Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

G47wmLn8uy.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.9046699069840765
Filename:	G47wmLn8uy.exe
Filesize:	167936
MD5:	9a1518ed709f916360e56b5ac7d76995
SHA1:	7c85312d66edf5b02ebd6c25cfe9c036a3471263
SHA256:	2a0878c196278384aab473c92977d236680c788b4e5ae0cc1f415a075a6fa9e2
SHA512:	8f99b5b19d72548340c8bfc3ce6460d73c055b556daa956739cdeb67c2d0db56688e9f017deb2a94f29a298da959d479f3c8dc20123eac6762c69103cd004b13
SSDEEP:	1536:FrdvP8OOzT80mFxgs0HtyWPK0xljCwioDoWjJNa+I37KTqPRzV5pkNXuUAnq:ddvP81zTGUjKWMoDhjJNS7hPHUAnq
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.x.....................\.......%.......Rich............................PE..L.....pV.................`...P......\........p....@

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Sample file is different than original file name gathered from version info	System Summary
PE file contains strange resources	System Summary
Contains functionality to read the PEB	Anti Debugging
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Contains functionality to call native functions	System Summary
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging	Security Software Discovery
Abnormal high CPU Usage	System Summary
Sample is known by Antivirus	System Summary
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary	System Information Discovery
Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)	System Summary
Uses an in-process (OLE) Automation server	System Summary
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery

C:\Users\user\AppData\Local\Temp\~DFAFA5F207726209AF.TMP

Composite Document File V2 Document, Cannot read section info

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\~DFAFA5F207726209AF.TMP
Category:	dropped
Dump:	~DFAFA5F207726209AF.TMP.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\G47wmLn8uy.exe
Type:	Composite Document File V2 Document, Cannot read section info
Entropy:	0.9730200708513237
Encrypted:	false
Ssdeep:	24:r/hDKifA3RuOH/3+aVR4J5lBefVYyDnKoKgQBX2:rJKifAhx5853weyDKoKgQB
Size:	16384
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\G47wmLn8uy.exe

"C:\Users\user\Desktop\G47wmLn8uy.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6320
Target ID:	0
Parent PID:	1556
Name:	G47wmLn8uy.exe
Path:	C:\Users\user\Desktop\G47wmLn8uy.exe
Commandline:	"C:\Users\user\Desktop\G47wmLn8uy.exe"
Size:	167936
MD5:	9A1518ED709F916360E56B5AC7D76995
Time:	15:55:19
Date:	14/12/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	180224
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains strange resources	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\subideal\Eyeliners

HARNISKKLDT

Memdumps

Base Address

Regiontype

Protect

Malicious

4D10000

unkown

page execute and read and write

7FF5A7368000

unkown image

page readonly

2D5AF38D000

unkown

page read and write

7FF50ACB4000

unkown image

page readonly

7DF51E112000

unkown image

page readonly

7FF51B1E2000

unkown image

page readonly

2D5AF38E000

unkown

page read and write

610000

heap private

page read and write

1DEE284B000

unkown

page read and write

DF6C67F000

stack

page read and write

1E2C4230000

unkown image

page readonly

7FF5A73CC000

unkown image

page readonly

1DEE2900000

unkown

page read and write

2D5AF202000

unkown

page read and write

2D5AF391000

unkown

page read and write

2D5AEA00000

unkown

page read and write

7FF5842C8000

unkown image

page readonly

2050000

unkown

page read and write

2D5AF366000

unkown

page read and write

7FF5A72A1000

unkown image

page readonly

1DEE2886000

unkown

page read and write

1D790B30000

unkown image

page readonly

2B59000

heap private

page read and write

2D5AF35D000

unkown

page read and write

7FF51B107000

unkown image

page readonly

1E2C3DB0000

unkown image

page readonly

2D5AEA48000

unkown

page read and write

2D5AF802000

unkown

page read and write

7FF5841C4000

unkown image

page readonly

29A000

unkown

page read and write

1D51E83C000

unkown

page read and write

1E2C3E86000

heap default

page read and write

7FF51B11F000

unkown image

page readonly

2D5AF366000

unkown

page read and write

7FF50A820000

unkown image

page readonly

7DF5BC5D0000

unkown image

page readonly

2D5AF120000

unkown

page read and write

1D790E00000

unkown image

page readonly

19C000

unkown

page read and write

7FF51B0FB000

unkown image

page readonly

7FF50ABAD000

unkown image

page readonly

2D5AF388000

unkown

page read and write

7FF50AC4C000

unkown image

page readonly

7FF51B158000

unkown image

page readonly

2D5AF364000

unkown

page read and write

2D5AE8A0000

heap private

page read and write

1D791402000

unkown

page read and write

7FF509008000

unkown image

page readonly

1D51ED80000

unkown image

page readonly

7FF50AAB1000

unkown image

page readonly

7FF5A7026000

unkown image

page readonly

20B0000

heap private

page read and write

2D5AF38E000

unkown

page read and write

2C336CC000

unkown

page read and write

1D790C7B000

unkown

page read and write

7FF5A744A000

unkown image

page readonly

1D51E640000

heap private

page read and write

1D790C50000

unkown

page read and write

2D5AF397000

unkown

page read and write

1DEE2879000

unkown

page read and write

2C33CF7000

stack

page read and write

1D790C13000

unkown

page read and write

2D5AF380000

unkown

page read and write

7FF51B0DC000

unkown image

page readonly

2204000

heap private

page read and write

7FF5A6DB3000

unkown image

page readonly

234D07B000

unkown

page read and write

2060000

unkown

page execute read

7FF50ACBF000

unkown image

page readonly

1DEE2650000

unkown image

page read and write

2D5AF802000

unkown

page read and write

7FF5A7465000

unkown image

page readonly

2D5AF38E000

unkown

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

Registry

Memdumps