Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ws_ftp le 508.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.171228185522057
Filename:	ws_ftp le 508.exe
Filesize:	748032
MD5:	64a58dd55cc3af76fea415ebdbec7af9
SHA1:	3ca099902c524527fecfb7f5e2bbc5d0e7c4a76b
SHA256:	9d23f416f03f351c8441fbe390893cacf00c3ec09beb7a8947023847d2428d2b
SHA512:	5daae789b606ffd6a40a408c969b4184e4eb367c5a779483814c7a112a2ef4a6f929f9448e6c81a7fc0ee577f5f8ffce46536d982709c8ec65a0d82d9724c6de
SSDEEP:	12288:QvHjaC8X3QI2u/t4UoaUPGE8cxgorFTtMwHhE9qZfdP1dr0jy5rlunptp4qm:yQA9u/t4ULcxgITK7qFdPbr0O5rlcH4
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~S...=...=...=..?7...=.p.3...=..?9...=.......=...<...=..?6...=.4.;...=.Rich..=.................PE..L...3..8...................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Creates files inside the user directory	System Summary	Masquerading
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking

C:\Users\user\Desktop\SFS5D46.tmp

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\Desktop\SFS5D46.tmp
Category:	dropped
Dump:	SFS5D46.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\ws_ftp le 508.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.266125935401919
Encrypted:	false
Ssdeep:	12288:dvHjaC8X3QI2u/t4UoaUPGE8cxgorFTtMwHhE9qZfdP1dr0jy5rlunptp4qm:LQA9u/t4ULcxgITK7qFdPbr0O5rlcH4
Size:	727552
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\Desktop\SFS5D75.tmp

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\Desktop\SFS5D75.tmp
Category:	dropped
Dump:	SFS5D75.tmp.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Users\user\Desktop\SFS5D46.tmp
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.361872641098785
Encrypted:	false
Ssdeep:	12288:ovHjaC8X3QI2u/t4UoaUPGE8cxgorFTtMwHhE9qZfdP1dr0jy5rlunptp4qm:aQA9u/t4ULcxgITK7qFdPbr0O5rlcH4
Size:	707072
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API
Uses the system / local time for branch decision (may execute only at specific dates)	Malware Analysis System Evasion	System Time Discovery
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Information Discovery System Time Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to read ini properties file for application configuration	Persistence and Installation Behavior
Creates temporary files	System Summary
Reads ini files	System Summary	File and Directory Discovery
Sample requires command line parameters (based on API chain)	System Summary	Command and Scripting Interpreter Native API
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Found window with many clickable UI elements (buttons, textforms, scrollbars etc)	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\ws_ftp le 508.exe

"C:\Users\user\Desktop\ws_ftp le 508.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6704
Target ID:	0
Parent PID:	2580
Name:	ws_ftp le 508.exe
Path:	C:\Users\user\Desktop\ws_ftp le 508.exe
Commandline:	"C:\Users\user\Desktop\ws_ftp le 508.exe"
Size:	748032
MD5:	64A58DD55CC3AF76FEA415EBDBEC7AF9
Time:	17:53:31
Date:	08/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	20480
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\SFS5D46.tmp

"C:\Users\user\Desktop\SFS5D46.tmp"

Details

Is windows:	false
Is dropped:	true
PID:	6196
Target ID:	1
Parent PID:	6704
Name:	SFS5D46.tmp
Path:	C:\Users\user\Desktop\SFS5D46.tmp
Commandline:	"C:\Users\user\Desktop\SFS5D46.tmp"
Size:	727552
MD5:	EC184194C54DBAB8D0D84CEF50C3189A
Time:	17:53:31
Date:	08/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	20480
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\SFS5D75.tmp

"C:\Users\user\Desktop\SFS5D75.tmp"

Details

Is windows:	false
Is dropped:	true
PID:	4600
Target ID:	2
Parent PID:	6196
Name:	SFS5D75.tmp
Path:	C:\Users\user\Desktop\SFS5D75.tmp
Commandline:	"C:\Users\user\Desktop\SFS5D75.tmp"
Size:	707072
MD5:	6993AF44351EE82C42D77CCF5D550A29
Time:	17:53:31
Date:	08/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	729088
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://www.ipswitch.com

unknown

https://buy.ipswitch.com/cgi-ole/buypro.showform/wsftppro/?000001767Ipswitch

unknown

Details

Name:	https://buy.ipswitch.com/cgi-ole/buypro.showform/wsftppro/?000001767Ipswitch
TargetID:	-1
From Memory:	true
Source:	SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

