Automated Malware Analysis IOC Report for

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.026777813646962
Filename:	file.exe
Filesize:	150016
MD5:	417429fd2a6efc7f87c32696c8545146
SHA1:	04624a0080341cc2409f76bd1f5d9def049f46a9
SHA256:	d15624abf29ec8f68092007b8359b03182e3a82b0d8b8c3cd72f1d765e8ca1bb
SHA512:	6228d5d3f0c30ad84aec299726ab380cfc73cb39c77423c68f7e992ce581be1c768c0c4e0d3c7056d58a5b155cf88d4532b5354f24dfaf1a2d885e9baf6d01f9
SSDEEP:	1536:QvUCiG3nFYWlYNrlaREKm/FvwUMaNualmNH/gAsuaiug5i9CnXMji/7WDP8QOS7j:Gzi3/adkvwYWHfrcOhXMj8WocEl4EsO
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}...............N1......N'.................D....N ......N0......N5.....Rich............PE..L...Zm.`.....................8.....

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Creates a thread in another existing process (thread injection)	HIPS / PFW / Operating System Protection Evasion
Checks if the current machine is a virtual machine (disk enumeration)	Malware Analysis System Evasion
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))	Anti Debugging
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Detected potential crypto function	System Summary	Archive Collected Data
Contains functionality to read the PEB	Anti Debugging
Checks if the current process is being debugged	Anti Debugging
Uses 32bit PE files	Compliance, System Summary	Masquerading
Contains functionality to call native functions	System Summary
PE file contains executable resources (Code or Archives)	System Summary
PE file has an executable .text section and no other executable section	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Reads software policies	System Summary
Queries a list of all running drivers	Malware Analysis System Evasion	System Information Discovery
PE file contains a debug data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary

Details

File:	C:\Users\user\AppData\LocalLow\freebl3.dll
Category:	dropped
Dump:	freebl3.dll.20.dr
ID:	dr_17
Target ID:	20
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.857030838615762
Encrypted:	false
Ssdeep:	12288:0oUg2twzqWC4kBNv1pMByWk6TYnhCevOEH07OqHM65BaFBuY3NUNeCLIV/Rqnhab:0oUg2tJWC44WUuY3mMCLA/R+hw
Size:	684984
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\Users\user\AppData\LocalLow\mozglue.dll
Category:	dropped
Dump:	mozglue.dll.20.dr
ID:	dr_16
Target ID:	20
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.792651884784197
Encrypted:	false
Ssdeep:	12288:dfsiG5KNZea77VUHQqROmbIDm0ICRfCtbtEE/2OH9E2ARlZYSd:df53NZea3V+QqROmum0nRKx79E2ARlrd
Size:	627128
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
DLL side loading technique detected	HIPS / PFW / Operating System Protection Evasion	DLL Side-Loading
Drops PE files	Persistence and Installation Behavior

Details

File:	C:\Users\user\AppData\LocalLow\nss3.dll
Category:	dropped
Dump:	nss3.dll.20.dr
ID:	dr_13
Target ID:	20
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.775178510549486
Encrypted:	false
Ssdeep:	49152:6dvFywfzFAF7fg39IwA49Kap9bGt+qoStYnOsbqbeQom7gN7BpDD5SkIN1g5D92+:pptximYfpx8OwNiVG09
Size:	2042296
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
DLL side loading technique detected	HIPS / PFW / Operating System Protection Evasion	DLL Side-Loading
Drops PE files	Persistence and Installation Behavior

Details

File:	C:\Users\user\AppData\LocalLow\softokn3.dll
Category:	dropped
Dump:	softokn3.dll.20.dr
ID:	dr_18
Target ID:	20
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.686038834818694
Encrypted:	false
Ssdeep:	6144:uI7A8DMhFE2PlKOcpHSvV6x/CHQyhvs277H0mhWGzTdtb2bbIFxW7zrM2ruyYz+h:uI7A8DMhFE2PlbcpSv0x/CJVUmhDzTvS
Size:	254392
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\Users\user\AppData\LocalLow\sqlite3.dll
Category:	dropped
Dump:	sqlite3.dll.20.dr
ID:	dr_19
Target ID:	20
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy:	6.502588297211263
Encrypted:	false
Ssdeep:	24576:9jxwSkSteuT4P/y7HjsXAGJyGvN5z4Rui2IXLbO:9Vww8HyrjsvyWN54RZH+
Size:	1099223
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
DLL side loading technique detected	HIPS / PFW / Operating System Protection Evasion	DLL Side-Loading
Drops PE files	Persistence and Installation Behavior

