Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

BUgAyPXboK.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	4.804404197820735
Filename:	BUgAyPXboK.exe
Filesize:	75264
MD5:	dde91b6947d2b726e5bb8f5852cecb76
SHA1:	7d2467c4e65238599c5fd05641c628fb4252c7ca
SHA256:	eae8d675873bd846302263fdca95db805b560d3406ec964f76b2d4123f78b59a
SHA512:	d7c5a4ae4e4a641d0ec8c821ef6356d17b35fd52999b95c0b1b882587a7fb536407012203468644577ea6daeda913d1603d2c59034555ec1bce43973592704e8
SSDEEP:	1536:kgSeGDjtQhnwmmB0yjMqqUM2mr3IdE8mne0Avu5r++yy7CA7GcIaapavdv:kMSjOnrmBbMqqMmr3IdE8we0Avu5r++N
Preview:	MZ......................@...............................................!..L.!This ...X.1m cannot be run in DOS mode....$.......AU@..4...4...4..Ce...4..Ce...4...f...4...4...4...L...4...4/..4...f...4...f...4...f...4..Rich.4..................PE..L...].vZ...

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Antivirus / Scanner detection for submitted sample	AV Detection
Contains functionality to determine the online IP of the system	Networking	System Network Connections Discovery
Found Tor onion address	Networking	Proxy
Uses nslookup.exe to query domains	Networking	System Network Configuration Discovery
Machine Learning detection for sample	AV Detection
May check the online IP address of the machine	Networking
Uses 32bit PE files	Compliance, System Summary	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API
Yara signature match	System Summary
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion File and Directory Discovery
Detected potential crypto function	System Summary	Process Discovery
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	Native API File and Directory Discovery
Drops PE files	Persistence and Installation Behavior
Contains functionality to enumerate device drivers	Malware Analysis System Evasion	Process Discovery
Checks for available system drives (often done to infect USB drives)	Spreading	Replication Through Removable Media Peripheral Device Discovery
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Sample is known by Antivirus	System Summary
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Uses an in-process (OLE) Automation server	System Summary
Creates files inside the user directory	System Summary	Masquerading
Contains functionality to check free disk space	System Summary
Queries a list of all running drivers	Malware Analysis System Evasion	System Information Discovery
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder File and Directory Discovery
Contains functionality to enum processes or threads	System Summary	Process Discovery
Program exit points	Malware Analysis System Evasion
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
URLs found in memory or binary data	Networking
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Reads the hosts file	System Summary	Remote System Discovery Ingress Tool Transfer
Contains functionality to import cryptographic keys (often used in ransomware)	Spam, unwanted Advertisements and Ransom Demands	Archive Collected Data Data Encrypted for Impact
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\AppData\Roaming\Microsoft\ykbxzh.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\ykbxzh.exe
Category:	dropped
Dump:	ykbxzh.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\BUgAyPXboK.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	4.804310863125555
Encrypted:	false
Ssdeep:	1536:4gSeGDjtQhnwmmB0yjMqqUM2mr3IdE8mne0Avu5r++yy7CA7GcIaapavdv:4MSjOnrmBbMqqMmr3IdE8we0Avu5r++N
Size:	75264
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Gandcrab	Spam, unwanted Advertisements and Ransom Demands
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found evaded block containing many API calls	Malware Analysis System Evasion	Native API
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	System Information Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Creates files inside the user directory	System Summary	Masquerading
Program exit points	Malware Analysis System Evasion
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a
Category:	dropped
Dump:	21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\BUgAyPXboK.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	2221
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\BUgAyPXboK.exe

"C:\Users\user\Desktop\BUgAyPXboK.exe"