Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

gI5xZdIxUs.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.9754370991350365
Filename:	gI5xZdIxUs.exe
Filesize:	101710
MD5:	98a12ec721c098842fbfd7384d5a72ae
SHA1:	9dfd7d1746c8ae943f3dced0f85f0e3c6f5084f3
SHA256:	f83457d173841c7e944bc60b00c197ca93c864893c71902cf1b1a36decdd30a4
SHA512:	a0b74851a36115822bf619a1a767cd76f57539a87dbbd4d452f309839f903ad7d94937a46acdcbc1e41bb50e381fe0fd2394122ec1260f05722a578030973ed8
SSDEEP:	1536:YZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAwfMqqU+2bbbAV2/S2LkvdQ:WBounVyFHpfMqqDL2/LkvdmYvQd2a
Preview:	MZ......................@...............................................!..L.!This .<].e.m cannot be run in DOS mode....$.........Tg..:4..:4..:4...4..:4...4..:4...4..:4..:4..:4...4..:4..;42.:4...4..:4...4..:4...4..:4...4..:4Rich..:4........PE..L....Z.Z...

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Antivirus / Scanner detection for submitted sample	AV Detection
Contains functionality to determine the online IP of the system	Networking	System Network Connections Discovery
Found Tor onion address	Networking	Proxy
Uses nslookup.exe to query domains	Networking	System Network Configuration Discovery
Machine Learning detection for sample	AV Detection
May check the online IP address of the machine	Networking
Performs many domain queries via nslookup	Networking
Uses 32bit PE files	Compliance, System Summary	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Yara signature match	System Summary
Antivirus or Machine Learning detection for unpacked file	AV Detection	Software Packing
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion File and Directory Discovery
PE file contains sections with non-standard names	Data Obfuscation
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data Encrypted Channel
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a DirectInput object (often for capturing keystrokes)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	File and Directory Discovery
Drops PE files	Persistence and Installation Behavior
Contains functionality to read the PEB	Anti Debugging
Contains functionality to enumerate device drivers	Malware Analysis System Evasion	System Information Discovery Process Discovery
Checks for available system drives (often done to infect USB drives)	Spreading	Replication Through Removable Media
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Sample is known by Antivirus	System Summary
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Uses an in-process (OLE) Automation server	System Summary
Creates files inside the user directory	System Summary	Masquerading
Contains functionality to check free disk space	System Summary
Queries a list of all running drivers	Malware Analysis System Evasion
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder File and Directory Discovery
Contains functionality to enum processes or threads	System Summary	Process Discovery
Program exit points	Malware Analysis System Evasion
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
URLs found in memory or binary data	Networking
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Reads the hosts file	System Summary	Remote System Discovery Ingress Tool Transfer
Contains functionality to import cryptographic keys (often used in ransomware)	Spam, unwanted Advertisements and Ransom Demands	Data Encrypted for Impact
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\isqmkp.exe
Category:	dropped
Dump:	isqmkp.exe.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Users\user\Desktop\gI5xZdIxUs.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.97549755837271
Encrypted:	false
Ssdeep:	1536:dZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAwfMqqU+2bbbAV2/S2LkvdQ:BBounVyFHpfMqqDL2/LkvdmYvQd2a
Size:	101710
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Gandcrab	Spam, unwanted Advertisements and Ransom Demands
Yara detected ReflectiveLoader	Data Obfuscation
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found evaded block containing many API calls	Malware Analysis System Evasion	Native API
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	System Information Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Creates files inside the user directory	System Summary	Masquerading
Program exit points	Malware Analysis System Evasion
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a
Category:	dropped
Dump:	414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Users\user\Desktop\gI5xZdIxUs.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	2218
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\gI5xZdIxUs.exe

"C:\Users\user\Desktop\gI5xZdIxUs.exe"