Details

File:	C:\Users\user\AppData\Local\Temp\253.exe
Category:	dropped
Dump:	253.exe.1.dr
ID:	dr_4
Target ID:	1
Process:	C:\Windows\explorer.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.889244227649686
Encrypted:	false
Ssdeep:	12288:eXDfwGHmnTxDkpJf6UdYVMtIqZONCBuVEQ32uO7QDnJSzVKxZOlsoe0PX:eDGORl5tI+S32/7QDJ4K/YPX
Size:	679936
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for dropped file	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Reads the hosts file	System Summary	Remote System Discovery
Spawns processes	System Summary	Process Injection

Details

File:	C:\Users\user\AppData\Local\Temp\959.exe
Category:	modified
Dump:	959.exe.1.dr
ID:	dr_5
Target ID:	1
Process:	C:\Windows\explorer.exe
Type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	6.219735995622874
Encrypted:	false
Ssdeep:	24576:wEMtlaEDmxWVYOYtKjWVIUvuMB1d87Lzdzvg7/AfTx7lJIDLbSZGl3RuQ553136:wjlHKxYBxlsIfTx7lJIDi0l3U
Size:	2624689
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for dropped file	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Spawns processes	System Summary	Process Injection

Details

File:	C:\Users\user\AppData\Local\Temp\FED8.dll
Category:	dropped
Dump:	FED8.dll.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Windows\explorer.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	7.856211151221828
Encrypted:	false
Ssdeep:	24576:KtAdxxejFTVAIWACMbKiW49UBDIPXqXYRkyXB7b5kCLMdl88j8ipxv/TR54F:DeBR2ACM1QIPyYZB79x+8G5p1/z4F
Size:	1323008
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Details

File:	C:\Users\user\AppData\Roaming\sfrvjvv
Category:	dropped
Dump:	sfrvjvv.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Windows\explorer.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.026777813646962
Encrypted:	false
Ssdeep:	1536:QvUCiG3nFYWlYNrlaREKm/FvwUMaNualmNH/gAsuaiug5i9CnXMji/7WDP8QOS7j:Gzi3/adkvwYWHfrcOhXMj8WocEl4EsO
Size:	150016
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Checks if the current machine is a virtual machine (disk enumeration)	Malware Analysis System Evasion	Security Software Discovery
Creates a thread in another existing process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Machine Learning detection for dropped file	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection

Details

File:	C:\Users\user\AppData\Roaming\sfrvjvv:Zone.Identifier
Category:	dropped
Dump:	sfrvjvv_Zone.Identifier.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Windows\explorer.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Checks if the current machine is a virtual machine (disk enumeration)	Malware Analysis System Evasion	Security Software Discovery
Creates a thread in another existing process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Machine Learning detection for dropped file	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion

Details

File:	C:\Users\user\AppData\LocalLow\22wTvv5mR62E
Category:	dropped
Dump:	22wTvv5mR62E.20.dr
ID:	dr_21
Target ID:	20
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 10
Entropy:	0.4393511334109407
Encrypted:	false
Ssdeep:	24:TLqlj1czkwubXYFpFNYcw+6UwcYzHrSl:TyxcYwuLopFgU1YzLSl
Size:	28672
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\Users\user\AppData\LocalLow\GOpRcXXjoWmm
Category:	dropped
Dump:	GOpRcXXjoWmm.20.dr
ID:	dr_20
Target ID:	20
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Entropy:	0.7876734657715041
Encrypted:	false
Ssdeep:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
Size:	49152
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\Users\user\AppData\LocalLow\Zsrw9A4N7Zio
Category:	dropped
Dump:	Zsrw9A4N7Zio.20.dr
ID:	dr_10
Target ID:	20
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Entropy:	1.2889923589460437
Encrypted:	false
Ssdeep:	192:Qo1/8dpUXbSzTPJP/6oVuss8Ewn7PrH944:QS/inXrVuss8Ewn7b944
Size:	94208
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\Users\user\AppData\LocalLow\msvcp140.dll
Category:	dropped
Dump:	msvcp140.dll.20.dr
ID:	dr_14
Target ID:	20
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy:	6.670243582402913
Encrypted:	false
Ssdeep:	12288:UEPa9C9VbL+3Omy5CvyOvzeOKaqhUgiW6QR7t5s03Ooc8dHkC2esGgW8g:UEPa90Vbky5CvyUeOKg03Ooc8dHkC2ed
Size:	449280
Whitelisted:	true
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Details