HTTP://www.ipswitch.com

unknown

Details

Name:	HTTP://www.ipswitch.com
TargetID:	-1
From Memory:	true
Source:	SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.ipswitch.com/downloads/ws_ftp_PRO.html

unknown

Details

Name:	http://www.ipswitch.com/downloads/ws_ftp_PRO.html
TargetID:	-1
From Memory:	true
Source:	SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.ipswitch.comopenHTTP://www.ipswitch.comWS_FTPhttp://www.ipswitch.com/downloads/ws_ftp_PRO

unknown

Details

Name:	http://www.ipswitch.comopenHTTP://www.ipswitch.comWS_FTPhttp://www.ipswitch.com/downloads/ws_ftp_PRO
TargetID:	-1
From Memory:	true
Source:	SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.ipswitch.com/products/ws_ftp/

unknown

Details

Name:	http://www.ipswitch.com/products/ws_ftp/
TargetID:	-1
From Memory:	true
Source:	SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.ipswitch.com/products/ws_ftp/DLG_NOT_AUTHRemoveDIRWS_FTPINSTOPTSWS_FTPWS_FTP.exe%s

unknown

Details

Name:	http://www.ipswitch.com/products/ws_ftp/DLG_NOT_AUTHRemoveDIRWS_FTPINSTOPTSWS_FTPWS_FTP.exe%s
TargetID:	-1
From Memory:	true
Source:	SFS5D46.tmp, 00000001.00000002.1904844086.0000000000770000.00000004.00000020.00020000.00000000.sdmp, SFS5D75.tmp, 00000002.00000002.1903895489.0000000000410000.00000004.00000001.01000000.00000005.sdmp, SFS5D75.tmp, 00000002.00000000.1617571641.0000000000410000.00000008.00000001.01000000.00000005.sdmp, ws_ftp le 508.exe, SFS5D75.tmp.1.dr, SFS5D46.tmp.0.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

770000

heap

page read and write

7DE000

stack

page read and write

415000

unkown

page read and write

410000

unkown

page read and write

55E000

stack

page read and write

401000

unkown

page execute read

415000

unkown

page write copy

402000

unkown

page readonly

410000

heap

page read and write

1F0000

heap

page read and write

8E0000

heap

page read and write

865000

heap

page read and write

45E000

stack

page read and write

40F000

unkown

page readonly

401000

unkown

page execute read

2B70000

trusted library allocation

page read and write

403000

unkown

page read and write

400000

unkown

page readonly

22B0000

heap

page read and write

19B000

stack

page read and write

416000

unkown

page write copy

670000

heap

page read and write

690000

heap

page read and write

79F000

stack

page read and write

9D000

stack

page read and write

402000

unkown

page readonly

5DE000

stack

page read and write

401000

unkown

page execute read

8AE000

stack

page read and write

410000

unkown

page write copy

84A000

heap

page read and write

22B5000

heap

page read and write

660000

heap

page read and write

5C0000

heap

page read and write

510000

heap

page read and write

61E000

stack

page read and write

67E000

heap

page read and write

186000

stack

page read and write

84E000

heap

page read and write

8DF000

stack

page read and write

3370000

trusted library allocation

page read and write

403000

unkown

page write copy

400000

unkown

page readonly

900000

heap

page read and write

400000

unkown

page readonly

401000

unkown

page execute read

417000

unkown

page readonly

A3F000

stack

page read and write

881000

heap

page read and write

186000

stack

page read and write

670000

heap

page read and write

403000

unkown

page read and write

404000

unkown

page readonly

4E0000

heap

page read and write

400000

unkown

page readonly

49E000

heap

page read and write

403000

unkown

page write copy

1F0000

heap

page read and write

24D0000

heap

page read and write

402000

unkown

page readonly

24D4000

heap

page read and write

417000

unkown

page readonly

404000

unkown

page readonly

402000

unkown

page readonly

24F0000

heap

page read and write

881000

heap

page read and write

A70000

heap

page read and write

99000

stack

page read and write

9D000

stack

page read and write

A0F000

stack

page read and write

22B9000

heap

page read and write

590000

heap

page read and write

400000

unkown

page readonly

2390000

heap

page read and write

65F000

stack

page read and write

40F000

unkown

page readonly

401000

unkown

page execute read

49A000

heap

page read and write

404000

unkown

page readonly

67A000

heap

page read and write

426000

unkown

page readonly

840000

heap

page read and write

881000

heap

page read and write

490000

heap

page read and write

426000

unkown

page readonly

400000

unkown

page readonly

79F000

stack

page read and write

867000

heap

page read and write

404000

unkown

page readonly

1F0000

heap

page read and write

401000

unkown

page execute read

There are 81 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ws_ftp le 508.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportws_ftp le 508.exe

Files

Processes

URLs

Memdumps

IOC Report
ws_ftp le 508.exe