Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Documento_Remisorio_Activo_N#8475684756..exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.8732996504994155
Filename:	Documento_Remisorio_Activo_N#8475684756..exe
Filesize:	1313328
MD5:	636600655d1c0ebdf3073f0f6afb6509
SHA1:	34fff619fe1d3caac84ba88f30cc83ac0dab9f3f
SHA256:	46cfebde9e8cadfefc9c1324f9b250b9488c25c59212438de071ceec81b71967
SHA512:	db81237cefac5538bd14c6ef8542322452bd8ee31b2e54675bf964cc328be0c928e15fc4e1e4c7dd71612f50a524ac9085cdafbe2687c3d0db50e893fe2c895e
SSDEEP:	24576:nOZ4A1k8wwE6fibNsRt7Z+rJ+6rJlC9wtVUf6UCu8z35so2etaC:LA1iwiZqt7ZeI8JlC9wtVUf6UCu+yo2s
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W.............A..................................y............A.......A..........8...........................Rich...........

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to infect the boot sector	Persistence and Installation Behavior, Boot Survival	Bootkit
Drops PE files to the document folder of the user	Persistence and Installation Behavior
Drops large PE files	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Compiles C# or VB.Net code	Data Obfuscation
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	System Time Discovery Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
Found large amount of non-executed APIs	Malware Analysis System Evasion	System Time Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
PE / OLE file has an invalid certificate	System Summary	File and Directory Discovery
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Security Software Discovery
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools Obfuscated Files or Information
Contains functionality to check free disk space	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary	Security Software Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder File and Directory Discovery
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Security Software Discovery
Sample reads its own file content	System Summary	Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\Documents\ChromeUpdate\cr0wdik.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\Documents\ChromeUpdate\cr0wdik.exe
Category:	dropped
Dump:	cr0wdik.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	0.025967928040329075
Encrypted:	false
Size:	800000000
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Drops PE files to the document folder of the user	Persistence and Installation Behavior
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe

"C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe"

Details

Is windows:	false
Is dropped:	false
PID:	4980
Target ID:	0
Parent PID:	4004
Name:	Documento_Remisorio_Activo_N#8475684756..exe
Path:	C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe
Commandline:	"C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe"
Size:	1313328
MD5:	636600655D1C0EBDF3073F0F6AFB6509
Time:	14:22:12
Date:	24/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1335296
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Initial sample is a PE file and has a suspicious name	System Summary
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery
PE / OLE file has an invalid certificate	System Summary
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

Details

Is windows:	true
Is dropped:	false
PID:	712
Target ID:	3
Parent PID:	4980
Name:	csc.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Size:	2141552
MD5:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Time:	14:22:32
Date:	24/04/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xdc0000
Modulesize:	2158592
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Yara detected DcRat	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Compiles C# or VB.Net code	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t

unknown

http://www.360totalsecurity.com/d/ts/%s/%s/channelOpen

unknown

http://ocsp.sectigo.com0

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	3
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Source:	csc.exe, 00000003.00000002.3356996740.0000000006F81000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#

unknown

http://s.360safe.com/safei18n/

unknown

https://sectigo.com/CPS0D

unknown

Domains

Name

Malicious

procesolargovalelapena222.dynuddns.net

45.95.169.113

Details

Name:	procesolargovalelapena222.dynuddns.net
IP:	45.95.169.113
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses dynamic DNS services	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

45.95.169.113

procesolargovalelapena222.dynuddns.net

Croatia (LOCAL Name: Hrvatska)

Details

IP:	45.95.169.113
TargetID:	3
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Country:	Croatia (LOCAL Name: Hrvatska)
Countrycode:	HRV
ASN number:	42864
ASN name:	GIGANET-HUGigaNetInternetServiceProviderCoHU
Private:	false
Domain:	procesolargovalelapena222.dynuddns.net

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Muhandra

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	Muhandra
Value data:	C:\Users\user\Documents\ChromeUpdate\cr0wdik.exe

