Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Order_002376662-579588_Date 24082022.exe

PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy:	7.509543109745029
Filename:	Order_002376662-579588_Date 24082022.exe
Filesize:	195584
MD5:	8c2a59bd88b7e2c26045a604ed544288
SHA1:	7efb014d57608ff6a2805baf4dd7c150792e6eb4
SHA256:	0d4b100e641aad426a916cb326d20f8fe44e32ca38f7a85c505135036c6b44af
SHA512:	ca6d126b62418c1c9fe6b6c0b0418a7253b6200a179af844bd80f67c055375c51d9b268242ea9ff3e15b0c3d867d84c19508229580605cbaac8460fa9a9bec17
SSDEEP:	3072:RNzPHk9MpcDj6OzDjWubsfxAjaWde+mzaOyrxmIW//z7GfvGxkTjk3kfSD:RhRupsfKW7+me6//z7GvQ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...*.uY.................b.........

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Tries to detect Any.run	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary	Masquerading
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Creates files inside the system directory	System Summary
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Contains functionality to call native functions	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging	Security Software Discovery
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
PE file contains strange resources	System Summary
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion
PE / OLE file has an invalid certificate	System Summary	File and Directory Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Sample is known by Antivirus	System Summary	Windows Service Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Reads ini files	System Summary
Contains functionality to check free disk space	System Summary	System Information Discovery
Queries a list of all running drivers	Malware Analysis System Evasion
Contains functionality to query windows version	Language, Device and Operating System Detection
Program exit points	Malware Analysis System Evasion	Windows Service
URLs found in memory or binary data	Networking
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Creates a software uninstall entry	Compliance, System Summary	Windows Service

C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

modified

Details

File:	C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll
Category:	modified
Dump:	System.dll.2.dr
ID:	dr_6
Target ID:	2
Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	5.767999234165119
Encrypted:	false
Ssdeep:	192:cPtkumJX7zBE2kGwfy9S9VkPsFQ1MZ1c:N7O2k5q9wA1MZa
Size:	11264
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Forhaanet.Nab

ASCII text, with very long lines, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Forhaanet.Nab
Category:	dropped
Dump:	Forhaanet.Nab.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
Type:	ASCII text, with very long lines, with no line terminators
Entropy:	3.9994965063204706
Encrypted:	false
Ssdeep:	768:K3xU0sST74YF3ZeaYDqKjmgtajzKmFGMiElvFoe2:2Tsusm3ODqK/Imlh
Size:	29564
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll

PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll
Category:	dropped
Dump:	GPUPowerSavingConfigEditor.dll.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
Type:	PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	6.0996914820635295
Encrypted:	false
Ssdeep:	384:sQ1QmY/8eFuAYNAx4klQvhI0tUA9wZmjML9S/3oche5ZP2TFn0E0C04Haqk6Olkm:s0YvT4ZbzRj1foHGpzkkF2X9Dh/
Size:	31456
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\face-cool.png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\face-cool.png
Category:	dropped
Dump:	face-cool.png.2.dr
ID:	dr_4
Target ID:	2
Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Entropy:	7.722985666159481
Encrypted:	false
Ssdeep:	24:47y7zZd6D14lz6mML1mc2TvTl4P5VwbxjoUWBx9:57mD14lz61gTv+P5Vwtj0
Size:	845
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers\Aqua_20.bmp

JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, frames 3

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers\Aqua_20.bmp
Category:	dropped
Dump:	Aqua_20.bmp.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, frames 3
Entropy:	7.8975477212121925
Encrypted:	false
Ssdeep:	192:oXRnOJl+MmnEjHXjbDkd914gmMJrq03QVWpen7d:KRHMmn2XjXQ1VqaQVWs7d
Size:	8419
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Noneffervescently.Cre

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Noneffervescently.Cre
Category:	dropped
Dump:	Noneffervescently.Cre.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
Type:	data
Entropy:	6.8469376549161245
Encrypted:	false
Ssdeep:	1536:cYUYKcQR5Y+GAjmU8R20KnRFr/ASso1gQa0CozxqDkHHB+Q/vGmHi:cYvuY+1J8R2bFbAYGQa09zxqDk++GmHi
Size:	105498
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79\iso_3166-1.json

