Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

init_DB.exe

PE32 executable (console) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	6.6912976821659225
Filename:	init_DB.exe
Filesize:	91648
MD5:	f2663571882c3baa5633db216443cc0a
SHA1:	85a1283578cef91b29c155c8179733332d48b7c9
SHA256:	de3dfcb68228e7f64f30e64980ad8da6629da73b10d5172762aba76721372b7c
SHA512:	de33378c6653c1a485ed9b64f31e3b0c35f8a6ff0a13fab25a264e08764d583294aea5031c881b0672379d627004a39838fda5021bbbe26f23dd7ffb8523c98d
SSDEEP:	1536:L7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfQwObOE:H7DhdC6kzWypvaQ0FxyNTBfQt7
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...].@]...............2.....N...............0....@........................................................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Executes batch files	System Summary	Scripting
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\1413.tmp\1414.tmp\1415.bat

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\1413.tmp\1414.tmp\1415.bat
Category:	dropped
Dump:	1415.bat.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\init_DB.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.497029541798505
Encrypted:	false
Ssdeep:	12:NSN1IX9Cyt0yuSu9Cyt0/n2PaBt2am79Cyt0PbA1:QNmEyJuKy2nVNyqbA1
Size:	525
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\init_DB.exe

"C:\Users\user\Desktop\init_DB.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1344
Target ID:	0
Parent PID:	4084
Name:	init_DB.exe
Path:	C:\Users\user\Desktop\init_DB.exe
Commandline:	"C:\Users\user\Desktop\init_DB.exe"
Size:	91648
MD5:	F2663571882C3BAA5633DB216443CC0A
Time:	08:22:13
Date:	23/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	106496
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Babadeda	Data Obfuscation
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Executes batch files	System Summary	Scripting
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4564
Target ID:	2
Parent PID:	1344
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	08:22:13
Date:	23/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6ee680000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\1413.tmp\1414.tmp\1415.bat C:\Users\user\Desktop\init_DB.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6784
Target ID:	3
Parent PID:	1344
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	"C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\1413.tmp\1414.tmp\1415.bat C:\Users\user\Desktop\init_DB.exe"
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	08:22:13
Date:	23/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff662c30000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

400000

unkown

page readonly

5B0000

heap

page read and write

19D000

stack

page read and write

5EE000

heap

page read and write

413000

unkown

page readonly

8DF000

stack

page read and write

20C7000

heap

page read and write

430000

heap

page read and write

413000

unkown

page readonly

417000

unkown

page write copy

2140000

heap

page read and write

1D0000

heap

page read and write

20B0000

heap

page read and write

419000

unkown

page readonly

55E000

stack

page read and write

5EA000

heap

page read and write

400000

unkown

page readonly

20C0000

heap

page read and write

401000

unkown

page execute read

5E0000

heap

page read and write

510000

heap

page read and write

20C4000

heap

page read and write

417000

unkown

page read and write

401000

unkown

page execute read

A80000

heap

page read and write

2260000

heap

page read and write

59E000

stack

page read and write

419000

unkown

page readonly

9B000

stack

page read and write

7DF000

stack

page read and write

There are 20 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
init_DB.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportinit_DB.exe

Files

Processes

Memdumps

IOC Report
init_DB.exe