Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Lakeringernes (1).exe

PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy:	7.911285564125606
Filename:	Lakeringernes (1).exe
Filesize:	271824
MD5:	d70de507cc0d22e43ebcf8b61a273ea5
SHA1:	9818fba05573d67b834c90a3208faddea3446545
SHA256:	4dbcd711f2263775f0a1083e0541a07247736ba2fdaabf000654756f8c3dae67
SHA512:	7931df17ea6f9e0fb53b8158fd6f6fbdfcee2cd1aea8252815e0575e0ae993935e60ba6007635d380cb88ea80bbf6b3fb70e2846fc24a04499e84746eb9ee1a0
SSDEEP:	6144:9C2z47aQORdv5crEH4N6KOIH6e1OLNp0Wl0gSMr+ZMYPPBDqN:V47AvKEH4LOI1QlMMcMmM
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L....c.W.................^.........

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion	Native API Security Software Discovery System Information Discovery
Uses 32bit PE files	Compliance, System Summary
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Creates files inside the system directory	System Summary	Masquerading
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
PE / OLE file has an invalid certificate	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Abnormal high CPU Usage	System Summary	Access Token Manipulation
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Sample is known by Antivirus	System Summary	Windows Service Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to query windows version	Language, Device and Operating System Detection
Program exit points	Malware Analysis System Evasion	Windows Service
URLs found in memory or binary data	Networking
Creates temporary files	System Summary
Writes ini files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Reads ini files	System Summary	File and Directory Discovery
Contains functionality to check free disk space	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Creates a software uninstall entry	Compliance, System Summary	Windows Service

C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Graviton\Kvle\Materialiseringerne\Antenneanlgget\Custom3.ini

Generic INItialization configuration [Effect2]

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Graviton\Kvle\Materialiseringerne\Antenneanlgget\Custom3.ini
Category:	dropped
Dump:	Custom3.ini.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Lakeringernes (1).exe
Type:	Generic INItialization configuration [Effect2]
Entropy:	4.3524133300305206
Encrypted:	false
Ssdeep:	96:hJDu0BoU1s8G9LfGOOOOOOjOOOOOOEOOOOOOBOOOOOONsOOOOOO/OOOOOOAOOOOW:mCs8GVfGOOOOOOjOOOOOOEOOOOOOBOO4
Size:	5487
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Writes ini files	System Summary	File and Directory Discovery

C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Graviton\Kvle\Materialiseringerne\Antenneanlgget\Invirility.Hus

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Graviton\Kvle\Materialiseringerne\Antenneanlgget\Invirility.Hus
Category:	dropped
Dump:	Invirility.Hus.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\Lakeringernes (1).exe
Type:	data
Entropy:	7.997895223683267
Encrypted:	true
Ssdeep:	3072:A9H6LIx1K3dZjbPe8NDqL+++gZWYS0gSMr+ZuFYPPBDz:+H6e1OLNp0Wl0gSMr+ZMYPPBDz
Size:	110043
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\histopathologist.Clo

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\histopathologist.Clo
Category:	dropped
Dump:	histopathologist.Clo.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Lakeringernes (1).exe
Type:	data
Entropy:	6.675652521201867
Encrypted:	false
Ssdeep:	3072:H6TfK+T+1UeMXjFAPxIcDKYwgBN0lpwLO/KC:Oq1UeMXjFmCcDn9BNEERC
Size:	182295
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\Dybfrossen.ini

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Dybfrossen.ini
Category:	dropped
Dump:	Dybfrossen.ini.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\Lakeringernes (1).exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.131687083026442
Encrypted:	false
Ssdeep:	3:pDQo7JKU2QYEJry:FQov1YEw
Size:	40
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\nst187.tmp\System.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nst187.tmp\System.dll
Category:	dropped
Dump:	System.dll.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\Lakeringernes (1).exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	5.770803561213006
Encrypted:	false
Ssdeep:	192:vPtkumJX7zB22kGwfy0mtVgkCPOsE1un:k702k5qpdsEQn
Size:	11264
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Lakeringernes (1).exe

Details

Is windows:	false
Is dropped:	false
PID:	3052
Target ID:	0
Parent PID:	3528
Name:	Lakeringernes (1).exe
Path:	C:\Users\user\Desktop\Lakeringernes (1).exe
Commandline:	C:\Users\user\Desktop\Lakeringernes (1).exe
Size:	271824
MD5:	D70DE507CC0D22E43EBCF8B61A273EA5
Time:	10:09:49
Date:	28/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	249856
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE / OLE file has an invalid certificate	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

