Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

PKO_TRANS_DETAILS_20211216_0809521.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.690014470947888
Filename:	PKO_TRANS_DETAILS_20211216_0809521.exe
Filesize:	147456
MD5:	1823b507e96d8138bada7c65d424abcc
SHA1:	e5d7884da7d17ba0ae592ff787e84ae665e21c3a
SHA256:	99b81b452d173986229ed512383e05214f35c819aa9da4c2a972bb05c880d536
SHA512:	66c962308ad08bf950dfd738de5585e79aa91a28379fe59ccfd78a578a7e629ff123b63d8509d3f0366089f3cca65e932bee3dee5d8a1744e1f3d8eca340d852
SSDEEP:	3072:U4PvIBPPFoSfth9WGq8Av35lbUTv9/alVVPx:U4PAsGU5+BaxPx
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.x.....................\.......%.......Rich............................PE..L......U.....................`......$.............@

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Hides threads from debuggers	Anti Debugging	Virtualization/Sandbox Evasion Security Software Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Tries to detect Any.run	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Detected potential crypto function	System Summary	Archive Collected Data
Abnormal high CPU Usage	System Summary
Sample file is different than original file name gathered from version info	System Summary
PE file contains strange resources	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Checks if the current process is being debugged	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Sample is known by Antivirus	System Summary
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries a list of all running drivers	Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\~DF96836616C4B0B991.TMP

Composite Document File V2 Document, Cannot read section info

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\~DF96836616C4B0B991.TMP
Category:	dropped
Dump:	~DF96836616C4B0B991.TMP.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe
Type:	Composite Document File V2 Document, Cannot read section info
Entropy:	2.45010052865662
Encrypted:	false
Ssdeep:	96:jaGu8uY05xb30uxH+iMa9eHC2K4veMC47+crGNa:jtjReMC49rAa
Size:	16384
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Roaming\u2trkkyb.crc\Chrome\Default\Cookies

SQLite 3.x database, last written using SQLite version 3035005

dropped

Details

File:	C:\Users\user\AppData\Roaming\u2trkkyb.crc\Chrome\Default\Cookies
Category:	dropped
Dump:	Cookies.11.dr
ID:	dr_2
Target ID:	11
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Type:	SQLite 3.x database, last written using SQLite version 3035005
Entropy:	3.758760013585961
Encrypted:	false
Ssdeep:	384:qGHsAH0UkOYBOYVOQ0fH8VnRMD+lEofbKWc9JqxYuiAAW2QBRW9TYVVox:pHO9FVISnSSlpDK9SiyBRCcS
Size:	73728
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Roaming\u2trkkyb.crc\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite

SQLite 3.x database, user version 12, last written using SQLite version 3036000

modified

Details

File:	C:\Users\user\AppData\Roaming\u2trkkyb.crc\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite
Category:	modified
Dump:	cookies.sqlite.11.dr
ID:	dr_3
Target ID:	11
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Type:	SQLite 3.x database, user version 12, last written using SQLite version 3036000
Entropy:	0.08231524779339361
Encrypted:	false
Ssdeep:	12:DQANJfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQANJff32mNVpP965Ra8KN0MG/lO
Size:	98304
Whitelisted:	false
Reputation:	moderate

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.11.dr
ID:	dr_1
Target ID:	11
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.964735178725505
Encrypted:	false
Ssdeep:	3:IBVFBWAGRHneyy:ITqAGRHner
Size:	30
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe

"C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2888
Target ID:	2
Parent PID:	1828
Name:	PKO_TRANS_DETAILS_20211216_0809521.exe
Path:	C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe
Commandline:	"C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe"
Size:	147456
MD5:	1823B507E96D8138BADA7C65D424ABCC
Time:	13:19:35
Date:	16/12/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	159744
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains strange resources	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6124
Target ID:	10
Parent PID:	2888
Name:	CasPol.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Commandline:	"C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe"
Size:	108664
MD5:	914F728C04D3EDDD5FBA59420E74E56B
Time:	13:20:18
Date:	16/12/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x4a0000
Modulesize:	114688
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe"

