Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

C:\Windows\System32\GroupPolicy\gpt.ini

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Windows\System32\GroupPolicy\gpt.ini
Category:	modified
Dump:	gpt.ini.11.dr
ID:	dr_4
Target ID:	11
Process:	C:\Users\user\Downloads\rufus-4.4.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.729218757631926
Encrypted:	false
Ssdeep:	3:1ELGUAgKLMzY+eWgTckbnnnVdO/ididid/V7WRERvI3o5a1gaEdpkSTtorFLsRov:1WsMzYHxbnnXO/GGG/W3o5Rnn3zy
Size:	203
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Modifies Group Policy settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Reads ini files	System Summary	File and Directory Discovery
Writes ini files	System Summary	File and Directory Discovery

C:\Users\user\AppData\Local\Temp\RufA552.tmp

Unicode text, UTF-8 text, with very long lines (555), with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\RufA552.tmp
Category:	dropped
Dump:	RufA552.tmp.11.dr
ID:	dr_3
Target ID:	11
Process:	C:\Users\user\Downloads\rufus-4.4.exe
Type:	Unicode text, UTF-8 text, with very long lines (555), with CRLF line terminators
Entropy:	6.377687204868055
Encrypted:	false
Ssdeep:	12288:6sOjPHrtqzy96KTFpNIu/1/VvjIWjzYRpoeJoiWzFhYnUt35IApsS3siHgi0Lcyt:6se96Kl7PjIQne2iWzFhYUt3qGGnj
Size:	1110340
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\Downloads\Unconfirmed 379648.crdownload

PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\Downloads\Unconfirmed 379648.crdownload
Category:	dropped
Dump:	Unconfirmed 379648.crdownload.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy:	7.97162156729447
Encrypted:	false
Ssdeep:	24576:wOyBSB04yZT5Z6iqUbVEMs6MrhXlPrBnr/TwcEgzXIdVWLpuL94q:XgZT5ZSU1fUhXhrBnbTbaAIt
Size:	1432648
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

C:\Users\user\Downloads\a334bdac-aeb5-4013-986b-f4215f2d5b31.tmp

PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\Downloads\a334bdac-aeb5-4013-986b-f4215f2d5b31.tmp
Category:	dropped
Dump:	a334bdac-aeb5-4013-986b-f4215f2d5b31.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy:	7.952074021819274
Encrypted:	false
Ssdeep:	384:Fiy8iU5mJNaQl8PR5zxZwLsJ8trqv7c9u5tiRpl:Fg88Ql81we7+eovl
Size:	16384
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\Downloads\rufus-4.4.exe (copy)

PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\Downloads\rufus-4.4.exe (copy)
Category:	dropped
Dump:	Unconfirmed 379648.crdownload.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy:	7.97162156729447
Encrypted:	false
Ssdeep:	24576:wOyBSB04yZT5Z6iqUbVEMs6MrhXlPrBnr/TwcEgzXIdVWLpuL94q:XgZT5ZSU1fUhXhrBnbTbaAIt
Size:	1432648
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Changes autostart functionality of drives	Spreading	Replication Through Removable Media
Modifies Group Policy settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Contains functionality to communicate with device drivers	System Summary
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read device registry values (via SetupAPI)	Malware Analysis System Evasion	Query Registry
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Enables driver privileges	System Summary	LSASS Driver
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
May infect USB drives	Spreading	Replication Through Removable Media
Queries device information via Setup API	Language, Device and Operating System Detection	System Information Discovery
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local drives	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates mutexes	System Summary
Creates temporary files	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary	System Information Discovery
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Writes ini files	System Summary	File and Directory Discovery
Found window with many clickable UI elements (buttons, textforms, scrollbars etc)	System Summary

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

RAGE Package Format (RPF),

dropped

Details

File:	C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Category:	dropped
Dump:	Registry.pol.11.dr
ID:	dr_5
Target ID:	11
Process:	C:\Users\user\Downloads\rufus-4.4.exe
Type:	RAGE Package Format (RPF),
Entropy:	3.28196439949633
Encrypted:	false
Ssdeep:	12:CfEEaW+ANbV67GmFA+EEbEW+ojWr+feSbMltBOhme:wElANp67K+EncdeRtBu
Size:	398
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Downloads\rufus-4.4.exe

"C:\Users\user\Downloads\rufus-4.4.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1676,4732492817931774946,1826627398002605485,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://therufus.org/download.php"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1676,4732492817931774946,1826627398002605485,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3444 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

URLs

Name

Malicious

https://therufus.org/download.php

https://tortoisesvn.net/

unknown

https://github.com/libtom/libtomcrypt

unknown

https://www.gnu.org/software/fdisk

unknown

https://www.gnu.org/software/grub

unknown

http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0

unknown

http://ocsp.sectigo.com0

unknown

https://systeminformer.sourceforge.io/

unknown

https://svn.reactos.org/reactos/trunk

unknown

http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#

unknown

https://github.com/cupofocha

unknown

https://www.busybox.net/

unknown

https://bit.ly/40qDtyF.

unknown

https://tortoisegit.org/

unknown

https://kolibrios.org/

unknown

https://winscp.net/

unknown

http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#

unknown

https://svn.reactos.org/reactos/trunk/reactos/dll/win32/fmifs

unknown

https://rufus.ie).

unknown

https://rufus.ie/Fido.verz1https://github.com/pbatard/FidoWARNING:

unknown

https://sourceforge.net/projects/smartmontools

unknown

https://www.gnu.org/licenses/gpl-3.0.htmlD

unknown

https://github.com/weidai11/cryptopp/

unknown

https://spclient.wg.spotify.com/v1/live-tile-xml?region=GB&language=en-US

35.186.224.25

http://e2fsprogs.sourceforge.net/

unknown

https://github.com/pbatard/rufus/issues

unknown

https://7-zip.org/openESPWarning:

unknown

https://www.gnupg.org/

unknown

https://gist.github.com/mattifestation/92e545bf1ee5b68eeb71d254cec2f78e

unknown

http://ms-sys.sourceforge.net/

unknown

https://rufus.ie/Fido.ver

unknown

https://github.com/SiderealArt

unknown

https://www.reactos.org/

unknown

http://www.ridgecrop.demon.co.uk/index.htm?fat32format.htm

unknown

https://rufus.ieopen321Failed

unknown

https://rufus.ieRufusRunning

unknown

http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0

unknown

https://rufus.ie/CheckForBetashttps://rufus.ieUsing

unknown

https://rufus.ie/

unknown

https://sectigo.com/CPS0

unknown

https://github.com/kokke/tiny-regex-c

unknown

https://rufus.ie

unknown

http://halamix2.pl

unknown

https://www.gnu.org/software/wget

unknown

https://therufus.org/download.php

104.21.65.18

https://github.com/pbatard/rufus/releases/download/v4.4/rufus-4.4.exe

140.82.113.3

https://github.com/pbatard/rufus/wiki/FAQ#bsods-with-windows-to-go-drives-created-from-windows-10-18

unknown

https://rufus.ie/files

unknown

https://goo.gl/QTobxX.;

unknown

https://axialis.com/

unknown

https://www.freedos.org/

unknown

https://github.com/pbatard/bled

unknown

https://github.com/pbatard/rufus/blob/master/res/loc/ChangeLog.txt

unknown

https://syslinux.org/

unknown

https://rufus.ie/files%s/%s-%s/%sGrub2%s

unknown

https://www.codeguru.com/forum/showthread.php?p=1951973

unknown

http://ocsp.sectigo.com0$

unknown

https://github.com/pbatard/uefi-ntfs.

unknown

https://github.com/u-boot/u-boot

unknown

https://github.com/pbatard/Fido

unknown

https://github.com/chenall/grub4dos

unknown

https://github.com/Chocobo1

unknown

https://un.akeo.ie

unknown

http://fsf.org/

unknown

http://freedos.sourceforge.net/freecom

unknown

https://7-zip.org/

unknown

https://goo.gl/QTobxX.

unknown

https://www.gnu.org/software/libcdio

unknown

There are 57 hidden URLs, click here to show them.

Domains

Name

Malicious

github.com

140.82.113.3

Details

Name:	github.com
IP:	140.82.113.3
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

therufus.org

104.21.65.18

Details

Name:	therufus.org
IP:	104.21.65.18
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection

www.google.com

142.251.16.99

Details

Name:	www.google.com
IP:	142.251.16.99
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

objects.githubusercontent.com

185.199.110.133

Details

Name:	objects.githubusercontent.com
IP:	185.199.110.133
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

192.168.11.20

unknown

Details

IP:	192.168.11.20
TargetID:	0
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Private:	true

Signature Hits	Behavior Group	Mitre Attack
Sends SSDP (simple service discovery protocol) broadcast queries	Networking	Network Service Discovery
Uses secure TLS version for HTTPS connections	Compliance, Networking

140.82.113.3

github.com

United States

239.255.255.250

unknown

Reserved

Details

IP:	239.255.255.250
TargetID:	0
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Country:	Reserved
Countrycode:	ZZZ
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking
Sends SSDP (simple service discovery protocol) broadcast queries	Networking	Network Service Discovery

104.21.65.18

therufus.org

United States

142.251.16.99

www.google.com

United States

185.199.110.133

objects.githubusercontent.com

Netherlands

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{DE605FE2-09C4-4631-B97D-8938F5DCD9EB}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection

DisableRealtimeMonitoring

Details

TargetID:	11
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{DE605FE2-09C4-4631-B97D-8938F5DCD9EB}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
Value name:	DisableRealtimeMonitoring
Value data:	1

Signature Hits	Behavior Group	Mitre Attack
Disable Windows Defender real time protection (registry)	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools Bypass User Account Control

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{DE605FE2-09C4-4631-B97D-8938F5DCD9EB}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

