Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
Entropy:	7.7277869861460955
Filename:	Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Filesize:	21640831
MD5:	b543ca28c1fc8be534a8a701a0a96964
SHA1:	df7680b5721f14631bd12aa7511171e5dd36e2e9
SHA256:	bdb793b89f3ac3487cac8d5333d12ce2969c22de97941eab01a2c55b9f97b4f9
SHA512:	b8577e322ccb9fbf011a7965ac99cbdc941e5cf7c3acd8269de80f531b8afec85fb6526a29e2a6a8e746663d03fc15861066ad9fcdf44e8c7045e15ec9415ec4
SSDEEP:	393216:uxIq4jHe3fR8SVcvN5wGRwyz2yMBMG+tBZHlI7xseJWGhrr26oXoEoXom:4aHeCSVcvLwGWph+9FqxQGhboXoEoXom
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}...9.o.9.o.9.o..a..1.o..a..*.o.9.n...o.'...<.o.0...8.o.0.....o.0...8.o.'...8.o.0...8.o.Rich9.o.........PE..L....'dJ...........

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Drops PE files	Persistence and Installation Behavior
File is packed with WinRar	Data Obfuscation	Software Packing
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary
Reads software policies	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Writes ini files	System Summary	File and Directory Discovery
PE file contains a debug data directory	System Summary
Submission file is bigger than most known malware samples	System Summary
Executable creates window controls seldom found in malware	System Summary
Uses Rich Edit Controls	System Summary

C:\Users\user\AppData\Local\Temp\MSI9A55.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\MSI9A55.tmp
Category:	dropped
Dump:	MSI9A55.tmp.3.dr
ID:	dr_7
Target ID:	3
Process:	C:\Windows\SysWOW64\msiexec.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	5.499169965794945
Encrypted:	false
Size:	99648
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\RarSFX0\0x0409.ini

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\RarSFX0\0x0409.ini
Category:	dropped
Dump:	0x0409.ini.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.486384074808718
Encrypted:	false
Size:	13660
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Writes ini files	System Summary	File and Directory Discovery

C:\Users\user\AppData\Local\Temp\RarSFX0\Data1.cab

Microsoft Cabinet archive data, many, 14538947 bytes, 19 files, at 0x5c +A "_05552B74CCDE077E19276A4B56E61CF6", iFolder 0x1 +A "_B05A2AB076DDA62641C63DBF405CBA38", 7 cffolders, ID 1111, number 1, 105 datablocks, 0x1 compression

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\RarSFX0\Data1.cab
Category:	dropped
Dump:	Data1.cab.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Type:	Microsoft Cabinet archive data, many, 14538947 bytes, 19 files, at 0x5c +A "_05552B74CCDE077E19276A4B56E61CF6", iFolder 0x1 +A "_B05A2AB076DDA62641C63DBF405CBA38", 7 cffolders, ID 1111, number 1, 105 datablocks, 0x1 compression
Entropy:	7.9977814426964215
Encrypted:	true
Size:	14538947
Whitelisted:	false

C:\Users\user\AppData\Local\Temp\RarSFX0\Lakes Environmental WRPLOT View - Freeware V.8.0.2.MSI

Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Author: InstallShield Software Corporation, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Template: Intel;1033, Last Saved By: InstallShield, Revision Number: {79A894FC-A5C1-4F47-BD8C-296A0B8F9A34}, Last Printed: Wed Mar 21 11:30:00 2018, Create Time/Date: Wed Mar 21 11:30:00 2018, Last Saved Time/Date: Wed Mar 21 11:30:00 2018, Number of Pages: 200, Number of Words: 0, Number of Characters: 0, Name of Creating Application: InstallShield 2009 - Express Edition 15, Security: 1

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\RarSFX0\Lakes Environmental WRPLOT View - Freeware V.8.0.2.MSI
Category:	dropped
Dump:	Lakes Environmental WRPLOT View - Freeware V.8.0.2.MSI.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Author: InstallShield Software Corporation, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Template: Intel;1033, Last Saved By: InstallShield, Revision Number: {79A894FC-A5C1-4F47-BD8C-296A0B8F9A34}, Last Printed: Wed Mar 21 11:30:00 2018, Create Time/Date: Wed Mar 21 11:30:00 2018, Last Saved Time/Date: Wed Mar 21 11:30:00 2018, Number of Pages: 200, Number of Words: 0, Number of Characters: 0, Name of Creating Application: InstallShield 2009 - Express Edition 15, Security: 1
Entropy:	4.043447572238817
Encrypted:	false
Size:	2834432
Whitelisted:	false

C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.ini

Generic INItialization configuration [Startup]

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.ini
Category:	dropped
Dump:	Setup.ini.0.dr
ID:	dr_6
Target ID:	0
Process:	C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Type:	Generic INItialization configuration [Startup]
Entropy:	5.443046971636431
Encrypted:	false
Size:	2934
Whitelisted:	false

C:\Users\user\AppData\Local\Temp\RarSFX0\instmsia.exe

PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\RarSFX0\instmsia.exe
Category:	dropped
Dump:	instmsia.exe.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
Entropy:	7.985483438485467
Encrypted:	false
Size:	1708856
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\RarSFX0\instmsiw.exe

PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\RarSFX0\instmsiw.exe
Category:	dropped
Dump:	instmsiw.exe.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
Entropy:	7.987680667971462
Encrypted:	false
Size:	1822520
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe
Category:	dropped
Dump:	setup.exe.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.6378258026818
Encrypted:	false
Size:	626784
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Files

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportLakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Files

IOC Report
Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe