Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.92798924547791
Filename:	Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe
Filesize:	574472
MD5:	34730f3da822589c3b36ec7197ede429
SHA1:	666691e4d03bb9d885184e80d5ec5639ef56a886
SHA256:	deb91032be610ab0761ed5e1076877458b9adbbbf79ae250672fc1c2f5fc8d0a
SHA512:	5eba3f2ef8b28939fd81dff93ceffcd88635f99821ba67302b490644082e18389384fcf9dda98da5b93e5949f2d257274fee082c3e1ee4dede39e3486e37220a
SSDEEP:	12288:EYIPXjVIGzJReCstSBtlhZPhYriyAkwTiaM5ykR:EYIPLtailrPhYuowTiD
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... ...............0.................. ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation
.NET source code contains potential unpacker	Data Obfuscation	Access Token Manipulation Software Packing
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Machine Learning detection for sample	AV Detection
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Access Token Manipulation
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information	Ingress Tool Transfer
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Tries to steal Mail credentials (via file registry)	Stealing of Sensitive Information	Credentials in Registry
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if the current process is being debugged	Anti Debugging
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates processes with suspicious names	Persistence and Installation Behavior
Detected potential crypto function	System Summary	Access Token Manipulation Encrypted Channel
Enables debug privileges	Anti Debugging
Found potential string decryption / allocating functions	System Summary
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion File and Directory Discovery
One or more processes crash	System Summary
PE / OLE file has an invalid certificate	System Summary	File and Directory Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
.NET source code contains methods with suspicious names	System Summary	Disable or Modify Tools
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary	Access Token Manipulation
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	Access Token Manipulation
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary	Access Token Manipulation

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SIV50C2VQTB0P0PT_c32e84ebc64fed548d6828e72decc9907242fb41_3d54c267_e087f265-1305-4ae3-80f3-8ef54b7d0dee\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SIV50C2VQTB0P0PT_c32e84ebc64fed548d6828e72decc9907242fb41_3d54c267_e087f265-1305-4ae3-80f3-8ef54b7d0dee\Report.wer
Category:	dropped
Dump:	Report.wer.6.dr
ID:	dr_3
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	1.2005771929252098
Encrypted:	false
Ssdeep:	192:/i0nQPf+0BU/SaGOJo1ZrFcadzuiFjbZ24IO8TO:9nQPNBU/SahPadzuiFHY4IO8TO
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER63DD.tmp.dmp

Mini DuMP crash report, 15 streams, Thu Apr 25 07:41:56 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER63DD.tmp.dmp
Category:	dropped
Dump:	WER63DD.tmp.dmp.6.dr
ID:	dr_5
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 15 streams, Thu Apr 25 07:41:56 2024, 0x1205a4 type
Entropy:	4.271778087216056
Encrypted:	false
Ssdeep:	3072:NVdJgt/jMYLtrvXMyDU4uEqnaj5wTLTg6ZMAbnEU9H:NVU1YYFfMyDU4P9YTgi
Size:	333270
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6555.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6555.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER6555.tmp.WERInternalMetadata.xml.6.dr
ID:	dr_6
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.707189967409724
Encrypted:	false
Ssdeep:	192:R6l7wVeJ4I6CC6Y92SU9NBTUgmfZUxprnk89bsLsfekm:R6lXJ36CC6Y8SU9TogmfGbBsQf0
Size:	8496
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6575.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6575.tmp.xml
Category:	dropped
Dump:	WER6575.tmp.xml.6.dr
ID:	dr_7
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.54495953392849
Encrypted:	false
Ssdeep:	48:cvIwWl8zsfJg77aI9orWpW8VYTPYm8M4JzOD7kFKrrX+q8vHOD7W1sEKd:uIjfBI7Sa7VWSJzErrXKHF1sEKd
Size:	4850
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe.log

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe.log
Category:	modified
Dump:	Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE / OLE file has an invalid certificate	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\188E93\31437F.lck

very short file (no magic)

dropped

Details

File:	C:\Users\user\AppData\Roaming\188E93\31437F.lck
Category:	dropped
Dump:	31437F.lck.3.dr
ID:	dr_1
Target ID:	3
Process:	C:\Users\user\Desktop\Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe
Type:	very short file (no magic)
Entropy:	0.0
Encrypted:	false
Ssdeep:	3:U:U
Size:	1
Whitelisted:	true
Reputation:	high

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Users\user\Desktop\Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe
Type:	data
Entropy:	1.0424600748477153
Encrypted:	false
Ssdeep:	3:/lbq:4
Size:	46
Whitelisted:	false
Reputation:	high

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.6.dr
ID:	dr_4
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.466018011526116
Encrypted:	false
Ssdeep:	6144:jIXfpi67eLPU9skLmb0b4sWSPKaJG8nAgejZMMhA2gX4WABl0uN1dwBCswSbB:0XD94sWlLZMM6YFHP+B
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe

"C:\Users\user\Desktop\Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5516
Target ID:	0
Parent PID:	2580
Name:	Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe
Path:	C:\Users\user\Desktop\Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe
Commandline:	"C:\Users\user\Desktop\Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe"
Size:	574472
MD5:	34730F3DA822589C3B36EC7197EDE429
Time:	09:41:52
Date:	25/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc90000
Modulesize:	589824
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Lokibot	Stealing of Sensitive Information
Yara detected Lokibot	Stealing of Sensitive Information, Remote Access Functionality
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected aPLib compressed binary	Data Obfuscation
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe

"C:\Users\user\Desktop\Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3196
Target ID:	2
Parent PID:	5516
Name:	Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe
Path:	C:\Users\user\Desktop\Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe
Commandline:	"C:\Users\user\Desktop\Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe"
Size:	574472
MD5:	34730F3DA822589C3B36EC7197EDE429
Time:	09:41:55
Date:	25/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x330000
Modulesize:	589824
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Lokibot	Stealing of Sensitive Information
Yara detected Lokibot	Stealing of Sensitive Information, Remote Access Functionality
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected aPLib compressed binary	Data Obfuscation
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe

"C:\Users\user\Desktop\Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6536
Target ID:	3
Parent PID:	5516
Name:	Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe
Path:	C:\Users\user\Desktop\Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe
Commandline:	"C:\Users\user\Desktop\Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe"
Size:	574472
MD5:	34730F3DA822589C3B36EC7197EDE429
Time:	09:41:55
Date:	25/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xa00000
Modulesize:	589824
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Lokibot	Stealing of Sensitive Information
Yara detected Lokibot	Stealing of Sensitive Information, Remote Access Functionality
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected aPLib compressed binary	Data Obfuscation
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 1376

Details

Is windows:	true
Is dropped:	false
PID:	7208
Target ID:	6
Parent PID:	5516
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 1376
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	09:41:55
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xbb0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.top/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.trade/alien/fre.php

http://45.77.223.48/~blog/?ajax=ee

45.77.223.48

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.fontbureau.com

unknown

http://www.fontbureau.com/designersG

unknown

http://www.fontbureau.com/designers/?

unknown

http://www.founder.com.cn/cn/bThe

unknown

http://www.fontbureau.com/designers?

unknown

http://www.ibsensoftware.com/

unknown

http://www.tiro.com

unknown

http://upx.sf.net

unknown

http://www.fontbureau.com/designers

unknown

http://www.goodfont.co.kr

unknown

https://www.chiark.greenend.org.uk/~sgtatham/putty/0

unknown

http://www.carterandcone.coml

unknown

http://www.sajatypeworks.com

unknown

http://www.typography.netD

unknown

http://www.fontbureau.com/designers/cabarga.htmlN

unknown

http://www.founder.com.cn/cn/cThe

unknown

http://www.galapagosdesign.com/staff/dennis.htm

unknown

http://www.founder.com.cn/cn

unknown

http://www.fontbureau.com/designers/frere-user.html

unknown

http://www.jiyu-kobo.co.jp/

unknown

http://www.galapagosdesign.com/DPlease

unknown

http://www.fontbureau.com/designers8

unknown

http://www.fonts.com

unknown

http://www.sandoll.co.kr

unknown

http://www.urwpp.deDPlease

unknown

http://www.zhongyicts.com.cn

unknown

http://www.sakkal.com

unknown

There are 23 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

45.77.223.48

unknown

United States

Details

IP:	45.77.223.48
TargetID:	3
Current Path:	C:\Users\user\Desktop\Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe
Country:	United States
Countrycode:	USA
ASN number:	20473
ASN name:	AS-CHOOPAUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

\REGISTRY\A\{355664cc-30fa-5001-cf8f-baf7494a6839}\Root\InventoryApplicationFile\awb# 1294440291;|a535341c17150b8d

ProgramId

\REGISTRY\A\{355664cc-30fa-5001-cf8f-baf7494a6839}\Root\InventoryApplicationFile\awb# 1294440291;|a535341c17150b8d

FileId

\REGISTRY\A\{355664cc-30fa-5001-cf8f-baf7494a6839}\Root\InventoryApplicationFile\awb# 1294440291;|a535341c17150b8d

LowerCaseLongPath

\REGISTRY\A\{355664cc-30fa-5001-cf8f-baf7494a6839}\Root\InventoryApplicationFile\awb# 1294440291;|a535341c17150b8d

LongPathHash

\REGISTRY\A\{355664cc-30fa-5001-cf8f-baf7494a6839}\Root\InventoryApplicationFile\awb# 1294440291;|a535341c17150b8d

