Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.98989950872948
Filename:	file.exe
Filesize:	192000
MD5:	44c87d3bc316eefe4dcbf66afed72abc
SHA1:	96bde412ef761b4d53506ae4ed2999bc9dcaf137
SHA256:	731e22be2a6b39304919dc24b750a720b23a0f1ed996a9b74cf0b088de6144b1
SHA512:	2449da42cf169ef2a9e01ade64dd8c52ab6037ce9a726597d88f5eeaa726b06f77bc08612aaeccf9354cd23bee879b1724f222e24c8bab25fef7e75a8bf0e0c1
SSDEEP:	3072:hsKq2z/YFBDK+1L8pOov9vl5izTyHnbACodEdE53iiy2:tqG6LaO6QTak/dKEFii1
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.......................................4...................=...................Rich............................PE..L......`...

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))	Anti Debugging
Creates a thread in another existing process (thread injection)	HIPS / PFW / Operating System Protection Evasion
Checks if the current machine is a virtual machine (disk enumeration)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Detected potential crypto function	System Summary	Process Discovery
Contains functionality to call native functions	System Summary
PE file contains executable resources (Code or Archives)	System Summary
Contains functionality to read the PEB	Anti Debugging
Checks if the current process is being debugged	Anti Debugging
Queries a list of all running processes	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Queries a list of all running drivers	Malware Analysis System Evasion	System Information Discovery
PE file contains a debug data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\B87E.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\B87E.exe
Category:	dropped
Dump:	B87E.exe.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Windows\explorer.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.918015264621188
Encrypted:	false
Ssdeep:	24576:K/J3qfaq1RXzqGA+PF6ZbOQVIZc77oReV2U6JjgtA1/lGaee:K/Ja54TS6ZyQKk7cJjJJlGa
Size:	1041408
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found large amount of non-executed APIs	Malware Analysis System Evasion
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to import cryptographic keys (often used in ransomware)	Spam, unwanted Advertisements and Ransom Demands	Archive Collected Data Data Encrypted for Impact
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Information Discovery System Time Discovery
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\EBC4.exe

PE32 executable (GUI) Intel 80386, for MS Windows

modified

Details

File:	C:\Users\user\AppData\Local\Temp\EBC4.exe
Category:	modified
Dump:	EBC4.exe.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Windows\explorer.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.765713315963878
Encrypted:	false
Ssdeep:	6144:5q6OLJ51HLLQrTYeW0w8Y2hm/UchHJ10kiygcz0CkcScVwAjS0bgF8nlctP4:5qJX1H4rUelw4En0V80WSmjWF8nWt
Size:	520192
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Machine Learning detection for dropped file	AV Detection
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries disk information (often used to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Virtualization/Sandbox Evasion
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp
Category:	dropped
Dump:	Tdryuqayh.tmp.5.dr
ID:	dr_4
Target ID:	5
Process:	C:\Users\user\AppData\Local\Temp\B87E.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.878292814763175
Encrypted:	false
Ssdeep:	12288:8jrCotmFXRwupVoGK25MAaSOWfvjCqanOxku3lle2kKE:AzmFB3oG1aSbvGqanwRro
Size:	785408
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\gfgsrbs

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\gfgsrbs
Category:	dropped
Dump:	gfgsrbs.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Windows\explorer.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.98989950872948
Encrypted:	false
Ssdeep:	3072:hsKq2z/YFBDK+1L8pOov9vl5izTyHnbACodEdE53iiy2:tqG6LaO6QTak/dKEFii1
Size:	192000
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Checks if the current machine is a virtual machine (disk enumeration)	Malware Analysis System Evasion	Security Software Discovery
Creates a thread in another existing process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Machine Learning detection for dropped file	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\gfgsrbs:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\gfgsrbs:Zone.Identifier
Category:	dropped
Dump:	gfgsrbs_Zone.Identifier.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Windows\explorer.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Checks if the current machine is a virtual machine (disk enumeration)	Malware Analysis System Evasion	Security Software Discovery
Creates a thread in another existing process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Machine Learning detection for dropped file	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

Details

Is windows:	false
Is dropped:	false
PID:	5020
Target ID:	0
Parent PID:	3528
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	C:\Users\user\Desktop\file.exe
Size:	192000
MD5:	44C87D3BC316EEFE4DCBF66AFED72ABC
Time:	20:12:03
Date:	24/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	2408448
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Deletes itself after installation	Hooking and other Techniques for Hiding and Protection	File Deletion
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary

C:\Windows\explorer.exe

C:\Windows\Explorer.EXE

Details

Is windows:	true
Is dropped:	false
PID:	3528
Target ID:	1
Parent PID:	5020
Name:	explorer.exe
Class:	explorer
Path:	C:\Windows\explorer.exe
Commandline:	C:\Windows\Explorer.EXE
Size:	3933184
MD5:	AD5296B280E8F522A8A897C96BAB0E1D
Time:	20:12:11
Date:	24/11/2022
Reason:	existingprocessinject
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff618f60000
Modulesize:	3919872
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a thread in another existing process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection

C:\Users\user\AppData\Roaming\gfgsrbs

Details

Is windows:	false
Is dropped:	true
PID:	5000
Target ID:	4
Parent PID:	1088
Name:	gfgsrbs
Path:	C:\Users\user\AppData\Roaming\gfgsrbs
Commandline:	C:\Users\user\AppData\Roaming\gfgsrbs
Size:	192000
MD5:	44C87D3BC316EEFE4DCBF66AFED72ABC
Time:	20:13:01
Date:	24/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x400000
Modulesize:	2408448
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Benign windows process drops PE files	HIPS / PFW / Operating System Protection Evasion	Exploitation for Client Execution
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\B87E.exe

Details

Is windows:	false
Is dropped:	true
PID:	3316
Target ID:	5
Parent PID:	3528
Name:	B87E.exe
Path:	C:\Users\user\AppData\Local\Temp\B87E.exe
Commandline:	C:\Users\user\AppData\Local\Temp\B87E.exe
Size:	1041408
MD5:	1BD9FB4ADE498938E6432D6C5D1E23A5
Time:	20:13:12
Date:	24/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x400000
Modulesize:	3256320
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\EBC4.exe

Details

Is windows:	false
Is dropped:	true
PID:	4608
Target ID:	7
Parent PID:	3528
Name:	EBC4.exe
Path:	C:\Users\user\AppData\Local\Temp\EBC4.exe
Commandline:	C:\Users\user\AppData\Local\Temp\EBC4.exe
Size:	520192
MD5:	F06F222962C48BB7D822AC0FCD14CFD2
Time:	20:13:25
Date:	24/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x400000
Modulesize:	2736128
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Yara detected UAC Bypass using CMSTP	Exploits
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\EBC4.exe

"C:\Users\user\AppData\Local\Temp\EBC4.exe"

Details

Is windows:	false
Is dropped:	true
PID:	2760
Target ID:	12
Parent PID:	2708
Name:	EBC4.exe
Path:	C:\Users\user\AppData\Local\Temp\EBC4.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\EBC4.exe"
Size:	520192
MD5:	F06F222962C48BB7D822AC0FCD14CFD2
Time:	20:13:30
Date:	24/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	2736128
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Yara detected UAC Bypass using CMSTP	Exploits
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp",Worhdhqfpryr

Details

Is windows:	true
Is dropped:	false
PID:	2980
Target ID:	6
Parent PID:	3316
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	"C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp",Worhdhqfpryr
Size:	61952
MD5:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Time:	20:13:19
Date:	24/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x2a0000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://piratia.su/tmp/

Details

Name:	http://piratia.su/tmp/
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	config extactor

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Found malware configuration	AV Detection

http://cracker.biz/tmp/

Details

Name:	http://cracker.biz/tmp/
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	config extactor

Signature Hits	Behavior Group	Mitre Attack
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Found malware configuration	AV Detection

http://freeshmex.at/tmp/

190.140.74.43

http://123.253.32.170/root2.exe

123.253.32.170

Details

Name:	http://123.253.32.170/root2.exe
IP:	123.253.32.170
TargetID:	1
From Memory:	false
Current Path:	C:\Windows\explorer.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

https://thepokeway.nl/upload/index.php

5.135.247.111

http://piratia-life.ru/tmp/

Details

Name:	http://piratia-life.ru/tmp/
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	config extactor
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Found malware configuration	AV Detection

Domains

Name

Malicious

thepokeway.nl

5.135.247.111

Details

Name:	thepokeway.nl
IP:	5.135.247.111
TargetID:	1
Current Path:	C:\Windows\explorer.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Uses secure TLS version for HTTPS connections	Compliance, Networking

freeshmex.at

190.140.74.43

Details

Name:	freeshmex.at
IP:	190.140.74.43
TargetID:	1
Current Path:	C:\Windows\explorer.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

5.135.247.111

thepokeway.nl

France

123.253.32.170

unknown

Malaysia

190.140.74.43

freeshmex.at

Panama

178.31.176.42

unknown

Sweden

109.102.255.230

unknown

Romania

211.40.39.251

unknown

Korea Republic of

211.171.233.129

unknown

Korea Republic of

192.168.2.1

unknown

95.107.163.44

unknown

Albania

211.53.230.67

unknown

Korea Republic of

Memdumps

Base Address

Regiontype

Protect

Malicious

4631000

system

page execute read

7B0000

trusted library allocation

page read and write

413000

unkown

page execute and read and write

2270000

trusted library allocation

page read and write

2291000

unclassified section

page read and write

413000

unkown

page execute and read and write

22B1000

unclassified section

page read and write

7FF5DB9A8000

unkown

page readonly

4324000

unkown

page read and write

7FF5DBD9C000

unkown

page readonly

7FF5DBEF1000

unkown

page readonly

452C000

stack

page read and write

24D0000

heap

page read and write

AB69000

stack

page read and write

2800000

unkown

page readonly

7FF5DC11F000

unkown

page readonly

D12D000

unkown

page read and write

2927000

unkown

page read and write

64B0000

direct allocation

page read and write

46E000

unkown

page execute and read and write

7830000

unkown

page readonly

4BC0000

unkown

page readonly

25D0000

direct allocation

page execute and read and write

705E000

unkown

page readonly

4D5000

stack

page read and write

568B000

unkown

page read and write

441B000

stack

page read and write

2D00000

unkown

page readonly

7FF5DC119000

unkown

page readonly

83B9000

unkown

page read and write

7FF524EA4000

unkown

page readonly

E985000

unkown

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
file.exe