Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Order_002376662-579588_Date 24082022.exe

PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy:	7.509543109745029
Filename:	Order_002376662-579588_Date 24082022.exe
Filesize:	195584
MD5:	8c2a59bd88b7e2c26045a604ed544288
SHA1:	7efb014d57608ff6a2805baf4dd7c150792e6eb4
SHA256:	0d4b100e641aad426a916cb326d20f8fe44e32ca38f7a85c505135036c6b44af
SHA512:	ca6d126b62418c1c9fe6b6c0b0418a7253b6200a179af844bd80f67c055375c51d9b268242ea9ff3e15b0c3d867d84c19508229580605cbaac8460fa9a9bec17
SSDEEP:	3072:RNzPHk9MpcDj6OzDjWubsfxAjaWde+mzaOyrxmIW//z7GfvGxkTjk3kfSD:RhRupsfKW7+me6//z7GvQ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...*.uY.................b.........

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion	Native API Security Software Discovery System Information Discovery
Uses 32bit PE files	Compliance, System Summary
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
PE file contains strange resources	System Summary
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Creates files inside the system directory	System Summary	Masquerading
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
PE / OLE file has an invalid certificate	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Abnormal high CPU Usage	System Summary	Access Token Manipulation
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Sample is known by Antivirus	System Summary	Windows Service Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to query windows version	Language, Device and Operating System Detection
Program exit points	Malware Analysis System Evasion	Windows Service
URLs found in memory or binary data	Networking
Creates files inside the user directory	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Reads ini files	System Summary	File and Directory Discovery
Contains functionality to check free disk space	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Creates a software uninstall entry	Compliance, System Summary	Windows Service

C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

modified

Details

File:	C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll
Category:	modified
Dump:	System.dll.2.dr
ID:	dr_6
Target ID:	2
Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	5.767999234165119
Encrypted:	false
Ssdeep:	192:cPtkumJX7zBE2kGwfy9S9VkPsFQ1MZ1c:N7O2k5q9wA1MZa
Size:	11264
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Forhaanet.Nab

ASCII text, with very long lines, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Forhaanet.Nab
Category:	dropped
Dump:	Forhaanet.Nab.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
Type:	ASCII text, with very long lines, with no line terminators
Entropy:	3.9994965063204706
Encrypted:	false
Ssdeep:	768:K3xU0sST74YF3ZeaYDqKjmgtajzKmFGMiElvFoe2:2Tsusm3ODqK/Imlh
Size:	29564
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll

PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll
Category:	dropped
Dump:	GPUPowerSavingConfigEditor.dll.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
Type:	PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	6.0996914820635295
Encrypted:	false
Ssdeep:	384:sQ1QmY/8eFuAYNAx4klQvhI0tUA9wZmjML9S/3oche5ZP2TFn0E0C04Haqk6Olkm:s0YvT4ZbzRj1foHGpzkkF2X9Dh/
Size:	31456
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\face-cool.png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\face-cool.png
Category:	dropped
Dump:	face-cool.png.2.dr
ID:	dr_4
Target ID:	2
Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Entropy:	7.722985666159481
Encrypted:	false
Ssdeep:	24:47y7zZd6D14lz6mML1mc2TvTl4P5VwbxjoUWBx9:57mD14lz61gTv+P5Vwtj0
Size:	845
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers\Aqua_20.bmp

JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, frames 3

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers\Aqua_20.bmp
Category:	dropped
Dump:	Aqua_20.bmp.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, frames 3
Entropy:	7.8975477212121925
Encrypted:	false
Ssdeep:	192:oXRnOJl+MmnEjHXjbDkd914gmMJrq03QVWpen7d:KRHMmn2XjXQ1VqaQVWs7d
Size:	8419
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Noneffervescently.Cre

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Noneffervescently.Cre
Category:	dropped
Dump:	Noneffervescently.Cre.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
Type:	data
Entropy:	6.8469376549161245
Encrypted:	false
Ssdeep:	1536:cYUYKcQR5Y+GAjmU8R20KnRFr/ASso1gQa0CozxqDkHHB+Q/vGmHi:cYvuY+1J8R2bFbAYGQa09zxqDk++GmHi
Size:	105498
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79\iso_3166-1.json

