Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

O8ZHhytWhn.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.421564704960313
Filename:	O8ZHhytWhn.exe
Filesize:	71168
MD5:	b39febf7440b58a6cd15ae9f01916f98
SHA1:	66984e561fc5feead5ef9790f79bffd7778ac1e2
SHA256:	9c689986ca8e0b4fd93657ad9ed5c37994ccf591c90d5fba85684f2d0f49e1b9
SHA512:	3080283a04ddf66d59cf8309fb2fb1720a094fdfd408b74d8483e1e6f8712b236f8b6f62335e8bdab060ef993e4cdf92822c6cd83483a1876450ba0447e90796
SSDEEP:	1536:7ZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAwfMqqU+2bbbAV2/S2Lkvd9:7BounVyFHpfMqqDL2/Lkvd
Preview:	MZ......................@...............................................!..L.!This .j0.#.m cannot be run in DOS mode....$.........Tg..:4..:4..:4...4..:4...4..:4...4..:4..:4..:4...4..:4..;42.:4...4..:4...4..:4...4..:4...4..:4Rich..:4........PE..L....Z.Z...

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Antivirus / Scanner detection for submitted sample	AV Detection
Contains functionality to determine the online IP of the system	Networking	System Network Configuration Discovery System Network Connections Discovery
Found Tor onion address	Networking	Proxy
Uses nslookup.exe to query domains	Networking
Machine Learning detection for sample	AV Detection
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Performs many domain queries via nslookup	Networking	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Yara signature match	System Summary
Antivirus or Machine Learning detection for unpacked file	AV Detection	Software Packing
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion File and Directory Discovery
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data Encrypted Channel
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	File and Directory Discovery
Drops PE files	Persistence and Installation Behavior
Contains functionality to read the PEB	Anti Debugging
Contains functionality to enumerate device drivers	Malware Analysis System Evasion	Process Discovery
Checks for available system drives (often done to infect USB drives)	Spreading	Replication Through Removable Media
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	System Network Configuration Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Sample is known by Antivirus	System Summary
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Uses an in-process (OLE) Automation server	System Summary
Creates files inside the user directory	System Summary	Masquerading
Contains functionality to check free disk space	System Summary
Queries a list of all running drivers	Malware Analysis System Evasion
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder File and Directory Discovery
Contains functionality to enum processes or threads	System Summary	Process Discovery
Program exit points	Malware Analysis System Evasion
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
URLs found in memory or binary data	Networking
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Reads the hosts file	System Summary	Remote System Discovery Ingress Tool Transfer
Contains functionality to import cryptographic keys (often used in ransomware)	Spam, unwanted Advertisements and Ransom Demands	Data Encrypted for Impact
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\wjaoab.exe
Category:	dropped
Dump:	wjaoab.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\O8ZHhytWhn.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.4214958624218355
Encrypted:	false
Ssdeep:	1536:KZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAwfMqqU+2bbbAV2/S2Lkvd9:8BounVyFHpfMqqDL2/Lkvd
Size:	71168
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Gandcrab	Spam, unwanted Advertisements and Ransom Demands
Yara detected ReflectiveLoader	Data Obfuscation
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Native API
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found evaded block containing many API calls	Malware Analysis System Evasion	Native API
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	System Information Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Creates files inside the user directory	System Summary	Masquerading
Program exit points	Malware Analysis System Evasion
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a
Category:	dropped
Dump:	eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\O8ZHhytWhn.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	2222
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\O8ZHhytWhn.exe

"C:\Users\user\Desktop\O8ZHhytWhn.exe"