Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy:	7.688048037898308
Filename:	CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Filesize:	236896
MD5:	045f22ce9be3d33b07a00780ee66fcfd
SHA1:	91b74e75d55c33d8d82b10bed51ca7d3ad80147c
SHA256:	e05ec32c2edc10b6917a3cbcac9d823cb37db908cc51f3ec459800992e2b8b37
SHA512:	c363c64fe3b52d615601810b577168be5b3339ba6bde011ae0c76bbee76718782f8b737b0c9f6d82d34197045ce1c35389cba26622349bb2c0c77f62ed29d063
SSDEEP:	6144:vT4DtMeWIPR0PVPCespE0s67yIMYxrzWJougaEzEk:vTpeZ00SI18ogC
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...P..`.................h.........

Signature Hits	Behavior Group	Mitre Attack
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion	Native API Security Software Discovery
Executable has a suspicious name (potential lure to open the executable)	System Summary	Masquerading
Uses 32bit PE files	Compliance, System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
PE / OLE file has an invalid certificate	System Summary	File and Directory Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Abnormal high CPU Usage	System Summary	Access Token Manipulation
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Sample reads its own file content	System Summary	Access Token Manipulation
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Program exit points	Malware Analysis System Evasion	Windows Service
URLs found in memory or binary data	Networking
Creates files inside the user directory	System Summary	Masquerading
Enumerates the file system	Spreading, Malware Analysis System Evasion
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Reads ini files	System Summary
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Creates a software uninstall entry	Compliance, System Summary	Windows Service

C:\Users\user\AppData\Local\Temp\nso5721.tmp\System.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nso5721.tmp\System.dll
Category:	dropped
Dump:	System.dll.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	5.737556724687435
Encrypted:	false
Ssdeep:	192:MenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBaIwL:M8+Qlt70Fj/lQRY/9VjjgL
Size:	12288
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

C:\Users\user\AppData\Roaming\Shoved\Factorist\dialog-warning-symbolic.symbolic.png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

Details

File:	C:\Users\user\AppData\Roaming\Shoved\Factorist\dialog-warning-symbolic.symbolic.png
Category:	dropped
Dump:	dialog-warning-symbolic.symbolic.png.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Entropy:	6.880810677512409
Encrypted:	false
Ssdeep:	6:6v/lhPysDQqinrW8/97kGwr/F+Elz3hsKrnLIuYK/SwtNVp:6v/7ZiK817kG3Mz3ZIiSoN7
Size:	286
Whitelisted:	true
Reputation:	low

C:\Users\user\AppData\Roaming\Shoved\skrupforelskede.bin

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Shoved\skrupforelskede.bin
Category:	dropped
Dump:	skrupforelskede.bin.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Type:	data
Entropy:	7.75553468119485
Encrypted:	false
Ssdeep:	1536:bYpDSzihO1IsnBzEfH5ZR0fha22stcSuYZtL+8VdfWuZTJrBWmlRsMM:mDcgO1IeQfH5ZRXstcgKodfhrBBDM
Size:	106887
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Details

Is windows:	false
Is dropped:	false
PID:	2800
Target ID:	0
Parent PID:	3528
Name:	CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Path:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Commandline:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Size:	236896
MD5:	045F22CE9BE3D33B07A00780EE66FCFD
Time:	12:22:10
Date:	03/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	602112
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Executable has a suspicious name (potential lure to open the executable)	System Summary
Initial sample is a PE file and has a suspicious name	System Summary
PE / OLE file has an invalid certificate	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample reads its own file content	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

URLs

Name

Malicious

http://nsis.sf.net/NSIS_ErrorError

unknown

Details

Name:	http://nsis.sf.net/NSIS_ErrorError
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Source:	CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bestyrelsesformanden

Knsdiskriminering

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Unengrossed\assistance\Irrer36\Trasker

Gloomings

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Investigational\Phenomenally\Abortive

nettoprisens

HKEY_CURRENT_USER\Software\Retssags\Minigolfens\Cerutterne\Pisset

Dactylopius

Memdumps

Base Address

Regiontype

Protect

Malicious

2A70000

trusted library allocation

page execute and read and write

684000

heap

page read and write

1DEBBF50000

trusted library allocation

page read and write

400000

unkown

page readonly

874D379000

stack

page read and write

1DEBB24F000

heap

page read and write

1DEBBF66000

trusted library allocation

page read and write

739A6000

unkown

page readonly

5B0000

trusted library allocation

page read and write

1DEBB5C0000

trusted library allocation

page read and write

874D2FF000

stack

page read and write

19A000

stack

page read and write

287F000

stack

page read and write

1DEBBF6A000

trusted library allocation

page read and write

1DEBB5B5000

heap

page read and write

401000

unkown

page execute read

1DEBBF64000

trusted library allocation

page read and write

739A1000

unkown

page execute read

1DEBC210000

heap

page readonly

1DEBB5B0000

heap

page read and write

47E000

unkown

page readonly

40A000

unkown

page read and write

C36000

heap

page read and write

22F0000

heap

page read and write

1DEBC1D0000

trusted library allocation

page read and write

40A000

unkown

page write copy

1DEBB250000

heap

page read and write

1DEBBF40000

trusted library allocation

page read and write

277E000

stack

page read and write

1DEBB252000

heap

page read and write

1DEBB248000

heap

page read and write

874D07B000

stack

page read and write

874D279000

stack

page read and write

6FC000

heap

page read and write

1DEBBF60000

trusted library allocation

page read and write

874D1F9000

stack

page read and write

440000

unkown

page read and write

47E000

unkown

page readonly

2990000

trusted library allocation

page read and write

1DEBBF62000

trusted library allocation

page read and write

30000

heap

page read and write

1DEBC230000

trusted library allocation

page read and write

2250000

heap

page read and write

6DB000

heap

page read and write

6A0000

heap

page read and write

605000

heap

page read and write

1DEBB210000

heap

page read and write

1DEBB24F000

heap

page read and write

1DEBBFB0000

trusted library allocation

page read and write

29A0000

trusted library allocation

page read and write

408000

unkown

page readonly

437000

unkown

page read and write

C30000

heap

page read and write

97000

stack

page read and write

6A8000

heap

page read and write

2980000

trusted library allocation

page read and write

874D3FC000

stack

page read and write

431000

unkown

page read and write

47B000

unkown

page read and write

680000

heap

page read and write

273F000

stack

page read and write

600000

heap

page read and write

1DEBBFC0000

trusted library allocation

page read and write

460000

unkown

page read and write

1DEBB3D0000

heap

page read and write

1DEBB200000

heap

page read and write

1DEBB208000

heap

page read and write

1DEBBFC6000

trusted library allocation

page read and write

739A4000

unkown

page readonly

1DEBB170000

heap

page read and write

739A0000

unkown

page readonly

1DEBC220000

trusted library allocation

page read and write

1DEBB5B9000

heap

page read and write

408000

unkown

page readonly

22AE000

stack

page read and write

401000

unkown

page execute read

1DEBC280000

trusted library allocation

page read and write

1DEBC200000

trusted library allocation

page read and write

400000

unkown

page readonly

1DEBB271000

heap

page read and write

1DEBB180000

trusted library allocation

page read and write

1DEBB1E0000

heap

page read and write

There are 72 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportCONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Files

Processes

URLs

Registry

Memdumps

IOC Report
CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe