Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

uk1HIyOQbk.exe

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	5.723174445954432
Filename:	uk1HIyOQbk.exe
Filesize:	132096
MD5:	4ef284c7f56474536bfb5d1527132def
SHA1:	67acd4f8d3dac7319f780ee902fb5ce0a823cbca
SHA256:	f2c8303d2447229782a7072ac4eca105c984494d92b0b783e12749dc779a18b5
SHA512:	66eeb418547e932f778323a6036ecb85e7cbc639576c817125b23c5bb9a4ec1871bbcdf635bb7ea301ccf5e2fe772044213382b9f5b345ad7a83d870c1162832
SSDEEP:	3072:+hyUfzbspKNMOccF6l3iMAelbWTz6KLYXDMx960:+hyUMyMOUIGbWtS
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...y..e.........."...................... .....@..... .......................@............@...@......@............... .....

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Enables debug privileges	Anti Debugging
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uk1HIyOQbk.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uk1HIyOQbk.exe.log
Category:	dropped
Dump:	uk1HIyOQbk.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\uk1HIyOQbk.exe
Type:	CSV text
Entropy:	5.370111951859942
Encrypted:	false
Ssdeep:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
Size:	1281
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\uk1HIyOQbk.exe

"C:\Users\user\Desktop\uk1HIyOQbk.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6840
Target ID:	0
Parent PID:	2580
Name:	uk1HIyOQbk.exe
Path:	C:\Users\user\Desktop\uk1HIyOQbk.exe
Commandline:	"C:\Users\user\Desktop\uk1HIyOQbk.exe"
Size:	132096
MD5:	4EF284C7F56474536BFB5D1527132DEF
Time:	08:58:52
Date:	29/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1c0000
Modulesize:	147456
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary

URLs

Name

Malicious

https://www.upload.ee

unknown

Details

Name:	https://www.upload.ee
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\uk1HIyOQbk.exe
Source:	uk1HIyOQbk.exe, 00000000.00000002.1661402521.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.upload.ee

unknown

Details

Name:	http://www.upload.ee
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\uk1HIyOQbk.exe
Source:	uk1HIyOQbk.exe, 00000000.00000002.1661402521.0000000003701000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\uk1HIyOQbk.exe
Source:	uk1HIyOQbk.exe, 00000000.00000002.1661402521.00000000036E9000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://www.upload.ee/files/16412149/RouletteBotPro_x64.exe.html?msg=sess_error

unknown

Details

Name:	https://www.upload.ee/files/16412149/RouletteBotPro_x64.exe.html?msg=sess_error
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\uk1HIyOQbk.exe
Source:	uk1HIyOQbk.exe, 00000000.00000002.1661402521.0000000003721000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://www.upload.ee/download/16412149/89c46e99b3111e814466/RouletteBotPro_x64.exe

51.91.30.159

Details

Name:	https://www.upload.ee/download/16412149/89c46e99b3111e814466/RouletteBotPro_x64.exe
IP:	51.91.30.159
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\uk1HIyOQbk.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
URLs found in memory or binary data	Networking

Domains

Name

Malicious

www.upload.ee

51.91.30.159

Details

Name:	www.upload.ee
IP:	51.91.30.159
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

51.91.30.159

www.upload.ee

France

Details

IP:	51.91.30.159
TargetID:	0
Current Path:	C:\Users\user\Desktop\uk1HIyOQbk.exe
Country:	France
Countrycode:	FRA
ASN number:	16276
ASN name:	OVHFR
Private:	false
Domain:	www.upload.ee

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uk1HIyOQbk_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uk1HIyOQbk_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uk1HIyOQbk_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uk1HIyOQbk_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uk1HIyOQbk_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uk1HIyOQbk_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uk1HIyOQbk_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uk1HIyOQbk_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uk1HIyOQbk_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uk1HIyOQbk_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uk1HIyOQbk_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uk1HIyOQbk_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uk1HIyOQbk_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\uk1HIyOQbk_RASMANCS

FileDirectory

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

36DF000

trusted library allocation

page read and write

13668000

trusted library allocation

page read and write

7FFD9B7AD000

trusted library allocation

page execute and read and write

7FFD9B7B0000

trusted library allocation

page read and write

17CE000

stack

page read and write

1FC50000

trusted library allocation

page read and write

7FFD9B793000

trusted library allocation

page execute and read and write

A50000

heap

page read and write

7FFD9B940000

trusted library allocation

page execute and read and write

1CD1E000

stack

page read and write

3250000

heap

page execute and read and write

31E0000

heap

page read and write

8B2000

heap

page read and write

1D920000

heap

page read and write

36D3000

trusted library allocation

page read and write

1C2000

unkown

page readonly

1FB43000

heap

page read and write

1D98F000

heap

page read and write

36F8000

trusted library allocation

page read and write

89A000

heap

page read and write

7FFD9B794000

trusted library allocation

page read and write

7FFD9B7B4000

trusted library allocation

page read and write

1FB40000

heap

page read and write

1366D000

trusted library allocation

page read and write

3661000

trusted library allocation

page read and write

13C5000

heap

page read and write

EFE000

stack

page read and write

36E6000

trusted library allocation

page read and write

876000

heap

page read and write

AF5000

heap

page read and write

AF0000

heap

page read and write

3738000

trusted library allocation

page read and write

7FFD9B79D000

trusted library allocation

page execute and read and write

3701000

trusted library allocation

page read and write

8E0000

heap

page read and write

7FFD9B846000

trusted library allocation

page read and write

36E2000

trusted library allocation

page read and write

1C0000

unkown

page readonly

3715000

trusted library allocation

page read and write

36E9000

trusted library allocation

page read and write

36D6000

trusted library allocation

page read and write

1D9B5000

heap

page read and write

13661000

trusted library allocation

page read and write

3713000

trusted library allocation

page read and write

970000

heap

page read and write

1D989000

heap

page read and write

7FFD9B933000

trusted library allocation

page read and write

3725000

trusted library allocation

page read and write

1D953000

heap

page read and write

36D9000

trusted library allocation

page read and write

7FFD9B7BB000

trusted library allocation

page execute and read and write

7FFD9B84C000

trusted library allocation

page execute and read and write

8E8000

heap

page read and write

1D955000

heap

page read and write

1D997000

heap

page read and write

13663000

trusted library allocation

page read and write

A90000

heap

page read and write

365F000

stack

page read and write

7FFD9B850000

trusted library allocation

page execute and read and write

7FFD9B840000

trusted library allocation

page read and write

1D11D000

stack

page read and write

8FC000

heap

page read and write

7FF4DC5E0000

trusted library allocation

page execute and read and write

13CE000

heap

page read and write

8B5000

heap

page read and write

1D985000

heap

page read and write

1C51E000

stack

page read and write

AE0000

trusted library allocation

page read and write

36DC000

trusted library allocation

page read and write

1D51E000

stack

page read and write

1310000

trusted library allocation

page read and write

8A4000

heap

page read and write

A70000

heap

page read and write

7FFD9B7A3000

trusted library allocation

page read and write

870000

heap

page read and write

958000

heap

page read and write

7FFD9B7EC000

trusted library allocation

page execute and read and write

12FE000

stack

page read and write

1E220000

heap

page read and write

1E21E000

stack

page read and write

1DE1E000

stack

page read and write

832000

stack

page read and write

1BDDC000

stack

page read and write

87C000

heap

page read and write

13B0000

heap

page execute and read and write

7FFD9B876000

trusted library allocation

page execute and read and write

3721000

trusted library allocation

page read and write

7FFD9B8B0000

trusted library allocation

page execute and read and write

1C91E000

stack

page read and write

3090000

heap

page read and write

7FFD9B7A8000

trusted library allocation

page read and write

1D91E000

stack

page read and write

13C0000

heap

page read and write

7FFD9B7BD000

trusted library allocation

page execute and read and write

There are 84 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
uk1HIyOQbk.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportuk1HIyOQbk.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
uk1HIyOQbk.exe