Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

952cgs4G29.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.3887604891879395
Filename:	952cgs4G29.exe
Filesize:	64512
MD5:	446035c77554b10722a6482a9a08d592
SHA1:	0bded2287c79aa77bf4be8a59567e6aa2ec1b001
SHA256:	6c3e5106d3a3beebcae780dac855de2932c7df511ac3fb0fe0fe218f4fa7878a
SHA512:	f56ce2880ea024d3b507f9968f3e6570fbe6031885a181fb0c2f60596733e9e06f3ad2fe7506a97bdd4687541b24dfc8c570a742c0155ac72e8fe57301330b2b
SSDEEP:	1536:qmfW6qHdykrVMKuJUYFVBE2UbtAPCZQHL4B2arPlTGdx:qme6qHdykGKuJUYFTUbt5Qssadux
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...vjzd............................^.... ... ....@.. .......................`............`................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary	Security Software Discovery
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture Security Software Discovery
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Security Software Discovery Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Security Software Discovery
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Security Software Discovery System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary
Yara signature match	System Summary
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools
Checks the free space of harddrives	Malware Analysis System Evasion
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking	Security Software Discovery
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression

dropped

Details

File:	C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Category:	dropped
Dump:	77EC63BDA74BD0D0E0426DC8F8008506.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\952cgs4G29.exe
Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Entropy:	7.99584879649948
Encrypted:	true
Ssdeep:	1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
Size:	69993
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

data

dropped

Details

File:	C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Category:	dropped
Dump:	77EC63BDA74BD0D0E0426DC8F80085060.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\952cgs4G29.exe
Type:	data
Entropy:	3.227769006306415
Encrypted:	false
Ssdeep:	6:kKuvXlEN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:uXlbkPlE99SNxAhUeVLVt
Size:	330
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\952cgs4G29.exe

"C:\Users\user\Desktop\952cgs4G29.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6552
Target ID:	0
Parent PID:	2580
Name:	952cgs4G29.exe
Path:	C:\Users\user\Desktop\952cgs4G29.exe
Commandline:	"C:\Users\user\Desktop\952cgs4G29.exe"
Size:	64512
MD5:	446035C77554B10722A6482A9A08D592
Time:	22:21:51
Date:	16/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd40000
Modulesize:	90112
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Yara detected Generic Downloader	Networking
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://crl.micro

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\952cgs4G29.exe
Source:	952cgs4G29.exe, 00000000.00000002.4070824389.00000000030F1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

rootsaul.duckdns.org

45.128.96.204

Details

Name:	rootsaul.duckdns.org
IP:	45.128.96.204
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
Uses dynamic DNS services	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

bg.microsoft.map.fastly.net

199.232.214.172

IPs

Domain

Country

Malicious

45.128.96.204

rootsaul.duckdns.org

Germany

Details

IP:	45.128.96.204
TargetID:	0
Current Path:	C:\Users\user\Desktop\952cgs4G29.exe
Country:	Germany
Countrycode:	DEU
ASN number:	34373
ASN name:	XXLNETNL
Private:	false
Domain:	rootsaul.duckdns.org

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Memdumps

Base Address

Regiontype

Protect

Malicious

D42000

unkown

page readonly

30F1000

trusted library allocation

page read and write

5D3E000

stack

page read and write

5AFF000

stack

page read and write

1240000

heap

page read and write

5776000

heap

page read and write

318B000

trusted library allocation

page read and write

5DB5000

trusted library allocation

page read and write

5C3D000

stack

page read and write

668D000

stack

page read and write

5D49000

trusted library allocation

page read and write

2E8E000

stack

page read and write

2FB0000

trusted library allocation

page read and write

5D4B000

trusted library allocation

page read and write

5D50000

trusted library allocation

page read and write

5E60000

heap

page read and write

59FC000

stack

page read and write

1697000

heap

page read and write

D52000

unkown

page readonly

60EE000

stack

page read and write

71EE000

stack

page read and write

2E20000

trusted library allocation

page read and write

563E000

heap

page read and write

2E2B000

trusted library allocation

page execute and read and write

70EC000

stack

page read and write

5613000

heap

page read and write

2E40000

trusted library allocation

page read and write

2DF3000

trusted library allocation

page execute and read and write

564C000

heap

page read and write

5636000

heap

page read and write

5600000

heap

page read and write

DEC000

stack

page read and write

40F7000

trusted library allocation

page read and write

1367000

heap

page read and write

5D40000

trusted library allocation

page read and write

2E1A000

trusted library allocation

page execute and read and write

30EE000

stack

page read and write

40F9000

trusted library allocation

page read and write

562E000

heap

page read and write

2E27000

trusted library allocation

page execute and read and write

1179000

heap

page read and write

2DB0000

heap

page read and write

658C000

stack

page read and write

1150000

heap

page read and write

D40000

unkown

page readonly

2E10000

trusted library allocation

page read and write

5DA6000

trusted library allocation

page read and write

1340000

heap

page read and write

55F0000

heap

page execute and read and write

2DF4000

trusted library allocation

page read and write

684D000

stack

page read and write

5D84000

trusted library allocation

page read and write

1250000

heap

page read and write

7F590000

trusted library allocation

page execute and read and write

2FE0000

heap

page read and write

57E0000

heap

page read and write

11CC000

heap

page read and write

2EF0000

heap

page execute and read and write

1158000

heap

page read and write

1260000

heap

page read and write

2E16000

trusted library allocation

page execute and read and write

66CE000

stack

page read and write

1204000

heap

page read and write

5E80000

heap

page read and write

5FEE000

stack

page read and write

2DAD000

stack

page read and write

2DF0000

trusted library allocation

page read and write

644E000

stack

page read and write

2ECC000

stack

page read and write

6E6E000

stack

page read and write

6F6E000

stack

page read and write

63CE000

stack

page read and write

13AE000

stack

page read and write

5DFE000

stack

page read and write

2E12000

trusted library allocation

page read and write

5E10000

trusted library allocation

page read and write

5700000

heap

page read and write

640F000

stack

page read and write

2E00000

trusted library allocation

page read and write

10F9000

stack

page read and write

5D94000

trusted library allocation

page read and write

2FB7000

trusted library allocation

page read and write

57E7000

heap

page read and write

2DFD000

trusted library allocation

page execute and read and write

670E000

stack

page read and write

5E90000

heap

page read and write

2DE0000

trusted library allocation

page read and write

556E000

stack

page read and write

5E70000

heap

page read and write

2EE0000

trusted library allocation

page read and write

1690000

heap

page read and write

55EE000

stack

page read and write

51ED000

stack

page read and write

5DA9000

trusted library allocation

page read and write

5E5D000

stack

page read and write

2ED0000

trusted library allocation

page execute and read and write

1187000

heap

page read and write

5629000

heap

page read and write

57E4000

heap

page read and write

2F08000

trusted library allocation

page read and write

654E000

stack

page read and write

1185000

heap

page read and write

167C000

stack

page read and write

55AE000

stack

page read and write

40F1000

trusted library allocation

page read and write

1360000

heap

page read and write

1255000

heap

page read and write

674C000

stack

page read and write

2E22000

trusted library allocation

page read and write

5BFD000

stack

page read and write

14AE000

stack

page read and write

There are 101 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
952cgs4G29.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report952cgs4G29.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
952cgs4G29.exe