Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Original Doc Ref SN02853801324189923.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.373376085032679
Filename:	Original Doc Ref SN02853801324189923.exe
Filesize:	214528
MD5:	2b40b86c870ab6b0e9b08f26bd231e1a
SHA1:	78a6fc51761c25fe571fec37ca4beaa13d7b5d48
SHA256:	6c9c9bd77d704ca8c48a0125289e0e15e75f62f09d40ffad58a24bd96c3a57c0
SHA512:	ee585115ff7a99ff169915199cbc904529e53bf139d0423f28df5fd41714c01928150442fef33ae364ac6209c2bb62e285c1cf88b9202272cc0eec11780eb4d1
SSDEEP:	3072:UwdK6g8IT9xE5GWp1icKAArDZz4N9GhbkrNEk1ACBynjTy9d41bd0XF:VK6g8ITep0yN90QE44joX
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*...n.k.n.k.n.k..^..i.k..^..`.k..^..(.k..^....k.n.j...k..^..g.k.Ig..o.k..^..o.k..^..o.k.Richn.k.................PE..L.....ST...

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
PE file contains strange resources	System Summary
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation Security Software Discovery
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Sample is known by Antivirus	System Summary	Access Token Manipulation
Contains functionality to query system information	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to read ini properties file for application configuration	Persistence and Installation Behavior
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality for error logging	System Summary	Access Token Manipulation
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to register its own exception handler	Anti Debugging
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Might use command line arguments	System Summary	Command and Scripting Interpreter
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary	Security Software Discovery

C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe

PE32 executable (GUI) Intel 80386, for MS Windows

modified

Details

File:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Category:	modified
Dump:	Semiha.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.668317897407225
Encrypted:	false
Ssdeep:	1536:07p6t8RjmiqnYaH0+4wA0zGU31Uv2VXu0zyADDTr8srw6zbagP:5tGmpc18GYrewXD4sr/bFP
Size:	114688
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Hides threads from debuggers	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Machine Learning detection for dropped file	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Tries to detect Any.run	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Abnormal high CPU Usage	System Summary
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging	Security Software Discovery
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains functionality to call native functions	System Summary
Contains functionality to read the PEB	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)	System Summary
Queries a list of all running drivers	Malware Analysis System Evasion	System Information Discovery
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Reads the hosts file	System Summary	Remote System Discovery
Spawns processes	System Summary	Process Injection
Uses an in-process (OLE) Automation server	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe

"C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6352
Target ID:	0
Parent PID:	6132
Name:	Original Doc Ref SN02853801324189923.exe
Path:	C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe
Commandline:	"C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe"
Size:	214528
MD5:	2B40B86C870AB6B0E9B08F26BD231E1A
Time:	14:22:02
Date:	20/12/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xfc0000
Modulesize:	233472
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
PE file contains strange resources	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe

C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe

Details

Is windows:	false
Is dropped:	true
PID:	6404
Target ID:	2
Parent PID:	6352
Name:	Semiha.exe
Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Commandline:	C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Size:	114688
MD5:	AE871D1957030344D4CEFC7295A1E964
Time:	14:22:03
Date:	20/12/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	118784
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Generic Dropper	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe

C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe

Details

Is windows:	false
Is dropped:	true
PID:	5580
Target ID:	25
Parent PID:	6404
Name:	Semiha.exe
Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Commandline:	C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Size:	114688
MD5:	AE871D1957030344D4CEFC7295A1E964
Time:	14:23:56
Date:	20/12/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff724940000
Modulesize:	28672
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Generic Dropper	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\explorer.exe

C:\Windows\Explorer.EXE

Details

Is windows:	true
Is dropped:	false
PID:	3292
Target ID:	28
Parent PID:	5580
Name:	explorer.exe
Class:	explorer
Path:	C:\Windows\explorer.exe
Commandline:	C:\Windows\Explorer.EXE
Size:	3933184
MD5:	AD5296B280E8F522A8A897C96BAB0E1D
Time:	14:26:01
Date:	20/12/2021
Reason:	existingprocessinject
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff662bf0000
Modulesize:	3919872
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection

C:\Windows\System32\rundll32.exe

C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\

Details

Is windows:	true
Is dropped:	false
PID:	6612
Target ID:	5
Parent PID:	3292
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
Size:	69632
MD5:	73C519F050C20580F8A62C849D49215A
Time:	14:22:14
Date:	20/12/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff60c4c0000
Modulesize:	90112
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

www.thesocialmediacreator.com/i638/

Details

Name:	www.thesocialmediacreator.com/i638/
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe
Source:	config extactor
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for domain / URL	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

https://doc-10-80-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/v1hb64q8i4krmmckqtjah3e0j55ac599/1640006700000/05208698352720309252/*/1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl?e=download

172.217.168.1

Details

Name:	https://doc-10-80-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/v1hb64q8i4krmmckqtjah3e0j55ac599/1640006700000/05208698352720309252/*/1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl?e=download
IP:	172.217.168.1
TargetID:	25
From Memory:	false
Current Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

http://www.autoitscript.com/autoit3/J

unknown

Details

Name:	http://www.autoitscript.com/autoit3/J
TargetID:	28
From Memory:	true
Current Path:	C:\Windows\explorer.exe
Source:	explorer.exe, 0000001C.00000000.747255053.0000000006870000.00000004.00000001.sdmp, explorer.exe, 0000001C.00000002.767904819.0000000006870000.00000004.00000001.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://doc-10-80-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/v1hb64q8

unknown

Details

Name:	https://doc-10-80-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/v1hb64q8
TargetID:	25
From Memory:	true
Current Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Source:	Semiha.exe, 00000019.00000003.742044395.0000000000980000.00000004.00000001.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://doc-10-80-docs.googleusercontent.com/

unknown

Details

Name:	https://doc-10-80-docs.googleusercontent.com/
TargetID:	25
From Memory:	true
Current Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Source:	Semiha.exe, 00000019.00000003.742063444.000000000093B000.00000004.00000001.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://doc-10-80-docs.googleusercontent.com/g

unknown

Details

Name:	https://doc-10-80-docs.googleusercontent.com/g
TargetID:	25
From Memory:	true
Current Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Source:	Semiha.exe, 00000019.00000003.741035770.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742494256.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740971825.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779249493.0000000000940000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742345696.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742566992.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742408013.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742063444.000000000093B000.00000004.00000001.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://doc-10-80-docs.googleusercontent.com/z

unknown

Details

Name:	https://doc-10-80-docs.googleusercontent.com/z
TargetID:	25
From Memory:	true
Current Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Source:	Semiha.exe, 00000019.00000003.741035770.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742494256.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740971825.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779249493.0000000000940000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742345696.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742566992.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742408013.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742063444.000000000093B000.00000004.00000001.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://csp.withgoogle.com/csp/report-to/gse_l9ocaq

unknown

Details

Name:	https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
TargetID:	25
From Memory:	true
Current Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Source:	Semiha.exe, 00000019.00000003.741011877.0000000000981000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740899622.0000000000942000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742044395.0000000000980000.00000004.00000001.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

drive.google.com

172.217.168.46

Details

Name:	drive.google.com
IP:	172.217.168.46
TargetID:	25
Current Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

googlehosted.l.googleusercontent.com

172.217.168.1

Details

Name:	googlehosted.l.googleusercontent.com
IP:	172.217.168.1
TargetID:	25
Current Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

doc-10-80-docs.googleusercontent.com

unknown

Details

Name:	doc-10-80-docs.googleusercontent.com
TargetID:	25
Current Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

172.217.168.46

drive.google.com

United States

Details

IP:	172.217.168.46
TargetID:	25
Current Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	drive.google.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

172.217.168.1

googlehosted.l.googleusercontent.com

United States

Details

IP:	172.217.168.1
TargetID:	25
Current Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	googlehosted.l.googleusercontent.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce

wextract_cleanup0

Memdumps

Base Address

Regiontype

Protect

Malicious

29E0000

unkown

page execute and read and write

560000

unkown

page execute and read and write

1E460000

unkown image

page execute and read and write

560000

unkown

page execute and read and write

4680000

unkown

page read and write

7FF5B69C6000

unkown image

page readonly

7FF5B694C000

unkown image

page readonly

7FFB2000

unkown image

page readonly

7FF559AC9000

unkown image

page readonly

7DF497FA0000

unkown image

page readonly

21A24013000

unkown

page read and write

7FFF97C40000

unkown image

page readonly

7FF566F21000

unkown image

page readonly

1C8D318A000

unkown

page read and write

7FFB0000

unkown image

page readonly

1BF9FCE0000

unkown

page read and write

1040000

unkown image

page readonly

1C8D26B0000

heap default

page read and write

4840000

unkown

page read and write

31CD279000

stack

page read and write

7FF566AFB000

unkown image

page readonly

1C8D2680000

unkown image

page readonly

4FD0000

unkown image

page readonly

1C8D3188000

unkown

page read and write

F936000

unkown

page read and write

25978F20000

unkown image

page readonly

1C8D3100000

unkown

page read and write

270C7457000

unkown

page read and write

1F0000

unkown

page read and write

B2E8000

unkown

page read and write

2590EA13000

unkown

page read and write

7FF540DD5000

unkown image

page readonly

7DF56E4C2000

unkown image

page readonly

4FC0000

unkown image

page readonly

2590EFA0000

unkown image

page readonly

2BBF000

unkown image

page readonly

7FF5D1F43000

unkown image

page readonly

7FF5777BC000

unkown image

page readonly

E30000

unkown image

page readonly

7FF5D1AF9000

unkown image

page readonly

1C8D28EF000

unkown

page read and write

1010000

unkown image

page readonly

BD6A000

unkown

page read and write

7FF566AAA000

unkown image

page readonly

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

Domains

IPs

Registry

Memdumps