Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.351689762780545
Filename:	Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Filesize:	209920
MD5:	72a345c95142aee60e7df54b570c2c6b
SHA1:	aa479735d39ced67594ff0b0d5f91679e506ac38
SHA256:	a7a0ada5969b3b343a5c2d17e1fe57f542a0f9cb94b98daf7a4922d8cdcd5e8d
SHA512:	597d7673d2d69598d31a2edc71651c285d3253af53c06653a4d1504db9c71575141ace6fbc2371acd0517d43ac0b135c0b213979b657a035cbb1744504d437c7
SSDEEP:	6144:DK6g8ITQp0yN90QEN3Gm7CTon9jiNLk/ybI:DKRy90v30O9TeI
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*...n.k.n.k.n.k..^..i.k..^..`.k..^..(.k..^....k.n.j...k..^..g.k.Ig..o.k..^..o.k..^..o.k.Richn.k.................PE..L.....ST...

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
PE file contains strange resources	System Summary
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Sample is known by Antivirus	System Summary	Access Token Manipulation
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to read ini properties file for application configuration	Persistence and Installation Behavior
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Creates temporary files	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality for error logging	System Summary	Access Token Manipulation
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to register its own exception handler	Anti Debugging
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Might use command line arguments	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Category:	dropped
Dump:	nongrav.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.642357579130979
Encrypted:	false
Ssdeep:	1536:hs45GgwFzTYSKUc//9qrMyk3+lGsc5iTq0wHmYt:hN+zTYS5acZk3+lGuqzH7t
Size:	102400
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Hides threads from debuggers	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Machine Learning detection for dropped file	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Modifies the context of a thread in another process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queues an APC in another process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Tries to detect Any.run	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Abnormal high CPU Usage	System Summary
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging	Security Software Discovery
Contains functionality to call native functions	System Summary
Contains functionality to read the PEB	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)	System Summary
Queries a list of all running drivers	Malware Analysis System Evasion	System Information Discovery
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Reads the hosts file	System Summary	Remote System Discovery
Spawns processes	System Summary	Process Injection
Uses an in-process (OLE) Automation server	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

"C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe"

Details

Is windows:	false
Is dropped:	false
PID:	4360
Target ID:	0
Parent PID:	4884
Name:	Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Path:	C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Commandline:	"C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe"
Size:	209920
MD5:	72A345C95142AEE60E7DF54B570C2C6B
Time:	14:10:29
Date:	15/12/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf30000
Modulesize:	229376
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
PE file contains strange resources	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

Details

Is windows:	false
Is dropped:	true
PID:	6136
Target ID:	1
Parent PID:	4360
Name:	nongrav.exe
Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Commandline:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Size:	102400
MD5:	BEB33BD2BF3282F8C86081144236545D
Time:	14:10:30
Date:	15/12/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	106496
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected Generic Dropper	Stealing of Sensitive Information
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sample file is different than original file name gathered from version info	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

Details

Is windows:	false
Is dropped:	true
PID:	4520
Target ID:	15
Parent PID:	6136
Name:	nongrav.exe
Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Commandline:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Size:	102400
MD5:	BEB33BD2BF3282F8C86081144236545D
Time:	14:12:08
Date:	15/12/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	106496
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected Generic Dropper	Stealing of Sensitive Information
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sample file is different than original file name gathered from version info	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\explorer.exe

C:\Windows\Explorer.EXE

Details

Is windows:	true
Is dropped:	false
PID:	3352
Target ID:	21
Parent PID:	4520
Name:	explorer.exe
Class:	explorer
Path:	C:\Windows\explorer.exe
Commandline:	C:\Windows\Explorer.EXE
Size:	3933184
MD5:	AD5296B280E8F522A8A897C96BAB0E1D
Time:	14:13:52
Date:	15/12/2021
Reason:	existingprocessinject
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff720ea0000
Modulesize:	3919872
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspect Svchost Activity	System Summary
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queues an APC in another process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Svchost Process	System Summary
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary

C:\Windows\SysWOW64\svchost.exe

Details

Is windows:	true
Is dropped:	false
PID:	6932
Target ID:	22
Parent PID:	3352
Name:	svchost.exe
Path:	C:\Windows\SysWOW64\svchost.exe
Commandline:	C:\Windows\SysWOW64\svchost.exe
Size:	44520
MD5:	FA6C268A5B5BDA067A901764D203D433
Time:	14:14:16
Date:	15/12/2021
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff70d6e0000
Modulesize:	65536
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspect Svchost Activity	System Summary
Yara detected Generic Dropper	Stealing of Sensitive Information
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Svchost Process	System Summary
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\rundll32.exe

C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\

Details

Is windows:	true
Is dropped:	false
PID:	1096
Target ID:	5
Parent PID:	3352
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Size:	69632
MD5:	73C519F050C20580F8A62C849D49215A
Time:	14:10:40
Date:	15/12/2021
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff734500000
Modulesize:	90112
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5168
Target ID:	23
Parent PID:	6932
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	/c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe"
Size:	232960
MD5:	F3BDBE3BB6F734E357235F4D5898582D
Time:	14:14:21
Date:	15/12/2021
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0xd80000
Modulesize:	364544
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4456
Target ID:	24
Parent PID:	5168
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	625664
MD5:	EA777DEEA782E8B4D7C7C33BBF8A4496
Time:	14:14:22
Date:	15/12/2021
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7f20f0000
Modulesize:	651264
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

www.thesocialmediacreator.com/i638/

Details

Name:	www.thesocialmediacreator.com/i638/
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source:	config extactor
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for domain / URL	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

https://doc-0c-ao-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3t0pvfkcl5sqbkpotb7a08dnj393g/1639574025000/11789396277519397655/*/1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ?e=download

172.217.168.1

Details

Name:	https://doc-0c-ao-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3t0pvfkcl5sqbkpotb7a08dnj393g/1639574025000/11789396277519397655/*/1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ?e=download
IP:	172.217.168.1
TargetID:	15
From Memory:	false
Current Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Domains

Name

Malicious

drive.google.com

172.217.168.46

Details

Name:	drive.google.com
IP:	172.217.168.46
TargetID:	15
Current Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

googlehosted.l.googleusercontent.com

172.217.168.1

Details

Name:	googlehosted.l.googleusercontent.com
IP:	172.217.168.1
TargetID:	15
Current Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

doc-0c-ao-docs.googleusercontent.com

unknown

Details

Name:	doc-0c-ao-docs.googleusercontent.com
TargetID:	15
Current Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

IPs

Domain

Country

Malicious

172.217.168.46

drive.google.com

United States

Details

IP:	172.217.168.46
TargetID:	15
Current Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	drive.google.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

172.217.168.1

googlehosted.l.googleusercontent.com

United States

Details

IP:	172.217.168.1
TargetID:	15
Current Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	googlehosted.l.googleusercontent.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce

wextract_cleanup0

Memdumps

Base Address

Regiontype

Protect

Malicious

67A000

unkown image

page execute and read and write

75FE000

unkown image

page execute and read and write

A0000

unkown image

page execute and read and write

2D20000

unkown image

page execute and read and write

1E760000

unkown image

page execute and read and write

35C0000

unkown

page read and write

75FE000

unkown image

page execute and read and write

3590000

unkown image

page execute and read and write

2AA0000

unkown

page execute and read and write

868E000

unkown

page read and write

2C9D000

unkown image

page readonly

7FF5AB843000

unkown image

page readonly

7FF53F8B0000

unkown image

page readonly

7FFB2000

unkown image

page readonly

71D7000

unkown image

page readonly

EF75000

unkown

page read and write

7FF563E67000

unkown image

page readonly

2B6C000

unkown image

page readonly

1050000

unkown image

page readonly

7FF563B5E000

unkown image

page readonly

7FF563E53000

unkown image

page readonly

7FF563970000

unkown image

page readonly

88CD000

unkown

page read and write

17D1E260000

unkown

page read and write

7FF563B6A000

unkown image

page readonly

7FF563982000

unkown image

page readonly

400000

unkown image

page execute and read and write

1ED4B000

unkown

page execute and read and write

7FF58CE29000

unkown image

page readonly

E50000

unkown image

page readonly

7FFC77825000

unkown image

page read and write

B7D000

heap default

page read and write

88E2000

unkown

page read and write

7FF58CDA5000

unkown image

page readonly

226AEA0F000

unkown

page read and write

1099CCB000

unkown

page read and write

7FEE0000

unkown image

page readonly

86C9000

unkown

page read and write

4330000

unkown

page read and write

7FF56372E000

unkown image

page readonly

7FF5AB700000

unkown image

page readonly

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

Domains

IPs

Registry

Memdumps