Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Kofc4rRZdp.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.9596931280584595
Filename:	Kofc4rRZdp.exe
Filesize:	3049000
MD5:	243149fc79e420c9dfe7f0affa166238
SHA1:	8289040f7e4043f6b6320684a63f2019714aaab6
SHA256:	fee7bb0a897a66e0ff928aa8abc71ab11a59d960d88e10c1a05f60495c08522a
SHA512:	1722b5e597d14c6720d6b22b0e802fbfa84cf933e1676ecbb1b9c7087eab8f5d9810c80a139a057473022bc655a5c70870d00913fc3ab1791d7db739fc0994db
SSDEEP:	49152:XcL4/Td35hyvDldRgzCyymaTQ+EU6p/1mjAeOX5LL9ac1PvmaFq:XcL4tPyLldR1yOsnU6KaLhac1Hmag
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y...y...y....~..y....\|.!y....}..y..+.r..y..+....y..+....y..+....y.......y.......y...y...x..%....y..%....y..%.p..y..%....y.

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
File is packed with WinRar	Data Obfuscation	Software Packing
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains functionality for error logging	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Might use command line arguments	System Summary
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Reads ini files	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\42ZqUg._

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\42ZqUg._
Category:	dropped
Dump:	42ZqUg._.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Kofc4rRZdp.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	7.9563253833154
Encrypted:	false
Ssdeep:	49152:PUlXiX5/dTY14YysazQG0gK5LHmjQeOXlVjZmk7PLOfy:qip/dTRYoMdgKcaVtmk7zOfy
Size:	2899968
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Kofc4rRZdp.exe

"C:\Users\user\Desktop\Kofc4rRZdp.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2520
Target ID:	0
Parent PID:	1028
Name:	Kofc4rRZdp.exe
Path:	C:\Users\user\Desktop\Kofc4rRZdp.exe
Commandline:	"C:\Users\user\Desktop\Kofc4rRZdp.exe"
Size:	3049000
MD5:	243149FC79E420C9DFE7F0AFFA166238
Time:	05:47:54
Date:	20/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x710000
Modulesize:	454656
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /u /s .\42ZQUg._

Details

Is windows:	true
Is dropped:	false
PID:	3220
Target ID:	1
Parent PID:	2520
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\regsvr32.exe
Commandline:	"C:\Windows\System32\regsvr32.exe" /u /s .\42ZQUg._
Size:	20992
MD5:	878E47C8656E53AE8A8A21E927C6F7E0
Time:	05:47:54
Date:	20/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xb50000
Modulesize:	36864
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

2D97000

heap

page read and write

2D39000

heap

page read and write

762000

unkown

page read and write

4956000

direct allocation

page read and write

970000

heap

page read and write

549F000

stack

page read and write

2D44000

heap

page read and write

2D30000

heap

page read and write

2990000

heap

page readonly

2D6C000

heap

page read and write

4FA0000

trusted library allocation

page read and write

29ED000

stack

page read and write

920000

heap

page read and write

711000

unkown

page execute read

710000

unkown

page readonly

742000

unkown

page readonly

3241000

trusted library allocation

page read and write

2916000

stack

page read and write

2D50000

heap

page read and write

910000

heap

page read and write

960000

direct allocation

page execute and read and write

772C000

stack

page read and write

76EF000

stack

page read and write

2CD0000

heap

page read and write

2D84000

heap

page read and write

2D37000

heap

page read and write

2D39000

heap

page read and write

2D84000

heap

page read and write

4951000

direct allocation

page execute read

2CFB000

stack

page read and write

45A0000

direct allocation

page read and write

2FCD000

stack

page read and write

300E000

stack

page read and write

2D3A000

heap

page read and write

4A71000

direct allocation

page execute read

2D84000

heap

page read and write

2D5B000

heap

page read and write

4F90000

heap

page read and write

2D99000

heap

page read and write

782D000

stack

page read and write

3260000

heap

page read and write

2D36000

heap

page read and write

2D56000

heap

page read and write

2D6C000

heap

page read and write

4B68000

direct allocation

page read and write

2D3A000

heap

page read and write

2D39000

heap

page read and write

310E000

stack

page read and write

2D5B000

heap

page read and write

525E000

stack

page read and write

2D63000

heap

page read and write

29F0000

heap

page read and write

2D63000

heap

page read and write

76D000

unkown

page readonly

325A000

trusted library allocation

page read and write

4E50000

heap

page read and write

2C1E000

stack

page read and write

29A0000

heap

page read and write

74E000

unkown

page read and write

4FC0000

heap

page read and write

75E000

unkown

page read and write

2D27000

heap

page read and write

76C000

unkown

page readonly

75EE000

stack

page read and write

4FD0000

heap

page read and write

6C50000

trusted library allocation

page read and write

2D2A000

heap

page read and write

2B9E000

stack

page read and write

2D40000

heap

page read and write

2C5F000

stack

page read and write

2D6C000

heap

page read and write

2D74000

heap

page read and write

2D39000

heap

page read and write

74E000

unkown

page write copy

76C000

unkown

page write copy

742000

unkown

page readonly

4D27000

direct allocation

page read and write

2CEC000

stack

page read and write

97A000

heap

page read and write

3267000

heap

page read and write

2D2F000

heap

page read and write

2980000

heap

page read and write

89C000

stack

page read and write

535E000

stack

page read and write

2BDF000

stack

page read and write

539E000

stack

page read and write

2D00000

heap

page read and write

326B000

heap

page read and write

4FA0000

heap

page read and write

2D84000

heap

page read and write

4A7B000

direct allocation

page readonly

2D40000

heap

page read and write

2D41000

heap

page read and write

2D63000

heap

page read and write

85B000

stack

page read and write

2D76000

heap

page read and write

710000

unkown

page readonly

29A5000

heap

page read and write

2D6C000

heap

page read and write

2D08000

heap

page read and write

2DC0000

heap

page read and write

3214000

heap

page read and write

2D6C000

heap

page read and write

2D39000

heap

page read and write

711000

unkown

page execute read

4570000

heap

page read and write

2D62000

heap

page read and write

757000

unkown

page read and write

900000

heap

page read and write

2D99000

heap

page read and write

3210000

heap

page read and write

2D84000

heap

page read and write

There are 102 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Kofc4rRZdp.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportKofc4rRZdp.exe

Files

Processes

Memdumps

IOC Report
Kofc4rRZdp.exe