UTF-8 Unicode text

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79\iso_3166-1.json
Category:	dropped
Dump:	iso_3166-1.json.2.dr
ID:	dr_5
Target ID:	2
Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
Type:	UTF-8 Unicode text
Entropy:	4.260373998588477
Encrypted:	false
Ssdeep:	192:OU+NvXvwEXFo+Hco8/+8IXAMaM2LkAAVemLK9f8QayVEJUfYZqAmULr:OU+Eo8ZLMaMWlAVemOZwyyOwMAmUX
Size:	36718
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2812
Target ID:	2
Parent PID:	5772
Name:	Order_002376662-579588_Date 24082022.exe
Path:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
Commandline:	"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"
Size:	195584
MD5:	8C2A59BD88B7E2C26045A604ED544288
Time:	00:01:06
Date:	01/09/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	278528
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Initial sample is a PE file and has a suspicious name	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE / OLE file has an invalid certificate	System Summary
PE file contains strange resources	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3112
Target ID:	4
Parent PID:	2812
Name:	CasPol.exe
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Commandline:	"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"
Size:	106496
MD5:	7BAE06CBE364BB42B8C34FCFB90E3EBD
Time:	00:01:25
Date:	01/09/2022
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xb90000
Modulesize:	122880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4392
Target ID:	5
Parent PID:	3112
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	875008
MD5:	81CA40085FC75BABD2C91D18AA9FFA68
Time:	00:01:25
Date:	01/09/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7c1b30000
Modulesize:	901120
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://crl.certum.pl/ctnca2.crl0l

unknown

http://repository.certum.pl/ctnca2.cer09

unknown

http://crl.certum.pl/ctsca2021.crl0o

unknown

http://nsis.sf.net/NSIS_Error

unknown

http://repository.certum.pl/ctnca.cer09

unknown

http://nsis.sf.net/NSIS_ErrorError

unknown

http://repository.certum.pl/ctsca2021.cer0

unknown

http://crl.certum.pl/ctnca.crl0k

unknown

http://subca.ocsp-certum.com05

unknown

http://www.certum.pl/CPS0

unknown

http://subca.ocsp-certum.com02

unknown

http://subca.ocsp-certum.com01

unknown

There are 2 hidden URLs, click here to show them.

Domains

Name

Malicious

mnhckm.tk

45.8.132.92

Details

Name:	mnhckm.tk
IP:	45.8.132.92
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

45.8.132.92

mnhckm.tk

Germany

Details

IP:	45.8.132.92
TargetID:	4
Current Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Country:	Germany
Countrycode:	DEU
ASN number:	61317
ASN name:	ASDETUKhttpwwwheficedcomGB
Private:	false
Domain:	mnhckm.tk

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Platooned\Ananthropism

Swithen

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Trakeotomis

Brndboringen

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fallalishly

Navigationsskoler

HKEY_CURRENT_USER\SOFTWARE\Outsnores\Begre\Bonusernes\Skovdistrikts

Chold146

Memdumps

Base Address

Regiontype

Protect

Malicious

F70000

remote allocation

page execute and read and write

F70000

remote allocation

page execute and read and write

3500000

direct allocation

page execute and read and write

422000

unkown

page read and write

F60000

remote allocation

page read and write

1114000

heap

page read and write

E6EB1FB000

stack

page read and write

1BF4E632000

heap

page read and write

2CE970CD000

heap

page read and write

2CE9790F000

heap

page read and write

2CE97040000

heap

page read and write

1BF4E613000

heap

page read and write

2CE97024000

heap

page read and write

8D0000

trusted library allocation

page read and write

3410000

heap

page read and write

235F000

stack

page read and write

3601000

trusted library allocation

page read and write

10001000

unkown

page execute read

1BF4E450000

heap

page read and write

14CE000

stack

page read and write

2CE970CD000

heap

page read and write

11D4000

heap

page read and write

10005000

unkown

page readonly

1BF4E67D000

heap

page read and write

2D80000

trusted library allocation

page read and write

158E000

stack

page read and write

2CE97913000

heap

page read and write

17318FA000

stack

page read and write

E6EAFFE000

stack

page read and write

2CE97970000

heap

page read and write

E6EB0FD000

stack

page read and write

3240000

trusted library allocation

page read and write

98000

stack

page read and write

277E000

stack

page read and write

2CE96F20000

unclassified section

page readonly

1BF4EDC0000

trusted library allocation

page read and write

2CE97974000

heap

page read and write

33FC000

stack

page read and write

40A000

unkown

page write copy

1BF4E5D0000

heap

page read and write

4FD000

heap

page read and write

1BF4E602000

heap

page read and write

2CE9793B000

heap

page read and write

400000

unkown

page readonly

10F0000

heap

page read and write

2CE970A4000

heap

page read and write

10D9000

heap

page read and write

1BF4E63B000

heap

page read and write

2CE97970000

heap

page read and write

2CE970B9000

heap

page read and write

E6EB2FE000

stack

page read and write

2CE97102000

heap

page read and write

52C000

heap

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Order_002376662-579588_Date 24082022.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOrder_002376662-579588_Date 24082022.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Order_002376662-579588_Date 24082022.exe