File:	C:\Users\user\AppData\LocalLow\rE5287BD83io
Category:	dropped
Dump:	rE5287BD83io.20.dr
ID:	dr_11
Target ID:	20
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Entropy:	1.2889923589460437
Encrypted:	false
Ssdeep:	192:Qo1/8dpUXbSzTPJP/6oVuss8Ewn7PrH944:QS/inXrVuss8Ewn7b944
Size:	94208
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\Users\user\AppData\LocalLow\vcruntime140.dll
Category:	dropped
Dump:	vcruntime140.dll.20.dr
ID:	dr_15
Target ID:	20
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy:	6.906674531653877
Encrypted:	false
Ssdeep:	1536:l9j/j2886xv555et/MCsjw0BuRK3jteopUecbAdz86B+JfBL+eNv:l9j/j28V55At/zqw+IqLUecbAdz8lJrv
Size:	80128
Whitelisted:	true
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Details

File:	C:\Users\user\AppData\LocalLow\zpW7O7U8iJFQ
Category:	dropped
Dump:	zpW7O7U8iJFQ.20.dr
ID:	dr_12
Target ID:	20
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Entropy:	7.930414350711271
Encrypted:	false
Ssdeep:	3072:W0dFQl2pjXihBUEEoRq6er7A6Yf+3ltXaukKhwR:W0LQkVyhBU+c6eXA6b3lHwR
Size:	105051
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\Users\user\AppData\Local\Temp\144C.tmp
Category:	dropped
Dump:	144C.tmp.17.dr
ID:	dr_8
Target ID:	17
Process:	C:\Windows\SysWOW64\explorer.exe
Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Entropy:	0.7876734657715041
Encrypted:	false
Ssdeep:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
Size:	49152
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\Users\user\AppData\Local\Temp\5A6F.tmp
Category:	dropped
Dump:	5A6F.tmp.17.dr
ID:	dr_9
Target ID:	17
Process:	C:\Windows\SysWOW64\explorer.exe
Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 10
Entropy:	0.4393511334109407
Encrypted:	false
Ssdeep:	24:TLqlj1czkwubXYFpFNYcw+6UwcYzHrSl:TyxcYwuLopFgU1YzLSl
Size:	28672
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\Users\user\AppData\Local\Temp\64FF.tmp
Category:	modified
Dump:	64FF.tmp.17.dr
ID:	dr_7
Target ID:	17
Process:	C:\Windows\SysWOW64\explorer.exe
Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Entropy:	1.2889923589460437
Encrypted:	false
Ssdeep:	192:Qo1/8dpUXbSzTPJP/6oVuss8Ewn7PrH944:QS/inXrVuss8Ewn7b944
Size:	94208
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\Users\user\AppData\Roaming\wjsucgc
Category:	dropped
Dump:	wjsucgc.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Windows\explorer.exe
Type:	data
Entropy:	7.99926196063922
Encrypted:	true
Ssdeep:	6144:TYmClBaYtaOsKuv/LlShAXC+3qlo3W/By+903rkS5Vf9u:hCz13eShAXRoo3oBUbkS5FI
Size:	248887
Whitelisted:	false
Reputation:	timeout

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.15.dr
ID:	dr_6
Target ID:	15
Process:	C:\Users\user\AppData\Local\Temp\959.exe
Type:	ASCII text, with no line terminators
Entropy:	2.1709505944546685
Encrypted:	false
Ssdeep:	3:BXxX2Xn:hxg
Size:	10
Whitelisted:	false
Reputation:	timeout

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

IOC Report
file.exe