Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.91435980932861
Filename:	file.exe
Filesize:	192512
MD5:	4ae4a84eba3264c433e0c1b92594c61b
SHA1:	bc8ee7fb36f3e3c03638bc5b6bf0bc9dd7cc034b
SHA256:	bb531c53e5dc8fcc1fe71ef481253b9d3fa86446e7205e750dc3d6ee5c2a5636
SHA512:	e9e1878de9d124bd52eae169a398c2db91b12b5b832d5ed03b659eda9b0b105892339ed47a8890ea5363f03d35ef8e0c59d19a36d98f321601c70fc05c144be9
SSDEEP:	3072:WsKq2R3GPBzO0uLLO1PtKl5JOLAtsDXi2D4VSZAwbUOrsIUwUT7:0qmLLObVAtsDXi2lrbUOrwNP
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.......................................4...................=...................Rich............................PE..L......a...

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))	Anti Debugging
Creates a thread in another existing process (thread injection)	HIPS / PFW / Operating System Protection Evasion
Checks if the current machine is a virtual machine (disk enumeration)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data Encrypted Channel
Contains functionality to call native functions	System Summary
PE file contains executable resources (Code or Archives)	System Summary
Contains functionality to read the PEB	Anti Debugging
Checks if the current process is being debugged	Anti Debugging
Queries a list of all running processes	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Queries a list of all running drivers	Malware Analysis System Evasion	System Information Discovery
PE file contains a debug data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary

C:\Users\user\AppData\Roaming\vvtsewb

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\vvtsewb
Category:	dropped
Dump:	vvtsewb.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Windows\explorer.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.91435980932861
Encrypted:	false
Ssdeep:	3072:WsKq2R3GPBzO0uLLO1PtKl5JOLAtsDXi2D4VSZAwbUOrsIUwUT7:0qmLLObVAtsDXi2lrbUOrwNP
Size:	192512
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Checks if the current machine is a virtual machine (disk enumeration)	Malware Analysis System Evasion	Security Software Discovery
Creates a thread in another existing process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Machine Learning detection for dropped file	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Contains functionality to enum processes or threads	System Summary	Process Discovery
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\vvtsewb:Zone.Identifier

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Roaming\vvtsewb:Zone.Identifier
Category:	modified
Dump:	vvtsewb_Zone.Identifier.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Windows\explorer.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Checks if the current machine is a virtual machine (disk enumeration)	Malware Analysis System Evasion	Security Software Discovery
Creates a thread in another existing process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Machine Learning detection for dropped file	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Contains functionality to enum processes or threads	System Summary	Process Discovery

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

Details

Is windows:	false
Is dropped:	false
PID:	5996
Target ID:	0
Parent PID:	3324
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	C:\Users\user\Desktop\file.exe
Size:	192512
MD5:	4AE4A84EBA3264C433E0C1B92594C61B
Time:	20:12:55
Date:	24/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	2408448
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected SmokeLoader	Key, Mouse, Clipboard, Microphone and Screen Capturing, Stealing of Sensitive Information, Remote Access Functionality
Deletes itself after installation	Hooking and other Techniques for Hiding and Protection	File Deletion
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary

C:\Windows\explorer.exe

C:\Windows\Explorer.EXE

Details

Is windows:	true
Is dropped:	false
PID:	3324
Target ID:	1
Parent PID:	5996
Name:	explorer.exe
Class:	explorer
Path:	C:\Windows\explorer.exe
Commandline:	C:\Windows\Explorer.EXE
Size:	3933184
MD5:	AD5296B280E8F522A8A897C96BAB0E1D
Time:	20:13:02
Date:	24/11/2022
Reason:	existingprocessinject
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff69bc80000
Modulesize:	3919872
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a thread in another existing process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection

C:\Users\user\AppData\Roaming\vvtsewb

Details

Is windows:	false
Is dropped:	true
PID:	5936
Target ID:	2
Parent PID:	1084
Name:	vvtsewb
Path:	C:\Users\user\AppData\Roaming\vvtsewb
Commandline:	C:\Users\user\AppData\Roaming\vvtsewb
Size:	192512
MD5:	4AE4A84EBA3264C433E0C1B92594C61B
Time:	20:13:46
Date:	24/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x400000
Modulesize:	2408448
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Benign windows process drops PE files	HIPS / PFW / Operating System Protection Evasion	Exploitation for Client Execution
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected SmokeLoader	Key, Mouse, Clipboard, Microphone and Screen Capturing, Stealing of Sensitive Information, Remote Access Functionality
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

http://host-file-host6.com/

84.21.172.159

Details

Name:	http://host-file-host6.com/
IP:	84.21.172.159
TargetID:	1
From Memory:	false
Current Path:	C:\Windows\explorer.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
IP address seen in connection with other malware	Networking
Found malware configuration	AV Detection

http://host-host-file8.com/

Details

Name:	http://host-host-file8.com/
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	config extactor

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Found malware configuration	AV Detection

http://www.autoitscript.com/autoit3/J

unknown

Details

Name:	http://www.autoitscript.com/autoit3/J
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\explorer.exe
Source:	explorer.exe, 00000001.00000000.333055694.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.303883320.000000000091F000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

host-file-host6.com

84.21.172.159

Details

Name:	host-file-host6.com
IP:	84.21.172.159
TargetID:	1
Current Path:	C:\Windows\explorer.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol

host-host-file8.com

unknown

Details

Name:	host-host-file8.com
TargetID:	1
Current Path:	C:\Windows\explorer.exe

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Found malware configuration	AV Detection

IPs

Domain

Country

Malicious

84.21.172.159

host-file-host6.com

Germany

Memdumps

Base Address

Regiontype

Protect

Malicious

7E1000

unclassified section

page read and write

22A1000

unclassified section

page read and write

7C0000

trusted library allocation

page read and write

800000

direct allocation

page read and write

2901000

system

page execute read

7C0000

direct allocation

page read and write

800000

trusted library allocation

page read and write

7FFA131B5000

unkown

page read and write

7FF585E3E000

unkown

page readonly

7FF585AB9000

unkown

page readonly

4350000

unkown

page read and write

ED22000

unkown

page read and write

4320000

unkown

page read and write

85D8000

unkown

page read and write

7FF585D05000

unkown

page readonly

7FF577B76000

unkown

page readonly

2950000

unkown

page read and write

85C4000

unkown

page read and write

EDBD000

unkown

page read and write

7FF58596F000

unkown

page readonly

6624000

unkown

page read and write

B008000

stack

page read and write

B008000

stack

page read and write

B80B000

stack

page read and write

7FF585940000

unkown

page readonly

85E1000

unkown

page read and write

4BC0000

unkown

page read and write

103B2000

unkown

page read and write

6A90000

unkown

page readonly

726E000

unkown

page readonly

F131000

unkown

page read and write

7FF585D01000

unkown

page readonly

7FF585DEA000

unkown

page readonly

7FF585937000

unkown

page readonly

87C8000

unkown

page read and write

26D0000

unkown

page read and write

F045000

unkown

page read and write

7FF5856C7000

unkown

page readonly

2660000

unkown

page readonly

7FF585ED3000

unkown

page readonly

103A1000

unkown

page read and write

770E000

stack

page read and write

DD7F000

unkown

page read and write

22E3000

heap

page read and write

7FF585D5F000

unkown

page readonly

6210000

unkown

page readonly

2A8B000

unkown

page read and write

5810000

unkown

page read and write

647000

unkown

page read and write

CCB2000

unkown

page read and write

2960000

unkown

page read and write

7FF585D7C000

unkown

page readonly

7FF585773000

unkown

page readonly

2950000

unkown

page read and write

C8B2000

unkown

page read and write

7FF585A91000

unkown

page readonly

7FF5859A5000

unkown

page readonly

7FFA13109000

unkown

page readonly

72B9000

unkown

page readonly

7FF585DD9000

unkown

page readonly

7FF585853000

unkown

page readonly

85D0000

unkown

page read and write

2A40000

unkown

page read and write

7FF585CF6000

unkown

page readonly

470A000

stack

page read and write

419000

unkown

page execute read

4C66000

unkown

page read and write

B18A000

stack

page read and write

29EE000

unkown

page read and write

56E0000

unkown

page readonly

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
file.exe