Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

File-11F_385347.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.686122497274493
Filename:	File-11F_385347.exe
Filesize:	23731296
MD5:	08ea1813d6b205c446e6ae655c4e6715
SHA1:	76f4d2af1c04ec157fc8a270da5980ee6bcb5def
SHA256:	12288224d26607b30d026a32faf2ac7b49fc32acc8950eeaf60b933f2e39f48f
SHA512:	a900bd2c4f33dc915fa27911620fafad76139da7c3d58ce3f40b7c2a1dcb11e893dc5b0cde7a74f93d6f1f5dc2ff949141b20f9c7d09a8bc3b9517f861c361e1
SSDEEP:	393216:m8bMktzgHgxUv/1n6b121UnyuecRZndSk9bGWqCgu5op+wiCYCr2sfqisfU:m8bMkM1n6b121UnyuLEkTqA5a+Nc2sf6
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......W..s... ... ... 4$. ... ..' ... ..! ... ..7 ... 4$. ... ... 9.. ..0 ... ..> ... ..& ... .. ... ..% ... Rich... ...............

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to read the PEB	Anti Debugging
Detected potential crypto function	System Summary
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates files inside the user directory	System Summary	Masquerading
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Public key (encryption) found	Cryptography	Archive Collected Data
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\MPC-HC\MPC-HC.1.9.13.x86.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\MPC-HC\MPC-HC.1.9.13.x86.exe
Category:	dropped
Dump:	MPC-HC.1.9.13.x86.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\File-11F_385347.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.99861209953994
Encrypted:	true
Ssdeep:	393216:gE8nxnfUcXAbCaUQawechoJTIhxlpJYBAe:gvfAb2QnexshxlpKBp
Size:	16392237
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Chrome Cache Entry: 39

ASCII text, with very long lines (745)

downloaded

Details

File:	Chrome Cache Entry: 39
Category:	downloaded
Dump:	chromecache_39.8.dr
ID:	dr_2
Target ID:	8
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	ASCII text, with very long lines (745)
Entropy:	5.113927133166416
Encrypted:	false
Ssdeep:	12:uB3B0FZyBmTp73OerBHslriFTAYsSw7sZAnIIIIIII5wuCPXIwuGHHHHHHHYZw4w:O+IBmt7eMBHslgT9lCuABuoB7HHHHHHp
Size:	750
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\File-11F_385347.exe

"C:\Users\user\Desktop\File-11F_385347.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6404
Target ID:	0
Parent PID:	2580
Name:	File-11F_385347.exe
Path:	C:\Users\user\Desktop\File-11F_385347.exe
Commandline:	"C:\Users\user\Desktop\File-11F_385347.exe"
Size:	23731296
MD5:	08EA1813D6B205C446E6AE655C4E6715
Time:	19:27:04
Date:	26/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xab0000
Modulesize:	7462912
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///

Details

Is windows:	true
Is dropped:	false
PID:	3716
Target ID:	6
Parent PID:	2936
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	19:28:46
Date:	26/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1724,i,16714932929559567655,4968093527130383925,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	5304
Target ID:	8
Parent PID:	3716
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1724,i,16714932929559567655,4968093527130383925,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	19:28:46
Date:	26/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x600000
Modulesize:	155648
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGNHIr7EGIjBbcI5gdfmKwCdV__yDFi29L_2EfWEBQ0qVQQiZdNjzBeDdBnmbFvPJWbk3gUOEyDUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

142.250.217.164

http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0

unknown

https://curl.se/docs/hsts.html

unknown

https://www.google.com/async/ddljson?async=ntp:2

142.250.217.164

http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t

unknown

https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGNLIr7EGIjCTne0bwf48RoRhZuPH4pFklPwwJFOSRYaI2xBpyQCasbMRMkTzYh04Cbc12bYZbG0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

142.250.217.164

https://sectigo.com/CPS0

unknown

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

142.250.217.164

http://ocsp.sectigo.com0M

unknown

http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0

unknown

http://ocsp.sectigo.com0

unknown

https://curl.se/docs/http-cookies.html

unknown

http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#

unknown

http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU

unknown

http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#

unknown

https://www.google.com/async/newtab_promos

142.250.217.164

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

142.250.217.164

http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#

unknown

https://curl.se/docs/alt-svc.html

unknown

https://contentworldinc.com/9BEC55CF2367EE37/28571844681/59AFA49E14E6A1FD/71415242461?E560AB4B6913F3

unknown

https://contentworldinc.com/9BEC55CF2367EE37/28571844681/59AFA49E14E6A1FD/71415242461?E560AB4B6913F3951714152424

104.26.5.9

There are 11 hidden URLs, click here to show them.