Name

\REGISTRY\A\{355664cc-30fa-5001-cf8f-baf7494a6839}\Root\InventoryApplicationFile\awb# 1294440291;|a535341c17150b8d

OriginalFileName

\REGISTRY\A\{355664cc-30fa-5001-cf8f-baf7494a6839}\Root\InventoryApplicationFile\awb# 1294440291;|a535341c17150b8d

Publisher

\REGISTRY\A\{355664cc-30fa-5001-cf8f-baf7494a6839}\Root\InventoryApplicationFile\awb# 1294440291;|a535341c17150b8d

Version

\REGISTRY\A\{355664cc-30fa-5001-cf8f-baf7494a6839}\Root\InventoryApplicationFile\awb# 1294440291;|a535341c17150b8d

BinFileVersion

\REGISTRY\A\{355664cc-30fa-5001-cf8f-baf7494a6839}\Root\InventoryApplicationFile\awb# 1294440291;|a535341c17150b8d

BinaryType

\REGISTRY\A\{355664cc-30fa-5001-cf8f-baf7494a6839}\Root\InventoryApplicationFile\awb# 1294440291;|a535341c17150b8d

ProductName

\REGISTRY\A\{355664cc-30fa-5001-cf8f-baf7494a6839}\Root\InventoryApplicationFile\awb# 1294440291;|a535341c17150b8d

ProductVersion

\REGISTRY\A\{355664cc-30fa-5001-cf8f-baf7494a6839}\Root\InventoryApplicationFile\awb# 1294440291;|a535341c17150b8d

LinkDate

\REGISTRY\A\{355664cc-30fa-5001-cf8f-baf7494a6839}\Root\InventoryApplicationFile\awb# 1294440291;|a535341c17150b8d

BinProductVersion

\REGISTRY\A\{355664cc-30fa-5001-cf8f-baf7494a6839}\Root\InventoryApplicationFile\awb# 1294440291;|a535341c17150b8d

AppxPackageFullName

\REGISTRY\A\{355664cc-30fa-5001-cf8f-baf7494a6839}\Root\InventoryApplicationFile\awb# 1294440291;|a535341c17150b8d

AppxPackageRelativeId

\REGISTRY\A\{355664cc-30fa-5001-cf8f-baf7494a6839}\Root\InventoryApplicationFile\awb# 1294440291;|a535341c17150b8d

Size

\REGISTRY\A\{355664cc-30fa-5001-cf8f-baf7494a6839}\Root\InventoryApplicationFile\awb# 1294440291;|a535341c17150b8d

Language

\REGISTRY\A\{355664cc-30fa-5001-cf8f-baf7494a6839}\Root\InventoryApplicationFile\awb# 1294440291;|a535341c17150b8d

Usn

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

ClockTimeSeconds

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

TickCount

There are 11 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

FC8000

heap

page read and write

9480000

trusted library section

page read and write

40C9000

trusted library allocation

page read and write

313D000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

4C4D000

trusted library allocation

page read and write

4AB7000

trusted library allocation

page read and write

1110000

heap

page read and write

2DB6000

trusted library allocation

page execute and read and write

582B000

stack

page read and write

1310000

heap

page read and write

1300000

trusted library allocation

page read and write

55A0000

trusted library allocation

page execute and read and write

5BCE000

stack

page read and write

5590000

heap

page execute and read and write

DA9000

stack

page read and write

30BF000

stack

page read and write

5690000

trusted library allocation

page read and write

2EB0000

trusted library allocation

page read and write

C90000

unkown

page readonly

1303000

trusted library allocation

page read and write

7B81000

trusted library allocation

page read and write

125E000

stack

page read and write

150E000

stack

page read and write

7AA7000

heap

page read and write

5520000

trusted library allocation

page read and write

3366000

trusted library allocation

page read and write

2DC2000

trusted library allocation

page read and write

7560000

trusted library allocation

page read and write

497E000

trusted library allocation

page read and write

969E000

stack

page read and write

130D000

trusted library allocation

page execute and read and write

2EC0000

heap

page read and write

8010000

trusted library allocation

page read and write

3070000

trusted library allocation

page read and write

586E000

stack

page read and write

2DC0000

trusted library allocation

page read and write

D1C000

unkown

page readonly

336C000

trusted library allocation

page read and write

58EE000

stack

page read and write

B80000

heap

page read and write

32D9000

trusted library allocation

page read and write

35F2000

trusted library allocation

page read and write

B85000

heap

page read and write

2E90000

trusted library allocation

page execute and read and write

947E000

stack

page read and write

3368000

trusted library allocation

page read and write

5AA0000

trusted library allocation

page read and write

12E0000

trusted library allocation

page read and write

5580000

heap

page read and write

2E2E000

stack

page read and write

B9A0000

trusted library allocation

page read and write

2F6F000

stack

page read and write

59FD000

stack

page read and write

FBE000

stack

page read and write

2E70000

heap

page read and write

2FBE000

stack

page read and write

7B60000

trusted library allocation

page execute and read and write

5679000

trusted library allocation

page read and write

1140000

heap

page read and write

33D0000

trusted library allocation

page read and write

4A0000

remote allocation

page execute and read and write

12FD000

trusted library allocation

page execute and read and write

131A000

heap

page read and write

40C1000

trusted library allocation

page read and write

7C80000

trusted library allocation

page execute and read and write

1120000

heap

page read and write

2DAF000

stack

page read and write

102D000

heap

page read and write

FC0000

heap

page read and write

56F3000

heap

page read and write

7C90000

trusted library allocation

page execute and read and write

128F000

stack

page read and write

13E8000

heap

page read and write

56E0000

heap

page read and write

4930000

trusted library allocation

page read and write

12F4000

trusted library allocation

page read and write

12C0000

heap

page read and write

7BCE000

stack

page read and write

5AC5000

heap

page read and write

BE0000

heap

page read and write

7960000

heap

page read and write

7BE0000

trusted library section

page read and write

F40000

heap

page read and write

5A80000

trusted library allocation

page read and write

EFB000

stack

page read and write

7A60000

heap

page read and write

1344000

heap

page read and write

C92000

unkown

page readonly

B4D9000

trusted library allocation

page read and write

3362000

trusted library allocation

page read and write

58AE000

stack

page read and write

30D0000

heap

page read and write

2DE0000

trusted library allocation

page read and write

635F000

stack

page read and write

5670000

trusted library allocation

page read and write

3347000

trusted library allocation

page read and write

6470000

heap

page read and write

7BD0000

trusted library allocation

page read and write

B1C000

stack

page read and write

12F3000

trusted library allocation

page execute and read and write

3126000

trusted library allocation

page read and write

7FB0000

trusted library section

page read and write

56A0000

trusted library allocation

page read and write

5650000

trusted library allocation

page read and write

1145000

heap

page read and write

56C0000

trusted library section

page readonly

7AA2000

heap

page read and write

FEE000

heap

page read and write

13DA000

heap

page read and write

12A0000

heap

page read and write

2EA0000

trusted library allocation

page read and write

B930000

heap

page read and write

3360000

trusted library allocation

page read and write

2DB0000

trusted library allocation

page read and write

49CC000

trusted library allocation

page read and write

56D0000

heap

page read and write

1337000

heap

page read and write

51B9000

stack

page read and write

7C10000

trusted library allocation

page read and write

6460000

heap

page read and write

7A7C000

heap

page read and write

7D9E000

stack

page read and write

5A90000

trusted library allocation

page execute and read and write

2DBA000

trusted library allocation

page execute and read and write

645E000

stack

page read and write

58F0000

heap

page read and write

7C70000

trusted library allocation

page read and write

12A8000

heap

page read and write

1350000

heap

page read and write

3091000

trusted library allocation

page read and write

3096000

trusted library allocation

page read and write

B90000

heap

page read and write

3172000

trusted library allocation

page read and write

5AB0000

trusted library allocation

page execute and read and write

B8CE000

heap

page read and write

2DB2000

trusted library allocation

page read and write

64AB000

heap

page read and write

309D000

trusted library allocation

page read and write

1352000

heap

page read and write

300E000

stack

page read and write

56F0000

heap

page read and write

937E000

stack

page read and write

10F7000

stack

page read and write

30B0000

heap

page execute and read and write

3364000

trusted library allocation

page read and write

5680000

trusted library allocation

page execute and read and write

30C0000

heap

page read and write

F50000

heap

page read and write

5AC0000

heap

page read and write

5515000

trusted library allocation

page read and write

64A7000

heap

page read and write

94A0000

heap

page read and write

7582000

trusted library allocation

page read and write

30C1000

trusted library allocation

page read and write

2DCB000

trusted library allocation

page execute and read and write

5510000

trusted library allocation

page read and write

2E6B000

stack

page read and write

308E000

trusted library allocation

page read and write

8015000

trusted library allocation

page read and write

129E000

stack

page read and write

5500000

trusted library allocation

page read and write

4C67000

trusted library allocation

page read and write

5540000

trusted library allocation

page read and write

7B70000

trusted library section

page read and write

33D2000

trusted library allocation

page read and write

7A68000

heap

page read and write

BDE000

stack

page read and write

2DC7000

trusted library allocation

page execute and read and write

12F0000

trusted library allocation

page read and write

7ACA000

heap

page read and write

131E000

heap

page read and write

336A000

trusted library allocation

page read and write

313A000

trusted library allocation

page read and write

2FCE000

stack

page read and write

There are 165 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportAwb# 1294440291; 2 ki_n; G.W 3.30 KG.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe