Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Payment_copy28476450.exe

PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy:	7.918853891717431
Filename:	Payment_copy28476450.exe
Filesize:	247655
MD5:	70e90926399154c2708801a73cf53d99
SHA1:	0eaff8f1cde17a392d9e7935bae96f21c91acc3c
SHA256:	c36de6d07a8ce4407cb59a275dbf8c04d05844903bb6d566f295ccd13a2d4ce6
SHA512:	a6256e11df089a3063738ca0e36eca4ca89ed89ac7530a83394aa1864ba392e87318270529d04b1c72fa0d2cb392ba8c66ebedca335af82ec8fe124814ec9cab
SSDEEP:	6144:QBn1WN747c5LFA0rw3gw8QXRq+/lp7q76lS:gWZ4wa8QXRq+/Pe76lS
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3(..RF..RF..RF.]...RF..RG.pRF.]...RF..qv..RF..T@..RF.Rich.RF.........................PE..L...ly.V.................^.........

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Executable has a suspicious name (potential lure to open the executable)	System Summary	Masquerading
Uses 32bit PE files	Compliance, System Summary	Masquerading
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Creates temporary files	System Summary	Security Software Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation Security Software Discovery
Reads ini files	System Summary	File and Directory Discovery
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Program exit points	Malware Analysis System Evasion
URLs found in memory or binary data	Networking

C:\Users\user\AppData\Local\Temp\wcycejenv.exe

PE32 executable (console) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\wcycejenv.exe
Category:	dropped
Dump:	wcycejenv.exe.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\Payment_copy28476450.exe
Type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	6.549726242729774
Encrypted:	false
Ssdeep:	6144:Qoe9deNmwPG6xFMCgRlXXLRLh7mzMb1iRWuuu9toDVdmqQL17EMRvM/gRUuJ5dX:Qoe9deAwRxFMCgRlXXLRLh7mgb1xuuuz
Size:	340992
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	Data from Local System OS Credential Dumping
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information	Data from Local System OS Credential Dumping
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Tries to steal Mail credentials (via file registry)	Stealing of Sensitive Information	Credentials in Registry
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality for error logging	System Summary
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Information Discovery System Time Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to register its own exception handler	Anti Debugging
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Program exit points	Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads the hosts file	System Summary	Remote System Discovery
Spawns processes	System Summary	Process Injection
Checks if Microsoft Office is installed	System Summary	System Information Discovery

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)

PE32 executable (console) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)
Category:	dropped
Dump:	wcycejenv.exe.0.dr
ID:	dr_6
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\wcycejenv.exe
Type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	6.549726242729774
Encrypted:	false
Ssdeep:	6144:Qoe9deNmwPG6xFMCgRlXXLRLh7mzMb1iRWuuu9toDVdmqQL17EMRvM/gRUuJ5dX:Qoe9deAwRxFMCgRlXXLRLh7mgb1xuuuz
Size:	340992
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

C:\Users\user\AppData\Local\Temp\nsg6B4D.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nsg6B4D.tmp
Category:	dropped
Dump:	nsg6B4D.tmp.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\Payment_copy28476450.exe
Type:	data
Entropy:	7.057848521690541
Encrypted:	false
Ssdeep:	12288:JxcTxTkKZ9roe9deAwRxFMCgRlXXLRLh7mgb1xuuu9toBdmqQGMZRUuJ5:ATxTkQEweAwbqD7vb1xuuu9Edmdl
Size:	459450
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\ntwcyphb.r

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\ntwcyphb.r
Category:	dropped
Dump:	ntwcyphb.r.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Payment_copy28476450.exe
Type:	data
Entropy:	7.955523846750811
Encrypted:	false
Ssdeep:	3072:wjajJkiH9OPjfkivvicRevZjOqhaMItCzjriqZTa5apaaaaaaaaaaaaaaaaaaaal:Q7fk2evZCqhadZqZ1
Size:	106496
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\stvrrcrc.d

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\stvrrcrc.d
Category:	dropped
Dump:	stvrrcrc.d.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Payment_copy28476450.exe
Type:	data
Entropy:	6.234833362351721
Encrypted:	false
Ssdeep:	96:4HXF/taUEVYCVmNFHILHl95DTMQUTPENeG2O3VyKbaj9XPlP:w1/tNECRKZTtkG2W8fP
Size:	5655
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

very short file (no magic)

dropped

Details

File:	C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck
Category:	dropped
Dump:	B52B3F.lck.3.dr
ID:	dr_5
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\wcycejenv.exe
Type:	very short file (no magic)
Entropy:	0.0
Encrypted:	false
Ssdeep:	3:U:U
Size:	1
Whitelisted:	true
Reputation:	high

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a
Category:	dropped
Dump:	21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a.3.dr
ID:	dr_4
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\wcycejenv.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	49
Whitelisted:	true
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Payment_copy28476450.exe

Details

Is windows:	false
Is dropped:	false
PID:	160
Target ID:	0
Parent PID:	3452
Name:	Payment_copy28476450.exe
Path:	C:\Users\user\Desktop\Payment_copy28476450.exe
Commandline:	C:\Users\user\Desktop\Payment_copy28476450.exe
Size:	247655
MD5:	70E90926399154C2708801A73CF53D99
Time:	19:54:02
Date:	24/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	188416
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Executable has a suspicious name (potential lure to open the executable)	System Summary
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Users\user\AppData\Local\Temp\wcycejenv.exe