Domains

Name

Malicious

contentworldinc.com

104.26.5.9

Details

Name:	contentworldinc.com
IP:	104.26.5.9
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

www.google.com

142.250.217.164

Details

Name:	www.google.com
IP:	142.250.217.164
TargetID:	8
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

142.250.217.164

www.google.com

United States

239.255.255.250

unknown

Reserved

192.168.2.4

unknown

127.0.0.1

unknown

104.26.5.9

contentworldinc.com

United States

Details

IP:	104.26.5.9
TargetID:	0
Current Path:	C:\Users\user\Desktop\File-11F_385347.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	contentworldinc.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

14D8000

heap

page read and write

5BF8000

heap

page read and write

1161000

unkown

page readonly

151E000

heap

page read and write

152C000

heap

page read and write

55B1000

heap

page read and write

1507000

heap

page read and write

1543000

heap

page read and write

5AF0000

heap

page read and write

57B0000

direct allocation

page read and write

3610000

trusted library allocation

page read and write

16CF000

stack

page read and write

3000000

remote allocation

page read and write

418E000

stack

page read and write

3000000

remote allocation

page read and write

A6E000

stack

page read and write

13A4000

heap

page read and write

11A7000

unkown

page read and write

1526000

heap

page read and write

AB0000

unkown

page readonly

4290000

direct allocation

page read and write

11A8000

unkown

page write copy

3FD0000

heap

page read and write

55B0000

heap

page read and write

11AA000

unkown

page read and write

4050000

heap

page read and write

11B2000

unkown

page readonly

5BF9000

heap

page read and write

11B2000

unkown

page readonly

11A7000

unkown

page write copy

56B0000

heap

page read and write

1530000

heap

page read and write

AB1000

unkown

page execute read

5BB0000

heap

page read and write

5AF0000

heap

page read and write

3F51000

heap

page read and write

1530000

heap

page read and write

1542000

heap

page read and write

152D000

heap

page read and write

5AF0000

heap

page read and write

5BF8000

heap

page read and write

1161000

unkown

page readonly

1553000

heap

page read and write

5E9000

stack

page read and write

12CF000

stack

page read and write

1530000

heap

page read and write

3E51000

heap

page read and write

3F50000

heap

page read and write

3020000

heap

page read and write

3000000

remote allocation

page read and write

305E000

heap

page read and write

5A30000

heap

page read and write

5BF0000

heap

page read and write

2FF0000

heap

page read and write

3F51000

heap

page read and write

152C000

heap

page read and write

59B0000

heap

page read and write

40D0000

heap

page read and write

153E000

heap

page read and write

152C000

heap

page read and write

55B1000

heap

page read and write

1515000

heap

page read and write

151B000

heap

page read and write

3010000

heap

page read and write

152C000

heap

page read and write

4150000

direct allocation

page read and write

59F0000

heap

page read and write

55B1000

heap

page read and write

3ED0000

heap

page read and write

152C000

heap

page read and write

1530000

heap

page read and write

14FC000

heap

page read and write

3055000

heap

page read and write

1526000

heap

page read and write

3E50000

heap

page read and write

AB1000

unkown

page execute read

3F65000

heap

page read and write

4011000

heap

page read and write

14FC000

heap

page read and write

3014000

heap

page read and write

950000

heap

page read and write

3E90000

heap

page read and write

13A0000

heap

page read and write

4090000

heap

page read and write

3FD0000

heap

page read and write

59B1000

heap

page read and write

AB0000

unkown

page readonly

55B1000

heap

page read and write

3F90000

heap

page read and write

130E000

stack

page read and write

3059000

heap

page read and write

1521000

heap

page read and write

13A4000

heap

page read and write

5BF8000

heap

page read and write

3F90000

heap

page read and write

5A70000

heap

page read and write

1542000

heap

page read and write

2F6F000

stack

page read and write

153F000

heap

page read and write

14D0000

heap

page read and write

5AF0000

heap

page read and write

14F8000

heap

page read and write

1557000

heap

page read and write

55B1000

heap

page read and write

5BF8000

heap

page read and write

5AB0000

heap

page read and write

AAE000

stack

page read and write

5B30000

heap

page read and write

4010000

heap

page read and write

5DB0000

direct allocation

page read and write

1581000

heap

page read and write

1507000

heap

page read and write

14AE000

stack

page read and write

5BF8000

heap

page read and write

153D000

heap

page read and write

152C000

heap

page read and write

5AF0000

heap

page read and write

8FB000

stack

page read and write

1526000

heap

page read and write

1518000

heap

page read and write

153D000

heap

page read and write

11B0000

unkown

page readonly

3F90000

heap

page read and write

2FE0000

heap

page read and write

5FF0000

direct allocation

page read and write

1557000

heap

page read and write

1310000

heap

page read and write

1526000

heap

page read and write

55C0000

heap

page read and write

3050000

heap

page read and write

4091000

heap

page read and write

3F51000

heap

page read and write

56B0000

trusted library allocation

page read and write

5BF8000

heap

page read and write

5BF8000

heap

page read and write

11B0000

unkown

page readonly

428F000

stack

page read and write

152C000

heap

page read and write

3F90000

heap

page read and write

152D000

heap

page read and write

5BF8000

heap

page read and write

3ED1000

heap

page read and write

5A31000

heap

page read and write

5BB1000

heap

page read and write

5AB1000

heap

page read and write

3F90000

heap

page read and write

5BF8000

heap

page read and write

5AF0000

heap

page read and write

1553000

heap

page read and write

3F91000

heap

page read and write

139E000

stack

page read and write

There are 141 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
File-11F_385347.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportFile-11F_385347.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
File-11F_385347.exe