Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Open.EXE

PE32+ executable (GUI) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	6.869085505362055
Filename:	Open.EXE
Filesize:	155136
MD5:	71b721a82f1db2747fad1df78e11f2ec
SHA1:	2239279c93ec64d077550d1f7072385d9b9763f3
SHA256:	7f79087dfc16b2b7fdb31c0d15f39fc35eeafe3542a4c81f007d51b8086aecf9
SHA512:	bd89c4061b3dfd6cf236af842e5b6f1617198806fe887339ef54e9ad44d69bb32c97744b888a42b85f2b8cc6a08e7dd66ddb4d4eafd1b69ff9e50e64b12582ea
SSDEEP:	3072:eahKyd2n31w5GWp1icKAArDZz4N9GhbkrNEkGXuk:eahOwp0yN90QEn
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6...7...6...7...6...7...6...7...6...6...6...7...6..o6...6...7...6Rich...6................PE..d................."

Signature Hits	Behavior Group	Mitre Attack
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Found evasive API chain checking for process token information	Malware Analysis System Evasion	Native API Access Token Manipulation
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Contains functionality for error logging	System Summary	Access Token Manipulation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to read ini properties file for application configuration	Persistence and Installation Behavior
Contains functionality to register its own exception handler	Anti Debugging
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder Access Token Manipulation File and Directory Discovery
Creates temporary files	System Summary
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Users\user\AppData\Local\Temp\IXP000.TMP\Open.cmd

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\Open.cmd
Category:	dropped
Dump:	Open.cmd.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Open.EXE
Type:	ASCII text, with no line terminators
Entropy:	4.666470720147067
Encrypted:	false
Ssdeep:	3:IdEBEUoy5n+Aa769pB5QJzd:/BEFy5+Aa+zQd
Size:	67
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Windows\System32\cmd.exe

cmd /c \\fada-planner\Other\RevitTool\01_ToolList\files\3_PLC\exe\3\Open.cmd

Details

Is windows:	true
Is dropped:	false
PID:	6964
Target ID:	1
Parent PID:	6792
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	cmd /c \\fada-planner\Other\RevitTool\01_ToolList\files\3_PLC\exe\3\Open.cmd
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	04:59:56
Date:	24/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff60b1e0000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\Open.EXE

"C:\Users\user\Desktop\Open.EXE"

Details

Is windows:	false
Is dropped:	false
PID:	6792
Target ID:	0
Parent PID:	2580
Name:	Open.EXE
Path:	C:\Users\user\Desktop\Open.EXE
Commandline:	"C:\Users\user\Desktop\Open.EXE"
Size:	155136
MD5:	71B721A82F1DB2747FAD1DF78E11F2EC
Time:	04:59:56
Date:	24/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff73f980000
Modulesize:	176128
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3760
Target ID:	2
Parent PID:	6964
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	04:59:56
Date:	24/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"

Details

Is windows:	true
Is dropped:	false
PID:	6700
Target ID:	3
Parent PID:	2580
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Size:	71680
MD5:	EF3179D498793BF4234F708D3BE28633
Time:	05:00:06
Date:	24/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6e5820000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

wextract_cleanup0

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value name:	wextract_cleanup0
Value data:	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

28C076E5000

heap

page read and write

28C07640000

heap

page read and write

28C0767B000

heap

page read and write

7FF73F98E000

unkown

page readonly

2A5BE4D0000

heap

page read and write

2A5BE8C0000

heap

page read and write

7FF73F98C000

unkown

page write copy

28C0767B000

heap

page read and write

28C07670000

heap

page read and write

7FF73F98C000

unkown

page read and write

2A5BE6E0000

heap

page read and write

28C0764D000

heap

page read and write

2A5BE6C0000

heap

page read and write

28C076BE000

heap

page read and write

28C07855000

heap

page read and write

28C0767B000

heap

page read and write

28C074C0000

heap

page read and write

28C076E6000

heap

page read and write

28C076E6000

heap

page read and write

28C07620000

heap

page read and write

28C07730000

heap

page read and write

7FF73F989000

unkown

page readonly

28C07850000

heap

page read and write

7FF73F989000

unkown

page readonly

7FF73F981000

unkown

page execute read

9C5251D000

stack

page read and write

28C07670000

heap

page read and write

28C076BB000

heap

page read and write

28C076E6000

heap

page read and write

2A5BE4F8000

heap

page read and write

7FF73F980000

unkown

page readonly

C4626FC000

stack

page read and write

28C07648000

heap

page read and write

9C528FF000

stack

page read and write

28C076E5000

heap

page read and write

7FF73F98E000

unkown

page readonly

28C0764D000

heap

page read and write

7FF73F981000

unkown

page execute read

28C0767B000

heap

page read and write

28C077A3000

heap

page read and write

7FF73F980000

unkown

page readonly

9C5287E000

stack

page read and write

2A5BFF50000

heap

page read and write

C46277E000

stack

page read and write

2A5BE4F0000

heap

page read and write

C4627FE000

stack

page read and write

28C0767B000

heap

page read and write

28C07628000

heap

page read and write

28C0785A000

heap

page read and write

9C5259E000

stack

page read and write

28C09E3A000

heap

page read and write

28C076CD000

heap

page read and write

28C0767D000

heap

page read and write

28C076C2000

heap

page read and write

28C077A0000

heap

page read and write

28C075A0000

heap

page read and write

28C07649000

heap

page read and write

28C0767B000

heap

page read and write

28C075C0000

heap

page read and write

28C09530000

trusted library allocation

page read and write

28C09D30000

heap

page read and write

28C07640000

heap

page read and write

9C5249B000

stack

page read and write

2A5BE8C5000

heap

page read and write

There are 54 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Open.EXE

Files

Processes

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOpen.EXE

Files

Processes

Registry

Memdumps

IOC Report
Open.EXE