"C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d

Details

Is windows:	false
Is dropped:	true
PID:	588
Target ID:	1
Parent PID:	160
Name:	wcycejenv.exe
Path:	C:\Users\user\AppData\Local\Temp\wcycejenv.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d
Size:	340992
MD5:	3182BEF520A1E9F52BE3755C25E4C3B0
Time:	19:54:03
Date:	24/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	413696
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Lokibot	Stealing of Sensitive Information
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\wcycejenv.exe

"C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d

Details

Is windows:	false
Is dropped:	true
PID:	5332
Target ID:	3
Parent PID:	588
Name:	wcycejenv.exe
Path:	C:\Users\user\AppData\Local\Temp\wcycejenv.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d
Size:	340992
MD5:	3182BEF520A1E9F52BE3755C25E4C3B0
Time:	19:54:04
Date:	24/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	663552
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Lokibot	Stealing of Sensitive Information
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	584
Target ID:	2
Parent PID:	588
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	625664
MD5:	EA777DEEA782E8B4D7C7C33BBF8A4496
Time:	19:54:03
Date:	24/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6da640000
Modulesize:	651264
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://sempersim.su/gl20/fre.php

95.213.216.202

Details

Name:	http://sempersim.su/gl20/fre.php
IP:	95.213.216.202
TargetID:	3
From Memory:	false
Current Path:	C:\Users\user\AppData\Local\Temp\wcycejenv.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection
Snort IDS alert for network traffic	Networking
URLs found in memory or binary data	Networking

http://kbfvzoboss.bid/alien/fre.php

Details

Name:	http://kbfvzoboss.bid/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Payment_copy28476450.exe
Source:	config extactor

Signature Hits	Behavior Group	Mitre Attack
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Found malware configuration	AV Detection

http://alphastand.win/alien/fre.php

Details

Name:	http://alphastand.win/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Payment_copy28476450.exe
Source:	config extactor

Signature Hits	Behavior Group	Mitre Attack
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Found malware configuration	AV Detection

http://alphastand.trade/alien/fre.php

Details

Name:	http://alphastand.trade/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Payment_copy28476450.exe
Source:	config extactor

Signature Hits	Behavior Group	Mitre Attack
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Found malware configuration	AV Detection

http://alphastand.top/alien/fre.php

Details

Name:	http://alphastand.top/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Payment_copy28476450.exe
Source:	config extactor

Signature Hits	Behavior Group	Mitre Attack
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Found malware configuration	AV Detection

http://nsis.sf.net/NSIS_Error

unknown

http://nsis.sf.net/NSIS_ErrorError

unknown

http://www.ibsensoftware.com/

unknown

Domains

Name

Malicious

sempersim.su

95.213.216.202

Details

Name:	sempersim.su
IP:	95.213.216.202
TargetID:	3
Current Path:	C:\Users\user\AppData\Local\Temp\wcycejenv.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

95.213.216.202

sempersim.su

Russian Federation

Details

IP:	95.213.216.202
TargetID:	3
Current Path:	C:\Users\user\AppData\Local\Temp\wcycejenv.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	49505
ASN name:	SELECTELRU
Private:	false
Domain:	sempersim.su

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking

192.168.2.1

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

737000

heap

page read and write

400000

system

page execute and read and write

400000

system

page execute and read and write

610000

direct allocation

page read and write

2130000

heap

page read and write

1F543261000

heap

page read and write

9D000

stack

page read and write

28DF000

direct allocation

page read and write

27C0000

direct allocation

page read and write

2247000

direct allocation

page read and write

500000

trusted library allocation

page read and write

22EF7C6E000

heap

page read and write

29DBC750000

heap

page read and write

1D8A2CD0000

heap

page read and write

407000

unkown

page readonly

4FE000

stack

page read and write

786000

heap

page read and write

1F543313000

heap

page read and write

409000

unkown

page write copy

78F000

heap

page read and write

27C0000

direct allocation

page read and write

1D8A2D30000

heap

page read and write

1F543140000

heap

page read and write

233F000

stack

page read and write

786000

heap

page read and write

776000

heap

page read and write

773000

heap

page read and write

401000

unkown

page execute read

28DB000

direct allocation

page read and write

470000

trusted library allocation

page read and write

22EF7C3A000

heap

page read and write

22EF7C79000

heap

page read and write

29DBC900000

heap

page read and write

22EF7C6B000

heap

page read and write

1C0000

remote allocation

page read and write

67C9A7E000

stack

page read and write

786000

heap

page read and write

1F54323C000

heap

page read and write

783000

heap

page read and write

DCECDFE000

stack

page read and write

E45C0FA000

stack

page read and write

C3B737F000

stack

page read and write

1C0000

remote allocation

page read and write

2746000

direct allocation

page read and write

67C92FB000

stack

page read and write

783000

heap

page read and write

DCECCFE000

stack

page read and write

29DBD202000

trusted library allocation

page read and write

2746000

direct allocation

page read and write

67C9CFD000

stack

page read and write

C3B757B000

stack

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Payment_copy28476450.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPayment_copy28476450.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Payment_copy28476450.exe