Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

DPT_590327839_027838893200_____________________________.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.919451048170663
Filename:	DPT_590327839_027838893200_____________________________.exe
Filesize:	1088512
MD5:	a41d666268109b71eeab533caf08d5ec
SHA1:	62694b120d65962dbdefc457bfafa092a3e6a018
SHA256:	92d6b2ccfc3f6f350b4c5f989022abda28a982e9fe0bb4121ad4092802e1a758
SHA512:	1e6ddcea2dd5f3660d3ab639fe86def6cd44c4c1545de76805482b54905372b62383eb1f9fc03a2579a1dc8edf253340e28560eff8eb87724e4799d7b8192462
SSDEEP:	24576:+AHnh+eWsN3skA4RV1Hom2KXMmHaLzS77o5:ph+ZkldoPK8YaLzr
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Native API Access Token Manipulation
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Process Discovery Clipboard Data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evasive API chain (may stop execution after accessing registry keys)	Malware Analysis System Evasion
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools
Contains functionality for error logging	System Summary
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\aut9B87.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut9B87.tmp
Category:	dropped
Dump:	aut9B87.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe
Type:	data
Entropy:	7.9513960654096225
Encrypted:	false
Ssdeep:	3072:dE/FzLym8bR1dI0NGQ+XWJtATH0NU+luEsdINu:duyL91dIbXCqLdEu
Size:	132180
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\aut9BE5.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut9BE5.tmp
Category:	dropped
Dump:	aut9BE5.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe
Type:	data
Entropy:	7.59578339129546
Encrypted:	false
Ssdeep:	192:m+cK6f01Ehm0qek9Gh0qWbK307N+P7EqP008IuLrQpbrSKD0O7t:976Mkm7ek9y0pbK307Nkgq+XQpbrXDPx
Size:	9922
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\electicism

ASCII text, with very long lines (29744), with no line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Temp\electicism
Category:	modified
Dump:	electicism.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe
Type:	ASCII text, with very long lines (29744), with no line terminators
Entropy:	3.546555146881828
Encrypted:	false
Ssdeep:	768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbQE+I+h6584vfF3if6gL:wiTZ+2QoioGRk6ZklputwjpjBkCiw2Ra
Size:	29744
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\intemeration

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\intemeration
Category:	dropped
Dump:	intemeration.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe
Type:	data
Entropy:	7.117364737785545
Encrypted:	false
Ssdeep:	3072:tPvRL4Y7QIgpCenQO8gPS/dDzYnLIrkJ+gfFMEZBe26gtR5bJbesEVyxk9Z8bCNt:tnRLj7KpCenB8gPS/dDzYnpESU26gtf6
Size:	167936
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe

"C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6764
Target ID:	0
Parent PID:	4056
Name:	DPT_590327839_027838893200_____________________________.exe
Path:	C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe
Commandline:	"C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe"
Size:	1088512
MD5:	A41D666268109B71EEAB533CAF08D5EC
Time:	08:31:34
Date:	23/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xfc0000
Modulesize:	1114112
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Suspicious Double Extension File Execution	System Summary
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe"

Details

Is windows:	true
Is dropped:	false
PID:	1020
Target ID:	2
Parent PID:	6764
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	08:31:35
Date:	23/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xd50000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