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

AA2000

remote allocation

page execute and read and write

C02000

direct allocation

page execute and read and write

4D4000

unkown

page execute and read and write

A69000

stack

page read and write

6B70000

trusted library allocation

page read and write

510A000

trusted library allocation

page execute and read and write

51E3000

heap

page read and write

150F000

stack

page read and write

6C40000

heap

page execute and read and write

5107000

trusted library allocation

page execute and read and write

6C30000

trusted library allocation

page read and write

6B50000

trusted library allocation

page read and write

6B2D000

stack

page read and write

5430000

heap

page read and write

C90000

heap

page read and write

1E0000

heap

page read and write

5180000

heap

page read and write

6B60000

trusted library allocation

page read and write

9C000

stack

page read and write

AA0000

remote allocation

page execute and read and write

97BE000

stack

page read and write

511B000

trusted library allocation

page execute and read and write

6C50000

heap

page read and write

B46000

stack

page read and write

401000

unkown

page execute read

E10000

heap

page read and write

51E3000

heap

page read and write

51F2000

heap

page read and write

50F0000

trusted library allocation

page read and write

50ED000

trusted library allocation

page execute and read and write

6B30000

heap

page read and write

51E3000

heap

page read and write

51B8000

heap

page read and write

6B60000

trusted library allocation

page read and write

96BE000

stack

page read and write

51FF000

heap

page read and write

6C30000

trusted library allocation

page read and write

5410000

trusted library allocation

page execute and read and write

51E3000

heap

page read and write

917E000

stack

page read and write

BCE000

stack

page read and write

B8E000

stack

page read and write

400000

unkown

page readonly

50E4000

trusted library allocation

page read and write

51E3000

heap

page read and write

517E000

stack

page read and write

4A7000

unkown

page readonly

5209000

heap

page read and write

4D4000

unkown

page readonly

6B50000

trusted library allocation

page read and write

AAE000

remote allocation

page execute and read and write

1B0F000

stack

page read and write

86C000

stack

page read and write

6D70000

heap

page execute and read and write

5130000

trusted library allocation

page read and write

5110000

trusted library allocation

page read and write

97FE000

stack

page read and write

6BBE000

stack

page read and write

51AB000

heap

page read and write

34A0000

direct allocation

page read and write

5258000

heap

page read and write

6C30000

trusted library allocation

page read and write

C05000

heap

page read and write

6C30000

trusted library allocation

page read and write

6F7F000

stack

page read and write

51F8000

heap

page read and write

401000

unkown

page execute read

5188000

heap

page read and write

4CA000

unkown

page write copy

7F81000

trusted library allocation

page read and write

6C36000

trusted library allocation

page read and write

5420000

trusted library allocation

page read and write

4E1000

unkown

page readonly

6B50000

trusted library allocation

page read and write

BD0000

heap

page readonly

50E3000

trusted library allocation

page execute and read and write

C00000

direct allocation

page execute and read and write

6C10000

trusted library allocation

page read and write

51EF000

heap

page read and write

D60000

heap

page read and write

5214000

heap

page read and write

98FE000

stack

page read and write

6D50000

trusted library allocation

page read and write

5100000

trusted library allocation

page read and write

BE0000

heap

page read and write

E1A000

heap

page read and write

400000

unkown

page readonly

6F81000

trusted library allocation

page read and write

3490000

heap

page read and write

6C0E000

stack

page read and write

4EC000

unkown

page readonly

100000

heap

page read and write

4C9000

unkown

page write copy

4A7000

unkown

page readonly

5117000

trusted library allocation

page execute and read and write

51B6000

heap

page read and write

4EC000

unkown

page readonly

5102000

trusted library allocation

page read and write

6BC0000

heap

page read and write

6C51000

heap

page read and write

E1E000

heap

page read and write

6C30000

trusted library allocation

page read and write

AF0000

heap

page read and write

50D0000

trusted library allocation

page read and write

C0E000

direct allocation

page execute and read and write

4C9000

unkown

page read and write

C00000

heap

page read and write

There are 97 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Documento_Remisorio_Activo_N#8475684756..exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportDocumento_Remisorio_Activo_N#8475684756..exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Documento_Remisorio_Activo_N#8475684756..exe