Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

9gkAKTWOXp.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	4.804368489925485
Filename:	9gkAKTWOXp.exe
Filesize:	75264
MD5:	74e135b472b7496b371ce3ba3acfeea8
SHA1:	b64fdd870ff28291b8347317a838a5fb210a6056
SHA256:	d093322a612760cb00ae6fb4c453851ba26f59f2e6a0920b5871a28bbddf9355
SHA512:	c7c3fc7db77b5d450b857917b4157c2e1d2dcc41e18e248e50139711a04ee9893be26679e969a769113349ef9122387333ec7fe57d4d84dc541a4c9f9e25300b
SSDEEP:	1536:kgSeGDjtQhnwmmB0yjMqqUM2mr3IdE8mne0Avu5r++yy7CA7GcIaapavdv:kMSjOnrmBbMqqMmr3IdE8we0Avu5r++N
Preview:	MZ......................@...............................................!..L.!This ..^.:_m cannot be run in DOS mode....$.......AU@..4...4...4..Ce...4..Ce...4...f...4...4...4...L...4...4/..4...f...4...f...4...f...4..Rich.4..................PE..L...].vZ...

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Antivirus / Scanner detection for submitted sample	AV Detection
Contains functionality to determine the online IP of the system	Networking	System Network Configuration Discovery System Network Connections Discovery
Found Tor onion address	Networking	Proxy
Uses nslookup.exe to query domains	Networking
Machine Learning detection for sample	AV Detection
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses 32bit PE files	Compliance, System Summary	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Yara signature match	System Summary
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion File and Directory Discovery
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data Encrypted Channel
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	File and Directory Discovery
Drops PE files	Persistence and Installation Behavior
Contains functionality to enumerate device drivers	Malware Analysis System Evasion	Process Discovery
Checks for available system drives (often done to infect USB drives)	Spreading	Replication Through Removable Media
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	System Network Configuration Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Sample is known by Antivirus	System Summary
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Uses an in-process (OLE) Automation server	System Summary
Creates files inside the user directory	System Summary	Masquerading
Contains functionality to check free disk space	System Summary
Queries a list of all running drivers	Malware Analysis System Evasion
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder File and Directory Discovery
Contains functionality to enum processes or threads	System Summary	Process Discovery
Program exit points	Malware Analysis System Evasion
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
URLs found in memory or binary data	Networking
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Reads the hosts file	System Summary	Remote System Discovery Ingress Tool Transfer
Contains functionality to import cryptographic keys (often used in ransomware)	Spam, unwanted Advertisements and Ransom Demands	Data Encrypted for Impact
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe
Category:	dropped
Dump:	vkspii.exe.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Users\user\Desktop\9gkAKTWOXp.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	4.804275425971981
Encrypted:	false
Ssdeep:	1536:ugSeGDjtQhnwmmB0yjMqqUM2mr3IdE8mne0Avu5r++yy7CA7GcIaapavdv:uMSjOnrmBbMqqMmr3IdE8we0Avu5r++N
Size:	75264
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Gandcrab	Spam, unwanted Advertisements and Ransom Demands
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found evaded block containing many API calls	Malware Analysis System Evasion	Native API
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	System Information Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Creates files inside the user directory	System Summary	Masquerading
Program exit points	Malware Analysis System Evasion
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a
Category:	dropped
Dump:	414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Users\user\Desktop\9gkAKTWOXp.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	2218
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\9gkAKTWOXp.exe

"C:\Users\user\Desktop\9gkAKTWOXp.exe"