URLs

Name

Malicious

http://crl.certum.pl/ctnca2.crl0l

unknown

http://repository.certum.pl/ctnca2.cer09

unknown

http://crl.certum.pl/ctsca2021.crl0o

unknown

http://nsis.sf.net/NSIS_Error

unknown

http://repository.certum.pl/ctnca.cer09

unknown

http://nsis.sf.net/NSIS_ErrorError

unknown

http://repository.certum.pl/ctsca2021.cer0

unknown

http://crl.certum.pl/ctnca.crl0k

unknown

http://subca.ocsp-certum.com05

unknown

http://www.certum.pl/CPS0

unknown

http://subca.ocsp-certum.com02

unknown

http://subca.ocsp-certum.com01

unknown

There are 2 hidden URLs, click here to show them.

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Strikketjet

Trafikable

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Produktionsmodel\Mandilion

tilsynskapitlernes

Memdumps

Base Address

Regiontype

Protect

Malicious

3260000

direct allocation

page execute and read and write

64B000

heap

page read and write

401000

unkown

page execute read

1B52E1C0000

trusted library allocation

page read and write

10005000

unkown

page readonly

20C0000

heap

page read and write

3130000

trusted library allocation

page read and write

2214000

heap

page read and write

2764000

trusted library allocation

page read and write

2764000

trusted library allocation

page read and write

1B52E1F0000

trusted library allocation

page read and write

409000

unkown

page write copy

1B52E140000

heap

page read and write

1B52E120000

heap

page read and write

21F0000

trusted library allocation

page read and write

407000

unkown

page readonly

409000

unkown

page read and write

43B000

unkown

page readonly

210E000

stack

page read and write

550000

trusted library allocation

page read and write

1B52E1D0000

trusted library allocation

page read and write

1B52E24D000

heap

page read and write

9946DF9000

stack

page read and write

219E000

stack

page read and write

30000

heap

page read and write

1B52E246000

heap

page read and write

1B52E208000

heap

page read and write

2210000

heap

page read and write

1B52DFF0000

trusted library allocation

page read and write

1B52E247000

heap

page read and write

1B52F090000

trusted library allocation

page read and write

10003000

unkown

page readonly

1B52DFE0000

heap

page read and write

400000

unkown

page readonly

10001000

unkown

page execute read

1B52E1B0000

trusted library allocation

page read and write

401000

unkown

page execute read

1B52E266000

heap

page read and write

590000

heap

page read and write

19A000

stack

page read and write

97000

stack

page read and write

43A000

unkown

page read and write

43B000

unkown

page readonly

638000

heap

page read and write

1B52F0F0000

trusted library allocation

page read and write

1B52E4C9000

heap

page read and write

407000

unkown

page readonly

429000

unkown

page read and write

600000

heap

page read and write

1B52E200000

heap

page read and write

1B52E24E000

heap

page read and write

9946EFE000

stack

page read and write

9946E79000

stack

page read and write

1B52E4C0000

heap

page read and write

1B52E4C5000

heap

page read and write

2764000

trusted library allocation

page read and write

275F000

stack

page read and write

2200000

trusted library allocation

page read and write

421000

unkown

page read and write

436000

unkown

page read and write

1B52E210000

heap

page read and write

1B52F0A0000

trusted library allocation

page read and write

2150000

heap

page read and write

1B52E4D0000

trusted library allocation

page read and write

1B52E4B0000

heap

page readonly

9946FF9000

stack

page read and write

641000

heap

page read and write

1B52E26B000

heap

page read and write

10000000

unkown

page readonly

20C6000

heap

page read and write

1B52EE80000

trusted library allocation

page read and write

265F000

stack

page read and write

9946C7B000

stack

page read and write

400000

unkown

page readonly

425000

unkown

page read and write

607000

heap

page read and write

9946F7A000

stack

page read and write

1B52E24D000

heap

page read and write

2762000

trusted library allocation

page read and write

There are 69 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Lakeringernes (1).exe

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportLakeringernes (1).exe

Files

Processes

URLs

Registry

Memdumps

IOC Report
Lakeringernes (1).exe