UTF-8 Unicode text

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79\iso_3166-1.json
Category:	dropped
Dump:	iso_3166-1.json.2.dr
ID:	dr_5
Target ID:	2
Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
Type:	UTF-8 Unicode text
Entropy:	4.260373998588477
Encrypted:	false
Ssdeep:	192:OU+NvXvwEXFo+Hco8/+8IXAMaM2LkAAVemLK9f8QayVEJUfYZqAmULr:OU+Eo8ZLMaMWlAVemOZwyyOwMAmUX
Size:	36718
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6508
Target ID:	2
Parent PID:	5336
Name:	Order_002376662-579588_Date 24082022.exe
Path:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
Commandline:	"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"
Size:	195584
MD5:	8C2A59BD88B7E2C26045A604ED544288
Time:	23:51:11
Date:	31/08/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	278528
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Initial sample is a PE file and has a suspicious name	System Summary
PE / OLE file has an invalid certificate	System Summary
PE file contains strange resources	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

URLs

Name

Malicious

http://crl.certum.pl/ctnca2.crl0l

unknown

http://repository.certum.pl/ctnca2.cer09

unknown

http://crl.certum.pl/ctsca2021.crl0o

unknown

http://nsis.sf.net/NSIS_Error

unknown

http://repository.certum.pl/ctnca.cer09

unknown

http://nsis.sf.net/NSIS_ErrorError

unknown

http://repository.certum.pl/ctsca2021.cer0

unknown

http://crl.certum.pl/ctnca.crl0k

unknown

http://subca.ocsp-certum.com05

unknown

http://www.certum.pl/CPS0

unknown

http://subca.ocsp-certum.com02

unknown

http://subca.ocsp-certum.com01

unknown

There are 2 hidden URLs, click here to show them.

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Platooned\Ananthropism

Swithen

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Trakeotomis

Brndboringen

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fallalishly

Navigationsskoler

HKEY_CURRENT_USER\Software\Outsnores\Begre\Bonusernes\Skovdistrikts

Chold146

Memdumps

Base Address

Regiontype

Protect

Malicious

30C0000

direct allocation

page execute and read and write

7717B77000

stack

page read and write

1E962030000

heap

page read and write

13FFFA29000

heap

page read and write

7F8000

heap

page read and write

14000102000

heap

page read and write

24D2FB00000

heap

page read and write

7F2000

heap

page read and write

13FFF9F0000

trusted library allocation

page read and write

401000

unkown

page execute read

24D2FA53000

heap

page read and write

14004F02000

heap

page read and write

C6CE7A000

stack

page read and write

78E000

stack

page read and write

7F5000

heap

page read and write

400000

unkown

page readonly

1883A452000

heap

page read and write

14000118000

heap

page read and write

1883A44B000

heap

page read and write

14000015000

heap

page read and write

702E27F000

stack

page read and write

13FFFA13000

heap

page read and write

22F88254000

heap

page read and write

277A000

trusted library allocation

page read and write

702E577000

stack

page read and write

1883A421000

heap

page read and write

2424000

heap

page read and write

24D2F900000

heap

page read and write

401000

unkown

page execute read

13FFFA79000

heap

page read and write

13FFF9C0000

heap

page read and write

14004E3D000

heap

page read and write

13FFFAA1000

heap

page read and write

14004EB7000

heap

page read and write

40A000

unkown

page write copy

239F000

stack

page read and write

1B8AEF9000

stack

page read and write

14005024000

trusted library allocation

page read and write

1883A44D000

heap

page read and write

24D2FA29000

heap

page read and write

1883A488000

heap

page read and write

14004DC0000

trusted library allocation

page read and write

C6D07F000

stack

page read and write

1883A43C000

heap

page read and write

24D2FA4B000

heap

page read and write

690127D000

stack

page read and write

C6CCF9000

stack

page read and write

14000BF1000

trusted library allocation

page read and write

24D2FB08000

heap

page read and write

690117F000

stack

page read and write

14004DF0000

trusted library allocation

page read and write

13FFFAB3000

heap

page read and write

69009DB000

stack

page read and write

24D2FB02000

heap

page read and write

14005004000

trusted library allocation

page read and write

24D2FA82000

heap

page read and write

14004DD0000

trusted library allocation

page read and write

2420000

heap

page read and write

C6C4F7000

stack

page read and write

1883A44C000

heap

page read and write

43C000

unkown

page readonly

1E962052000

heap

page read and write

14004E00000

heap

page read and write

1E96201F000

heap

page read and write

13FFF950000

heap

page read and write

1E961F10000

heap

page read and write

1883A467000

heap

page read and write

14004EAD000

heap

page read and write

13FFFAFE000

heap

page read and write

14004EFB000

heap

page read and write

C6CB7F000

stack

page read and write

702DFBD000

stack

page read and write

13FFFFD0000

trusted library section

page read and write

1883A508000

heap

page read and write

22F87FF0000

heap

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Order_002376662-579588_Date 24082022.exe

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOrder_002376662-579588_Date 24082022.exe

Files

Processes

URLs

Registry

Memdumps

IOC Report
Order_002376662-579588_Date 24082022.exe