Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

gjswzjReaderper-3.0.20.0830-setup.exe

PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy:	7.997633159974445
Filename:	gjswzjReaderper-3.0.20.0830-setup.exe
Filesize:	43905970
MD5:	a7c299857bd7e06b39e75c3fdd1cd79a
SHA1:	8943f80e37b700af13b85671b02c4a263010f3e0
SHA256:	64c208865c75b600548e0eeb11164f4ff3803a9af25f20a692ef4dca5db9e229
SHA512:	cea4347dd730a154ee8a02f1437ca7c1d9da4f22e29397918db70cd28a7f3d17bdfffa626bdd7c54d83399cf338e0da2615639a25d4adfb2c21ace2688eb9ba8
SSDEEP:	786432:RZZNvrFaGwhO6zptC/Kt7LQ2vdkTDZEJUa60ngNQBZyxdP22IcChO:RZZFROXpk/Kt7LbFY6Fn0eyxd+w
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.ydx..7x..7x..7_Hz7{..7_Hl7i..7x..7...7q..7s..7q..7y..7q..7y..7Richx..7........................PE..L....l.K.................h.

Signature Hits	Behavior Group	Mitre Attack
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary
Uses taskkill to terminate processes	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality to check free disk space	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to instantiate COM classes	System Summary
Contains functionality to query windows version	Language, Device and Operating System Detection
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\nse9EE9.tmp\FindProcDLL.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nse9EE9.tmp\FindProcDLL.dll
Category:	dropped
Dump:	FindProcDLL.dll.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.165077372684798
Encrypted:	false
Ssdeep:	384:jZoRF0XXUuJReQg0Tw67ADWBTgmldIogUD3GLgFmyaX/fVYcWJQCDmrinogRdBl:jZaF0HtTwuz9yu3KgwRX1nWJ1q+noI
Size:	28160
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\nse9EE9.tmp\System.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nse9EE9.tmp\System.dll
Category:	dropped
Dump:	System.dll.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	5.757244749345054
Encrypted:	false
Ssdeep:	192:sRer7uivwq1XpKs4FVWSjMd8tIg2cREbyCsZ8q2R4Sy+Xe:s67Xws4FVWig86/5eCBqSy+Xe
Size:	11264
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\nse9EE9.tmp\modern-header.bmp

PC bitmap, Windows 3.x format, 150 x 57 x 8, resolution 2834 x 2834 px/m, cbSize 9744, bits offset 1078

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nse9EE9.tmp\modern-header.bmp
Category:	dropped
Dump:	modern-header.bmp.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe
Type:	PC bitmap, Windows 3.x format, 150 x 57 x 8, resolution 2834 x 2834 px/m, cbSize 9744, bits offset 1078
Entropy:	7.452812340709168
Encrypted:	false
Ssdeep:	192:6K3Taw+vLvvswRvyb7qY1eL5qDJD8CUNObWF/U0p3+i8Esub:6MOLzYQdqDJHsxcWPX
Size:	9744
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\nse9EE9.tmp\modern-wizard.bmp

PC bitmap, Windows 3.x format, 164 x 314 x 24, image size 154488, resolution 3780 x 3780 px/m, cbSize 154542, bits offset 54

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nse9EE9.tmp\modern-wizard.bmp
Category:	dropped
Dump:	modern-wizard.bmp.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe
Type:	PC bitmap, Windows 3.x format, 164 x 314 x 24, image size 154488, resolution 3780 x 3780 px/m, cbSize 154542, bits offset 54
Entropy:	4.633178892228311
Encrypted:	false
Ssdeep:	192:k6bVxiCg74JgoLt6yNMgvPAeBgm32WE33XV6h5UXnuDGtTKtYcx9PvYRBMS+Z6bz:uty/hTaVEpMh7Zyk1p
Size:	154542
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\nse9EE9.tmp\nsDialogs.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

modified

Details

File:	C:\Users\user\AppData\Local\Temp\nse9EE9.tmp\nsDialogs.dll
Category:	modified
Dump:	nsDialogs.dll.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	5.131946648363094
Encrypted:	false
Ssdeep:	192:y1zQhZDqlJcKISw99ioU3MSfwLF/+nhHUisdz:ozoZDGKYw9goWyFGBU7z
Size:	9728
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\nse9EE9.tmp\nsExec.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nse9EE9.tmp\nsExec.dll
Category:	dropped
Dump:	nsExec.dll.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	5.564304323649342
Encrypted:	false
Ssdeep:	96:/Uspq2y5jOEEQrhySvUgfj74/vvrTBzfYZA4YF3Telac1nIq/2:/erjOELhySv5f2vvBjiAflaB1nIq
Size:	6144
Whitelisted:	true
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe

"C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6076
Target ID:	0
Parent PID:	4056
Name:	gjswzjReaderper-3.0.20.0830-setup.exe
Path:	C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe
Commandline:	"C:\Users\user\Desktop\gjswzjReaderper-3.0.20.0830-setup.exe"
Size:	43905970
MD5:	A7C299857BD7E06B39E75C3FDD1CD79A
Time:	08:23:20
Date:	24/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1937408
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /t /im gjswzjReader.exe