2500000

direct allocation

page read and write

402000

system

page execute and read and write

FC1000

unkown

page execute read

1088000

unkown

page readonly

187F000

heap

page read and write

150C000

stack

page read and write

1434000

trusted library allocation

page read and write

1258000

heap

page read and write

44A9000

direct allocation

page read and write

1720000

trusted library allocation

page execute and read and write

451E000

direct allocation

page read and write

70416000

unkown

page readonly

11F5000

heap

page read and write

1289000

heap

page read and write

1976000

heap

page read and write

4303000

direct allocation

page read and write

44A9000

direct allocation

page read and write

5AFE000

stack

page read and write

1979000

heap

page read and write

70401000

unkown

page execute read

44A9000

direct allocation

page read and write

564E000

stack

page read and write

191A000

heap

page read and write

19BA000

heap

page read and write

41E0000

direct allocation

page read and write

18A6000

heap

page read and write

56CE000

stack

page read and write

186A000

heap

page read and write

17BF000

stack

page read and write

2534000

heap

page read and write

1879000

heap

page read and write

DE9000

stack

page read and write

1430000

trusted library allocation

page read and write

1869000

heap

page read and write

5C90000

trusted library allocation

page read and write

41E0000

direct allocation

page read and write

19BA000

heap

page read and write

451E000

direct allocation

page read and write

1852000

heap

page read and write

127A000

heap

page read and write

7041D000

unkown

page read and write

4279000

trusted library allocation

page read and write

19AA000

heap

page read and write

55C0000

heap

page execute and read and write

1313000

heap

page read and write

1800000

heap

page read and write

1098000

unkown

page readonly

18A6000

heap

page read and write

131E000

heap

page read and write

FC0000

unkown

page readonly

2580000

heap

page read and write

65B0000

trusted library allocation

page read and write

6570000

trusted library allocation

page execute and read and write

1462000

trusted library allocation

page read and write

41E0000

direct allocation

page read and write

44AD000

direct allocation

page read and write

32C6000

trusted library allocation

page read and write

303E000

trusted library allocation

page read and write

1878000

heap

page read and write

303B000

trusted library allocation

page read and write

1150000

heap

page read and write

4380000

direct allocation

page read and write

132B000

heap

page read and write

3329000

trusted library allocation

page read and write

1760000

trusted library allocation

page read and write

17FC000

stack

page read and write

560C000

stack

page read and write

4380000

direct allocation

page read and write

1210000

heap

page read and write

3051000

trusted library allocation

page read and write

1150000

heap

page read and write

1730000

trusted library allocation

page read and write

3080000

heap

page read and write

6373000

heap

page read and write

1088000

unkown

page readonly

55B7000

trusted library allocation

page read and write

108A000

unkown

page readonly

19AA000

heap

page read and write

17CF000

stack

page read and write

143D000

trusted library allocation

page execute and read and write

19BA000

heap

page read and write

55A0000

trusted library allocation

page read and write

3056000

trusted library allocation

page read and write

FC1000

unkown

page execute read

3098000

trusted library allocation

page read and write

1750000

trusted library allocation

page read and write

2530000

heap

page read and write

44AD000

direct allocation

page read and write

14CE000

stack

page read and write

44A9000

direct allocation

page read and write

F7A000

stack

page read and write

FC0000

unkown

page readonly

44A9000

direct allocation

page read and write

4303000

direct allocation

page read and write

6670000

heap

page read and write

1852000

heap

page read and write

119E000

stack

page read and write

400000

system

page execute and read and write

1098000

unkown

page readonly

70400000

unkown

page readonly

305D000

trusted library allocation

page read and write

1460000

trusted library allocation

page read and write

1286000

heap

page read and write

42C000

system

page execute and read and write

1820000

heap

page read and write

146B000

trusted library allocation

page execute and read and write

145A000

trusted library allocation

page execute and read and write

3042000

trusted library allocation

page read and write

1843000

heap

page read and write

1250000

heap

page read and write

44AD000

direct allocation

page read and write

3036000

trusted library allocation

page read and write

6460000

heap

page read and write

451E000

direct allocation

page read and write

7F670000

trusted library allocation

page execute and read and write

18A5000

heap

page read and write

20EE000

stack

page read and write

24F0000

direct allocation

page execute and read and write

107F000

unkown

page read and write

185B000

heap

page read and write

332E000

trusted library allocation

page read and write

195A000

heap

page read and write

4380000

direct allocation

page read and write

1740000

trusted library allocation

page read and write

1510000

heap

page read and write

1420000

trusted library allocation

page read and write

199A000

heap

page read and write

18A7000

heap

page read and write

58FF000

stack

page read and write

1879000

heap

page read and write

5C87000

trusted library allocation

page read and write

451E000

direct allocation

page read and write

18C6000

heap

page read and write

1852000

heap

page read and write

3344000

trusted library allocation

page read and write

18A6000

heap

page read and write

1979000

heap

page read and write

190A000

heap

page read and write

104F000

unkown

page readonly

6560000

trusted library allocation

page execute and read and write

57FC000

stack

page read and write

42B5000

trusted library allocation

page read and write

1879000

heap

page read and write

44A9000

direct allocation

page read and write

19A8000

heap

page read and write

1945000

heap

page read and write

107F000

unkown

page write copy

3240000

heap

page execute and read and write

1827000

heap

page read and write

451E000

direct allocation

page read and write

3030000

trusted library allocation

page read and write

17DB000

stack

page read and write

4303000

direct allocation

page read and write

1083000

unkown

page write copy

1450000

trusted library allocation

page read and write

185B000

heap

page read and write

1853000

heap

page read and write

197B000

heap

page read and write

1456000

trusted library allocation

page execute and read and write

4303000

direct allocation

page read and write

199A000

heap

page read and write

451E000

direct allocation

page read and write

3251000

trusted library allocation

page read and write

41E0000

direct allocation

page read and write

10F8000

stack

page read and write

1480000

trusted library allocation

page read and write

4251000

trusted library allocation

page read and write

1075000

unkown

page readonly

1780000

heap

page read and write

1075000

unkown

page readonly

56F0000

heap

page read and write

322E000

stack

page read and write

41E0000

direct allocation

page read and write

44AD000

direct allocation

page read and write

65A0000

heap

page read and write

4303000

direct allocation

page read and write

1897000

heap

page read and write

1979000

heap

page read and write

32B9000

trusted library allocation

page read and write

104F000

unkown

page readonly

304A000

trusted library allocation

page read and write

44AD000

direct allocation

page read and write

41E0000

direct allocation

page read and write

44AD000

direct allocation

page read and write

7041F000

unkown

page readonly

4303000

direct allocation

page read and write

1888000

heap

page read and write

333E000

trusted library allocation

page read and write

1140000

heap

page read and write

24EE000

stack

page read and write

18A6000

heap

page read and write

4380000

direct allocation

page read and write

5CA0000

trusted library allocation

page read and write

56F3000

heap

page read and write

5C80000

trusted library allocation

page read and write

11A0000

heap

page read and write

113E000

stack

page read and write

304E000

trusted library allocation

page read and write

302E000

stack

page read and write

1467000

trusted library allocation

page execute and read and write

1452000

trusted library allocation

page read and write

6360000

heap

page read and write

4380000

direct allocation

page read and write

55B0000

trusted library allocation

page read and write

11F0000

heap

page read and write

4380000

direct allocation

page read and write

108A000

unkown

page readonly

144D000

trusted library allocation

page execute and read and write

32C0000

trusted library allocation

page read and write

10F0000

heap

page read and write

1433000

trusted library allocation

page execute and read and write

1440000

trusted library allocation

page read and write

There are 202 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
DPT_590327839_027838893200_____________________________.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportDPT_590327839_027838893200_____________________________.exe

Files

Processes

Memdumps

IOC Report
DPT_590327839_027838893200_____________________________.exe