0b0fe1a2a0011843f5fc0705a04e82fbe3eb
SHA512:	4565dddfd3fe581a0b3c62f8aff2366f3b8c89ba180e5285a32161d0b412c7b961a1e00619e812ea85c908542d0ef110c9824bdea22f41658d08854cbc298ef8
SSDEEP:	49152:o/5kQeKps4IuPilPyGo97uTfzfoDXm17k:EktKpsSPilPgMC
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......R..s..t ..t ..t y.. ..t y.~ ..t ..z :.t m.x ..t @.g :.t t.g ..t ..u ..t ..) ..t .~ ..t .. y.t ... f.t ..~ ..t ..t #.t ..r ..t

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging	Security Software Discovery
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Masquerading Application Window Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to launch a control a shell (cmd.exe)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Deletes files inside the Windows folder	System Summary	File Deletion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior	Security Software Discovery
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
Sample file is different than original file name gathered from version info	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Security Software Discovery Process Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary
Sample reads its own file content	System Summary
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary
Found window with many clickable UI elements (buttons, textforms, scrollbars etc)	System Summary
Executable creates window controls seldom found in malware	System Summary

C:\Users\user\Desktop\myd3d.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\Desktop\myd3d.dll
Category:	dropped
Dump:	myd3d.dll.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\qZJOfO5jjs.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	4.009897656071835
Encrypted:	false
Ssdeep:	384:4GhcbAvTftjTQCmPn20fsV6ds8L7DS8MLl3jyoWX/T2uF+cA/8o7AASre+dEl:4JcvT1jcD+cds8LCdjg/T2t/8o7ot
Size:	45056
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\qZJOfO5jjs.exe

"C:\Users\user\Desktop\qZJOfO5jjs.exe"

Details

Is windows:	true
Is dropped:	false
PID:	360
Target ID:	0
Parent PID:	1028
Name:	qZJOfO5jjs.exe
Path:	C:\Users\user\Desktop\qZJOfO5jjs.exe
Commandline:	"C:\Users\user\Desktop\qZJOfO5jjs.exe"
Size:	3432448
MD5:	1938ABA4971FDBE17CCCAAEBCD1A23B4
Time:	17:29:36
Date:	28/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	3772416
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c netsh advfirewall firewall delete rule name="benshan"

Details

Is windows:	true
Is dropped:	false
PID:	6112
Target ID:	2
Parent PID:	360
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd.exe /c netsh advfirewall firewall delete rule name="benshan"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	17:29:38
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x790000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Contains functionality to launch a control a shell (cmd.exe)	Remote Access Functionality	Command and Scripting Interpreter
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall delete rule name="benshan"

Details

Is windows:	true
Is dropped:	false
PID:	2296
Target ID:	4
Parent PID:	6112
Name:	netsh.exe
Path:	C:\Windows\SysWOW64\netsh.exe
Commandline:	netsh advfirewall firewall delete rule name="benshan"
Size:	82432
MD5:	4E89A1A088BE715D6C946E55AB07C7DF
Time:	17:29:39
Date:	28/03/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x1080000
Modulesize:	122880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3752
Target ID:	3
Parent PID:	6112
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	17:29:38
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://dywt.com.cnservice

unknown

http://www.openssl.org/support/faq.htmlRAND

unknown

http://cs-g2-crl.thawte.com/ThawteCSG2.crl0

unknown

http://crl.thawte.com/ThawtePCA.crl0

unknown

http://ocsp.thawte.com0

unknown

http://dywt.com.cn

unknown

http://www.openssl.org/support/faq.html

unknown

IPs

Domain

Country

Malicious

127.0.0.1

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib

1280x1024x32(BGR 0)

Memdumps

Base Address

Regiontype

Protect

Malicious

2600000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2EBF000

stack

page read and write

2FC0000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

25F4000

heap

page read and write

817000

heap

page read and write

267E000

stack

page read and write

92000

stack

page read and write

2FC0000

trusted library allocation

page read and write

73B000

unkown

page read and write

2FC0000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

263E000

stack

page read and write

2600000

trusted library allocation

page read and write

723000

unkown

page write copy

A3E000

stack

page read and write

2600000

trusted library allocation

page read and write

2789000

heap

page read and write

CF0000

heap

page read and write

2600000

trusted library allocation

page read and write

25C0000

heap

page read and write

2600000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

83E000

heap

page read and write

2600000

trusted library allocation

page read and write

2570000

heap

page read and write

2600000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

783000

unkown

page readonly

2580000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

400000

unkown

page readonly

4F1000

unkown

page readonly

4FE000

unkown

page readonly

2600000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2685000

heap

page read and write

255C000

heap

page read and write

71F000

unkown

page read and write

714000

unkown

page read and write

2600000

trusted library allocation

page read and write

2540000

direct allocation

page execute and read and write

2600000

trusted library allocation

page read and write

72F000

unkown

page read and write

820000

heap

page read and write

2FC0000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2FBF000

stack

page read and write

2FC0000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2548000

direct allocation

page execute and read and write

2BC0000

heap

page read and write

2600000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

D33000

direct allocation

page execute and read and write

7A0000

heap

page read and write

712000

unkown

page write copy

712000

unkown

page write copy

D28000

direct allocation

page execute and read and write

2600000

trusted library allocation

page read and write

7B0000

heap

page read and write

2FC0000

trusted library allocation

page read and write

817000

heap

page read and write

2600000

trusted library allocation

page read and write

B3F000

stack

page read and write

2600000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

77B000

unkown

page read and write

2FC0000

trusted library allocation

page read and write

19C000

stack

page read and write

810000

heap

page read and write

781000

unkown

page read and write

2BC1000

heap

page read and write

4F1000

unkown

page readonly

2600000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

783000

unkown

page readonly

2FC0000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2680000

heap

page read and write

2FC0000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

817000

heap

page read and write

8C2000

heap

page read and write

2600000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

D10000

direct allocation

page execute and read and write

2600000

trusted library allocation

page read and write

72F000

unkown

page write copy

2FC0000

trusted library allocation

page read and write

8CE000

heap

page read and write

2FC0000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

25F0000

heap

page read and write

2600000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2590000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

748000

unkown

page read and write

2FC0000

trusted library allocation

page read and write

83A000

heap

page read and write

2780000

heap

page read and write

2FC0000

trusted library allocation

page read and write

815000

heap

page read and write

2FC0000

trusted library allocation

page read and write

2510000

direct allocation

page execute and read and write

2FC0000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

2FC0000

trusted library allocation

page read and write

830000

heap

page read and write

72B000

unkown

page read and write

401000

unkown

page execute read

2FC0000

trusted library allocation

page read and write

253E000

direct allocation

page execute and read and write

2BC1000

heap

page read and write

400000

unkown

page readonly

2CC3000

heap

page read and write

716000

unkown

page write copy

2600000

trusted library allocation

page read and write

2600000

trusted library allocation

page read and write

8BB000

heap

page read and write

4FE000

unkown

page readonly

2600000

trusted library allocation

page read and write

8BC000

heap

page read and write

D6E000

heap

page read and write

2FC0000

trusted library allocation

page read and write

401000

unkown

page execute read

2FC0000

trusted library allocation

page read and write

D2B000

direct allocation

page execute and read and write

2BC1000

heap

page read and write

754000

unkown

page read and write

253C000

direct allocation

page execute and read and write

D60000

heap

page read and write

There are 165 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
qZJOfO5jjs

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportqZJOfO5jjs

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
qZJOfO5jjs