Details

Is windows:	true
Is dropped:	false
PID:	6156
Target ID:	3
Parent PID:	6076
Name:	taskkill.exe
Path:	C:\Windows\SysWOW64\taskkill.exe
Commandline:	taskkill /f /t /im gjswzjReader.exe
Size:	74240
MD5:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Time:	08:23:20
Date:	24/04/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x970000
Modulesize:	86016
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses taskkill to terminate processes	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6400
Target ID:	4
Parent PID:	6156
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	08:23:20
Date:	24/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://nsis.sf.net/NSIS_ErrorError

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

8EB000

heap

page read and write

2F7A000

heap

page read and write

314F000

stack

page read and write

900000

heap

page read and write

5E0000

heap

page read and write

890000

heap

page read and write

29C0000

heap

page read and write

4E9F000

stack

page read and write

2F60000

heap

page read and write

2F8D000

heap

page read and write

2F7A000

heap

page read and write

5D1000

unkown

page readonly

2F85000

heap

page read and write

904000

heap

page read and write

4F60000

heap

page read and write

408000

unkown

page readonly

2F94000

heap

page read and write

2E10000

heap

page read and write

28D0000

direct allocation

page read and write

2EA0000

heap

page read and write

412000

unkown

page read and write

6EE0D000

unkown

page read and write

916000

heap

page read and write

2FAB000

heap

page read and write

2B6C000

stack

page read and write

6C0000

heap

page read and write

911000

heap

page read and write

710000

heap

page read and write

218E000

stack

page read and write

914000

heap

page read and write

8BA000

heap

page read and write

2F7D000

heap

page read and write

2FBD000

heap

page read and write

2FA8000

heap

page read and write

2F88000

heap

page read and write

2F7E000

heap

page read and write

2A80000

heap

page read and write

4E5E000

stack

page read and write

4F1F000

stack

page read and write

2F94000

heap

page read and write

6EDF0000

unkown

page readonly

2A51000

unkown

page execute read

921000

heap

page read and write

2A56000

unkown

page readonly

2F5C000

heap

page read and write

2F5C000

heap

page read and write

10001000

unkown

page execute read

2E9E000

unkown

page read and write

2A91000

heap

page read and write

2284000

heap

page read and write

2A84000

heap

page read and write

4F30000

heap

page read and write

98000

stack

page read and write

2FA2000

heap

page read and write

911000

heap

page read and write

2FBF000

heap

page read and write

911000

heap

page read and write

2F91000

heap

page read and write

955000

heap

page read and write

5D1000

unkown

page readonly

900000

heap

page read and write

2F96000

heap

page read and write

2ED0000

heap

page read and write

2F87000

heap

page read and write

90F000

heap

page read and write

28F0000

heap

page read and write

31F6000

heap

page read and write

2BAC000

stack

page read and write

2F93000

heap

page read and write

28F4000

heap

page read and write

2F90000

heap

page read and write

41E000

unkown

page read and write

92F000

heap

page read and write

469000

unkown

page read and write

911000

heap

page read and write

2F7A000

heap

page read and write

8FB000

heap

page read and write

21DE000

stack

page read and write

2F48000

heap

page read and write

2FB9000

heap

page read and write

6EE0F000

unkown

page readonly

2A50000

unkown

page readonly

2270000

heap

page read and write

2F84000

heap

page read and write

2E5D000

unkown

page read and write

715000

heap

page read and write

911000

heap

page read and write

909000

heap

page read and write

2280000

heap

page read and write

954000

heap

page read and write

2F40000

heap

page read and write

27CE000

stack

page read and write

2F60000

heap

page read and write

4EDE000

stack

page read and write

911000

heap

page read and write

10005000

unkown

page readonly

2F1E000

stack

page read and write

40A000

unkown

page write copy

19A000

stack

page read and write

401000

unkown

page execute read

408000

unkown

page readonly

8B0000

heap

page read and write

8FB000

heap

page read and write

31F0000

heap

page read and write

8FB000

heap

page read and write

401000

unkown

page execute read

2F6A000

heap

page read and write

2FAA000

heap

page read and write

8FB000

heap

page read and write

31CF000

stack

page read and write

911000

heap

page read and write

400000

unkown

page readonly

2F89000

heap

page read and write

911000

heap

page read and write

935000

heap

page read and write

10000000

unkown

page readonly

2ED5000

heap

page read and write

2A53000

unkown

page readonly

2FA4000

heap

page read and write

40A000

unkown

page read and write

2F94000

heap

page read and write

2F82000

heap

page read and write

6EE06000

unkown

page readonly

318E000

stack

page read and write

28CF000

stack

page read and write

21E5000

heap

page read and write

2900000

direct allocation

page read and write

2FAE000

heap

page read and write

2FBA000

heap

page read and write

8BE000

heap

page read and write

2FB1000

heap

page read and write

10003000

unkown

page readonly

2F7A000

heap

page read and write

2F5E000

heap

page read and write

2F94000

heap

page read and write

910000

heap

page read and write

2A90000

heap

page read and write

717000

heap

page read and write

6EDF1000

unkown

page execute read

2F69000

heap

page read and write

911000

heap

page read and write

2F88000

heap

page read and write

911000

heap

page read and write

935000

heap

page read and write

2FA0000

heap

page read and write

911000

heap

page read and write

400000

unkown

page readonly

21E0000

heap

page read and write

There are 138 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
gjswzjReaderper-3.0.20.0830-setup.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportgjswzjReaderper-3.0.20.0830-setup.exe

Files

Processes

URLs

Memdumps

IOC Report
gjswzjReaderper-3.0.20.0830-setup.exe