Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ts.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.442416778819568
Filename:	ts.exe
Filesize:	744981
MD5:	ad57d446c107b5abd83b6180456cd0dd
SHA1:	8e277fb9bc97bedc7f7f4ba4390cc36702d87b7c
SHA256:	58d9d7c2d4a4140bbdc16c9b6ab1b56244ebc8b1c3eaa1fc63386bbce7acdb4c
SHA512:	35eaa45de9906131f0020640f11eeef46e10244c09c67018a4723cf4932fc3662fbdb61e230f96ce10f47adb12d46e1cf6dc365c79c92c87b1a2679f222a1983
SSDEEP:	12288:LXZ1QgQQ5KLv9Z/QN1MlFuViQic76k0d3hNnC1Pc2lBrxhirous0o3RcYeqzVR8I:LXV2EplBrPZus04p3CBdOj
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........E........................f...................................................L.......L.n.....L.......Rich...................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Machine Learning detection for sample	AV Detection
Yara signature match	System Summary
Drops PE files	Persistence and Installation Behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	File and Directory Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information Security Software Discovery
PE file contains sections with non-standard names	Data Obfuscation
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Sample reads its own file content	System Summary	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Creates temporary files	System Summary	Security Software Discovery
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Users\user\Desktop\06B049A8.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\Desktop\06B049A8.dll
Category:	dropped
Dump:	06B049A8.dll.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\ts.exe
Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy:	6.020791170598696
Encrypted:	false
Ssdeep:	3072:dvsJ1yYfWqzIcJ6+R8uQyUtjt8F+8uYW5j:R4cYfWqzr4+R8xZCF+dJ
Size:	121344
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\Desktop\62366813.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\Desktop\62366813.dll
Category:	dropped
Dump:	62366813.dll.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\ts.exe
Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy:	6.655206296626177
Encrypted:	false
Ssdeep:	1536:UTPDxXuEznF2kuaKvu0By22/uTjKd0ovxVg0pJvHj4o0iplGnn5A:UbDx+ELlKtG/u69rj4TiplG5
Size:	95232
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Emotet	E-Banking Fraud, Stealing of Sensitive Information
Drops PE files	Persistence and Installation Behavior
Creates files inside the user directory	System Summary	Masquerading

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\ts.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.332868847941536
Encrypted:	false
Ssdeep:	12:RkjUJY/Ux2UA7FrPHOqF9ptE+7i6x6s+0+5v0aYJ4Cjp5KbJzS+Fo6:mjT/cj2POwTql35vNCp5szS6o6
Size:	619
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\ts.exe

Details

Is windows:	true
Is dropped:	false
PID:	3664
Target ID:	0
Parent PID:	3324
Name:	ts.exe
Path:	C:\Users\user\Desktop\ts.exe
Commandline:	C:\Users\user\Desktop\ts.exe
Size:	744981
MD5:	AD57D446C107B5ABD83B6180456CD0DD
Time:	14:06:45
Date:	14/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7a5880000
Modulesize:	671744
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected Emotet	E-Banking Fraud, Stealing of Sensitive Information
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
PE file has an executable .text section and no other executable section	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4724
Target ID:	1
Parent PID:	3664
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	625664
MD5:	EA777DEEA782E8B4D7C7C33BBF8A4496
Time:	14:06:45
Date:	14/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7fcd70000
Modulesize:	651264
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

228231C0000

direct allocation

page read and write

22823350000

direct allocation

page read and write

7FFA0AED1000

unkown

page execute read

7FF7A58FC000

unkown

page write copy

7FF7A58FB000

unkown

page read and write

7FF7A5880000

unkown

page readonly

7FF7A58E2000

unkown

page readonly

7FF7A58FB000

unkown

page write copy

22823180000

heap

page read and write

7FFA0AEE8000

unkown

page read and write

7FF7A591A000

unkown

page read and write

228231A0000

heap

page read and write

7FF7A5881000

unkown

page execute read

7FF7A5881000

unkown

page execute read

7FFA0AEE7000

unkown

page readonly

22823430000

heap

page read and write

7FFA0AED0000

unkown

page readonly

7FF7A5880000

unkown

page readonly

22823435000

heap

page read and write

7D6E77B000

stack

page read and write

7FFA0AEEA000

unkown

page readonly

22823040000

heap

page read and write

7FF7A58E2000

unkown

page readonly

7FF7A591D000

unkown

page readonly

22823258000

heap

page read and write

7FF7A591D000

unkown

page readonly

22823250000

heap

page read and write

There are 17 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ts.exe_

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportts.exe_

Files

Processes

Memdumps

IOC Report
ts.exe_