Details

Is windows:	true
Is dropped:	false
PID:	4076
Target ID:	11
Parent PID:	2888
Name:	CasPol.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Commandline:	"C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe"
Size:	108664
MD5:	914F728C04D3EDDD5FBA59420E74E56B
Time:	13:20:18
Date:	16/12/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7e0000
Modulesize:	114688
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	2412
Target ID:	12
Parent PID:	4076
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	875008
MD5:	81CA40085FC75BABD2C91D18AA9FFA68
Time:	13:20:19
Date:	16/12/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7d9870000
Modulesize:	901120
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://drive.google.com/~

unknown

https://ffT40WCIhVVniAbESQ.comt-

unknown

http://127.0.0.1:HTTP/1.1

unknown

http://DynDns.comDynDNS

unknown

http://repository.certum.pl/ctnca.cer09

unknown

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

unknown

http://crl.certum.pl/ctnca.crl0k

unknown

http://yandex.crl.certum.pl/ycasha2.crl0q

unknown

https://ffT40WCIhVVniAbESQ.com

unknown

https://support.google.com/chrome/?p=plugin_flash

unknown

https://doc-00-10-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/1h4vdo343qt36t0eav1jpdhsqf81bcjc/1639657200000/05069790638565246300/*/1byST7n55z6cYoUjFqb0Ef6QjVn6HNywC?e=download

142.250.185.129

https://www.certum.pl/CPS0

unknown

http://smtp.yandex.com

unknown

http://yandex.ocsp-responder.com03

unknown

http://subca.ocsp-certum.com0.

unknown

http://repository.certum.pl/ca.cer09

unknown

http://crls.yandex.net/certum/ycasha2.crl0-

unknown

http://eVxhAq.com

unknown

https://drive.google.com/

unknown

http://subca.ocsp-certum.com01

unknown

http://crl.certum.pl/ca.crl0h

unknown

http://www.certum.pl/CPS0

unknown

https://doc-00-10-docs.googleusercontent.com/

unknown

http://repository.certum.pl/ycasha2.cer0

unknown

https://csp.withgoogle.com/csp/report-to/gse_l9ocaq

unknown

https://doc-00-10-docs.googleusercontent.com/2

unknown

https://doc-00-10-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/1h4vdo34

unknown

There are 17 hidden URLs, click here to show them.

Domains

Name

Malicious

smtp.yandex.ru

77.88.21.158

Details

Name:	smtp.yandex.ru
IP:	77.88.21.158
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses SMTP (mail sending)	Networking	Application Layer Protocol

drive.google.com

216.58.212.174

Details

Name:	drive.google.com
IP:	216.58.212.174
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

googlehosted.l.googleusercontent.com

142.250.185.129

Details

Name:	googlehosted.l.googleusercontent.com
IP:	142.250.185.129
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

doc-00-10-docs.googleusercontent.com

unknown

Details

Name:	doc-00-10-docs.googleusercontent.com
TargetID:	-1
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

smtp.yandex.com

unknown

IPs

Domain

Country

Malicious

142.250.185.129

googlehosted.l.googleusercontent.com

United States

Details

IP:	142.250.185.129
TargetID:	11
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	googlehosted.l.googleusercontent.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

77.88.21.158

smtp.yandex.ru

Russian Federation

Details

IP:	77.88.21.158
TargetID:	11
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	13238
ASN name:	YANDEXRU
Private:	false
Domain:	smtp.yandex.ru

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses SMTP (mail sending)	Networking	Application Layer Protocol

216.58.212.174

drive.google.com

United States

Details

IP:	216.58.212.174
TargetID:	11
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	drive.google.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

1DD01000

unkown

page read and write

BC0000

unkown

page execute and read and write

2B70000

unkown

page execute and read and write

1CC31000

unkown

page read and write

1DBB0000

unkown

page read and write

550000

unkown image

page readonly

1CC31000

unkown

page read and write

64E000

unkown

page read and write

F50000

stack

page read and write

1CC31000

unkown

page read and write

1DBB0000

unkown

page read and write

64E000

unkown

page read and write

64E000

unkown

page read and write

1CC31000

unkown

page read and write

1CC31000

unkown

page read and write

213A0000

unkown

page read and write

1CC31000

unkown

page read and write

1DBB0000

unkown

page read and write

1CC31000

unkown

page read and write

1CC31000

unkown

page read and write

1CC31000

unkown

page read and write

1CC31000

unkown

page read and write

235DA06C000

unkown

page read and write

F91000

stack

page read and write

E45000

heap default

page read and write

F90000

stack

page read and write

64E000

unkown

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

Domains

IPs

Memdumps