Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive

initial sample

C:\Program Files (x86)\PrintFolders\PrintFolders.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

modified

C:\Program Files (x86)\PrintFolders\Russian.dll (copy)

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Program Files (x86)\PrintFolders\is-2632S.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Program Files (x86)\PrintFolders\is-48N1K.tmp

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Program Files (x86)\PrintFolders\unins000.exe (copy)

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\is-385TG.tmp\_iscrypt.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\is-385TG.tmp\_isetup\_setup64.tmp

PE32+ executable (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\uywwtiNQ.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Program Files (x86)\PrintFolders\Guide.chm (copy)

MS Windows HtmlHelp Data

dropped

C:\Program Files (x86)\PrintFolders\History.txt (copy)

ASCII text, with CRLF line terminators

dropped

C:\Program Files (x86)\PrintFolders\License.txt (copy)

RAGE Package Format (RPF),

dropped

C:\Program Files (x86)\PrintFolders\is-0E5GB.tmp

RAGE Package Format (RPF),

dropped

C:\Program Files (x86)\PrintFolders\is-5F7BS.tmp

ASCII text, with CRLF line terminators

dropped

C:\Program Files (x86)\PrintFolders\is-60UNK.tmp

MS Windows HtmlHelp Data

dropped

C:\Program Files (x86)\PrintFolders\is-OK1CQ.tmp

data

dropped

C:\Program Files (x86)\PrintFolders\unins000.dat

InnoSetup Log PrintFolders {73D78C7A-78F2-476F-86FF-9025EA410908}, version 0x2a, 3813 bytes, 609290\user, "C:\Program Files (x86)\PrintFolders"

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\fuckingdllENCR[1].dll

data

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ping[1].htm

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\library[1].htm

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\count[1].htm

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\library[1].htm

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Temp\is-385TG.tmp\_isetup\_shfoldr.dll

PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

There are 14 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Program Files (x86)\PrintFolders\PrintFolders.exe

"C:\Program Files (x86)\PrintFolders\PrintFolders.exe"

Details

Is windows:	false
Is dropped:	true
PID:	4532
Target ID:	2
Parent PID:	6080
Name:	PrintFolders.exe
Class:	system-tools
Path:	C:\Program Files (x86)\PrintFolders\PrintFolders.exe
Commandline:	"C:\Program Files (x86)\PrintFolders\PrintFolders.exe"
Size:	1990648
MD5:	2ABBE052537A4C836AFE8DBAC888F131
Time:	20:04:02
Date:	24/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	16670720
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Yara detected Nymaim	E-Banking Fraud, Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Uses taskkill to terminate processes	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\uywwtiNQ.exe

Details

Is windows:	false
Is dropped:	true
PID:	6120
Target ID:	3
Parent PID:	4532
Name:	uywwtiNQ.exe
Path:	C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\uywwtiNQ.exe
Commandline:
Size:	73728
MD5:	3FB36CB0B7172E5298D2992D42984D06
Time:	20:04:06
Date:	24/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xbc0000
Modulesize:	90112
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\file.exe

Details

Is windows:	false
Is dropped:	false
PID:	6084
Target ID:	0
Parent PID:	3452
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	C:\Users\user\Desktop\file.exe
Size:	1488975
MD5:	2ED741014B8CDAFD91A740432A3CFFA1
Time:	20:03:59
Date:	24/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	77824
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp

"C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp" /SL4 $40228 "C:\Users\user\Desktop\file.exe" 1252960 51712

Details

Is windows:	false
Is dropped:	true
PID:	6080
Target ID:	1
Parent PID:	6084
Name:	is-QPTG8.tmp
Path:	C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp
Commandline:	"C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp" /SL4 $40228 "C:\Users\user\Desktop\file.exe" 1252960 51712
Size:	658944
MD5:	85B94E72C3F2D2B5464E2AAF3C9E242A
Time:	20:04:00
Date:	24/11/2022
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	847872
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit

Details

Is windows:	true
Is dropped:	false
PID:	1336
Target ID:	13
Parent PID:	4532
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit
Size:	232960
MD5:	F3BDBE3BB6F734E357235F4D5898582D
Time:	20:04:39
Date:	24/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xb0000
Modulesize:	364544
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1760
Target ID:	14
Parent PID:	1336
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	625664
MD5:	EA777DEEA782E8B4D7C7C33BBF8A4496
Time:	20:04:39
Date:	24/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff745070000
Modulesize:	651264
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "PrintFolders.exe" /f

Details

Is windows:	true
Is dropped:	false
PID:	3416
Target ID:	15
Parent PID:	1336
Name:	taskkill.exe
Path:	C:\Windows\SysWOW64\taskkill.exe
Commandline:	taskkill /im "PrintFolders.exe" /f
Size:	74752
MD5:	15E2E0ACD891510C6268CB8899F2A1A1
Time:	20:04:39
Date:	24/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xd80000
Modulesize:	86016
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses taskkill to terminate processes	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://171.22.30.106/library.phpXZ

unknown

http://107.182.129.235/storage/extension.php

107.182.129.235

http://107.182.129.235/storage/ping.php

107.182.129.235

http://171.22.30.106/library.phpBZ

unknown

http://171.22.30.106/library.php

171.22.30.106

http://pfolders.atopoint.com.

unknown

http://www.innosetup.com/

unknown

http://www.atopoint.com

unknown

http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte

45.139.105.171

http://www.remobjects.com/?ps

unknown

http://pfolders.atopoint.com

unknown

http://www.innosetup.com

unknown

http://107.182.129.235/storage/extension.phpum

unknown

http://www.atopoint.com.

unknown

http://www.innosetup.comDVarFileInfo$

unknown

http://www.remobjects.com/?psU

unknown

There are 6 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

45.139.105.1

unknown

Italy

Details

IP:	45.139.105.1
TargetID:	255
Country:	Italy
Countrycode:	ITA
ASN number:	33657
ASN name:	CMCSUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
IP address seen in connection with other malware	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found malware configuration	AV Detection

85.31.46.167

unknown

Germany

Details

IP:	85.31.46.167
TargetID:	255
Country:	Germany
Countrycode:	DEU
ASN number:	43659
ASN name:	CLOUDCOMPUTINGDE
Private:	false

Signature Hits	Behavior Group	Mitre Attack
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Found malware configuration	AV Detection

107.182.129.235

unknown

Reserved

Details

IP:	107.182.129.235
TargetID:	2
Current Path:	C:\Program Files (x86)\PrintFolders\PrintFolders.exe
Country:	Reserved
Countrycode:	ZZZ
ASN number:	11070
ASN name:	META-ASUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found malware configuration	AV Detection
URLs found in memory or binary data	Networking

171.22.30.106

unknown

Germany

Details

IP:	171.22.30.106
TargetID:	2
Current Path:	C:\Program Files (x86)\PrintFolders\PrintFolders.exe
Country:	Germany
Countrycode:	DEU
ASN number:	33657
ASN name:	CMCSUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found malware configuration	AV Detection
URLs found in memory or binary data	Networking

45.139.105.171

unknown

Italy

Details

IP:	45.139.105.171
TargetID:	2
Current Path:	C:\Program Files (x86)\PrintFolders\PrintFolders.exe
Country:	Italy
Countrycode:	ITA
ASN number:	33657
ASN name:	CMCSUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Atopoint Software\PrintFolders

Language

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{73D78C7A-78F2-476F-86FF-9025EA410908}}_is1

Inno Setup: Setup Version

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{73D78C7A-78F2-476F-86FF-9025EA410908}}_is1

Inno Setup: App Path

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{73D78C7A-78F2-476F-86FF-9025EA410908}}_is1

InstallLocation

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{73D78C7A-78F2-476F-86FF-9025EA410908}}_is1

Inno Setup: Icon Group

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

IPs

Registry

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

IPs

Registry

IOC Report
file.exe