NoDriveTypeAutorun

HKEY_CURRENT_USER\SOFTWARE\Akeo Consulting\Rufus

Locale

HKEY_CURRENT_USER\SOFTWARE\Akeo Consulting\Rufus

CommCheck64

HKEY_CURRENT_USER\SOFTWARE\Akeo Consulting\Rufus

UpdateCheckInterval

Memdumps

Base Address

Regiontype

Protect

Malicious

26DEBF33000

heap

page read and write

7FF6ED40A000

unkown

page execute and read and write

264E1548000

heap

page read and write

7FF6ED6B4000

unkown

page read and write

26DEBF2E000

heap

page read and write

CAE553C000

stack

page read and write

1A331485000

heap

page read and write

7FF6ED5DD000

unkown

page execute and read and write

26DEBE97000

heap

page read and write

7FF6ED5B4000

unkown

page execute and read and write

C8A0DFE000

stack

page read and write

C89FDF8000

stack

page read and write

26DEBE80000

heap

page read and write

7FF6ED3FE000

unkown

page execute and read and write

26DEC0C5000

heap

page read and write

264E1C70000

heap

page read and write

26DEBF3B000

heap

page read and write

8CC76FE000

stack

page read and write

26DEBF3B000

heap

page read and write

264E13F0000

heap

page read and write

26DF15C0000

trusted library section

page read and write

C8A0BFF000

stack

page read and write

26DEBF36000

heap

page read and write

8CC797F000

stack

page read and write

7FF6ED2E0000

unkown

page readonly

264E12B0000

heap

page read and write

26DEBF38000

heap

page read and write

26DEDBF1000

heap

page read and write

7FF6ED3F5000

unkown

page execute and read and write

26DEBEEE000

heap

page read and write

264E1512000

heap

page read and write

CAE5A7E000

stack

page read and write

CAE59FE000

stack

page read and write

264E1532000

heap

page read and write

1A331480000

heap

page read and write

26DEBF0D000

heap

page read and write

26DEBF36000

heap

page read and write

26DEDD30000

trusted library allocation

page read and write

26DEF340000

trusted library allocation

page read and write

26DEBFF0000

heap

page read and write

1A331300000

heap

page read and write

CAE55BE000

stack

page read and write

26DEC0C0000

heap

page read and write

CAE597D000

stack

page read and write

7FF6ED3FA000

unkown

page execute and read and write

C8A03FE000

stack

page read and write

26DEBCE0000

heap

page read and write

26DEDD30000

trusted library allocation

page read and write

26DEBF36000

heap

page read and write

26DEDBF4000

heap

page read and write

26DEBF15000

heap

page read and write

8CC777E000

stack

page read and write

264E1C75000

heap

page read and write

26DEBEEE000

heap

page read and write

7FF6ED6B4000

unkown

page write copy

264E14F8000

heap

page read and write

1A331333000

heap

page read and write

26DEDE20000

heap

page read and write

1A331309000

heap

page read and write

8CC767C000

stack

page read and write

7FF6ED3DF000

unkown

page execute and read and write

C8A07FE000

stack

page read and write

7FF6ED563000

unkown

page execute and write copy

7FF6ED2E0000

unkown

page readonly

26DEBF38000

heap

page read and write

1A3310E0000

heap

page read and write

C8A05FE000

stack

page read and write

264E1518000

heap

page read and write

264E14F0000

heap

page read and write

1A33132B000

heap

page read and write

CAE5BFE000

stack

page read and write

26DEBF2E000

heap

page read and write

7FF6ED2E1000

unkown

page execute and read and write

26DEBF38000

heap

page read and write

8CC77FE000

stack

page read and write

26DF15A0000

trusted library section

page read and write

26DEBF0E000

heap

page read and write

264E1B90000

heap

page read and write

26DEBF1B000

heap

page read and write

26DEDBDF000

heap

page read and write

C8A09FF000

stack

page read and write

26DEDD20000

heap

page read and write

264E1536000

heap

page read and write

7FF6ED3EA000

unkown

page execute and read and write

26DEDD30000

trusted library allocation

page read and write

26DEDD30000

trusted library allocation

page read and write

7FF6ED3F2000

unkown

page execute and read and write

26DEDD30000

trusted library allocation

page read and write

7FF6ED3E7000

unkown

page execute and read and write

CAE587E000

stack

page read and write

7FF6ED6B0000

unkown

page execute and read and write

C8A01FD000

stack

page read and write

26DEDD30000

trusted library allocation

page read and write

26DEDD24000

heap

page read and write

26DEBE89000

heap

page read and write

C89FFFE000

stack

page read and write

26DEBF80000

heap

page read and write

26DEDBD6000

heap

page read and write

CAE58FE000

stack

page read and write

26DF15B0000

trusted library section

page read and write

CAE5B7F000

stack

page read and write

8CC78FE000

stack

page read and write

CAE5AFB000

stack

page read and write

26DEFBD0000

heap

page read and write

264E1551000

heap

page read and write

264E1530000

heap

page read and write

7FF6ED5B2000

unkown

page execute and read and write

1A331220000

heap

page read and write

8CC79FA000

stack

page read and write

1A331400000

heap

page read and write

There are 100 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
https://therufus.org/download.php

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttps://therufus.org/download.php

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
https://therufus.org/download.php