Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy:	7.875386203366202
Filename:	REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Filesize:	194987
MD5:	b9f70f4146b846179fa182ac868d0c15
SHA1:	97cb5de0e0cc2f53cd73552f9d5b4381ab5a5907
SHA256:	ff235029990af0449ce8f82c5546dfe37170d5e27ce1a22b0a43965a980344be
SHA512:	2cc45205394074ddf9a5481a81b89582d84d42a34023329e06cf589c455c2fef144905362b5d1001e26026480d490304b6ac96526ab32f5344b1706d98ceff48
SSDEEP:	3072:MRD+3q3NxPTNuY/bQZFler2MUPaSa1y8XKdV06k55ohchNqV3AzlbEnJZGqItyWJ:mwq3NpNSFleCMUPVaidHXMNqwlInJ0q8
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..OP.._...P...s...P...V...P..Rich.P..........PE..L...8.MX.................b...*......J4............@

Signature Hits	Behavior Group	Mitre Attack
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion	Native API Security Software Discovery
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary	Masquerading
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Abnormal high CPU Usage	System Summary	Access Token Manipulation
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Sample reads its own file content	System Summary	Access Token Manipulation
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to query windows version	Language, Device and Operating System Detection
Program exit points	Malware Analysis System Evasion	Windows Service
URLs found in memory or binary data	Networking
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Reads ini files	System Summary	File and Directory Discovery
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Creates a software uninstall entry	Compliance, System Summary	Windows Service

C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\AsOpenFile.exe

PE32+ executable (GUI) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\AsOpenFile.exe
Category:	dropped
Dump:	AsOpenFile.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	5.840976252158136
Encrypted:	false
Ssdeep:	768:tba0g4rhVUkxIIaPrd6cMCP1diTLmz1BeeKH2X98VwhH:HPUkxIIaPrsCPXK6z1Bee3+k
Size:	38632
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\Tusindtallig.Syn

data

dropped

Details

File:	C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\Tusindtallig.Syn
Category:	dropped
Dump:	Tusindtallig.Syn.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Type:	data
Entropy:	7.9930541941014255
Encrypted:	true
Ssdeep:	768:E49NB/CsjPddY0nfj1fIXSgH0uO7wt1WayrQ0bThetG:nlCsxfVIXHH2wOfKG
Size:	29309
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\prowl.Dgn

data

dropped

Details

File:	C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\prowl.Dgn
Category:	dropped
Dump:	prowl.Dgn.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Type:	data
Entropy:	7.124693631306355
Encrypted:	false
Ssdeep:	3072:COxlLD2mpgf8pOxNjQzNUflgAG63+OAyam6kxnv:COxlmcg5EzuNG6MyaJSv
Size:	141909
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\nsgC6C9.tmp\System.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

modified

Details

File:	C:\Users\user\AppData\Local\Temp\nsgC6C9.tmp\System.dll
Category:	modified
Dump:	System.dll.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	5.656065698421856
Encrypted:	false
Ssdeep:	192:eY24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol+Sl:E8QIl975eXqlWBrz7YLOl+
Size:	11776
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Details

Is windows:	false
Is dropped:	false
PID:	1372
Target ID:	0
Parent PID:	3528
Name:	REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Path:	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Commandline:	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Size:	194987
MD5:	B9F70F4146B846179FA182AC868D0C15
Time:	00:22:02
Date:	30/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	434176
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample reads its own file content	System Summary
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

URLs

Name

Malicious

http://nsis.sf.net/NSIS_ErrorError

unknown

Details

Name:	http://nsis.sf.net/NSIS_ErrorError
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Source:	REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Procentuelles232\Frafaldsprocents\Forarbejdendes\Inceration

Pythius

HKEY_CURRENT_USER\Software\Sammenlgningens\Tjurunga\Pakkeforsendelserne\Thiophthene

Etaper

HKEY_LOCAL_MACHINE\SOFTWARE\Compoundedness

Caballo

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bekvemmeligheder

Hovedbibliotekerne

Memdumps

Base Address

Regiontype

Protect

Malicious

30F0000

direct allocation

page execute and read and write

694000

heap

page read and write

1DAAB080000

trusted library allocation

page read and write

1DAAA15C000

heap

page read and write

580000

trusted library allocation

page read and write

435000

unkown

page read and write

690000

heap

page read and write

1DAAA167000

heap

page read and write

6AE000

heap

page read and write

3EFD000

stack

page read and write

1DAAB020000

trusted library allocation

page read and write

19A000

stack

page read and write

216E000

stack

page read and write

1DAAA240000

trusted library allocation

page read and write

1DAAA150000

heap

page read and write

1DAAA14E000

heap

page read and write

1DAAA100000

heap

page read and write

25DF000

stack

page read and write

1DAAB000000

trusted library allocation

page read and write

67B000

heap

page read and write

2184000

heap

page read and write

650000

heap

page read and write

1DAAA290000

trusted library allocation

page read and write

30721F9000

stack

page read and write

1DAAB010000

heap

page readonly

10001000

unkown

page execute read

2190000

heap

page read and write

1DAAA0D0000

heap

page read and write

10000000

unkown

page readonly

422000

unkown

page read and write

1DAAA260000

trusted library allocation

page read and write

467000

unkown

page read and write

40A000

unkown

page read and write

1DAAA289000

heap

page read and write

401000

unkown

page execute read

620000

heap

page read and write

2196000

heap

page read and write

2180000

heap

page read and write

1DAAA14E000

heap

page read and write

307227E000

stack

page read and write

657000

heap

page read and write

68B000

heap

page read and write

3020000

trusted library allocation

page read and write

3071DAC000

stack

page read and write

10003000

unkown

page readonly

400000

unkown

page readonly

42D000

unkown

page read and write

10005000

unkown

page readonly

3030000

trusted library allocation

page read and write

469000

unkown

page readonly

35C0000

trusted library allocation

page read and write

30000

heap

page read and write

1DAAADD0000

trusted library allocation

page read and write

2199000

heap

page read and write

1DAAA0B0000

heap

page read and write

99000

stack

page read and write

1DAAA14E000

heap

page read and write

30722F9000

stack

page read and write

212E000

stack

page read and write

408000

unkown

page readonly

590000

heap

page read and write

26DF000

stack

page read and write

469000

unkown

page readonly

1DAAA108000

heap

page read and write

3DFD000

stack

page read and write

600000

heap

page read and write

1DAA9F70000

heap

page read and write

40A000

unkown

page write copy

400000

unkown

page readonly

408000

unkown

page readonly

2712000

trusted library allocation

page read and write

307217D000

stack

page read and write

1DAA9F80000

trusted library allocation

page read and write

1DAAA285000

heap

page read and write

1DAAB030000

trusted library allocation

page read and write

427000

unkown

page read and write

1DAAA280000

heap

page read and write

3040000

trusted library allocation

page read and write

2714000

trusted library allocation

page read and write

1DAAA250000

trusted library allocation

page read and write

1DAAA146000

heap

page read and write

401000

unkown

page execute read

595000

heap

page read and write

There are 73 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportREQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Files

Processes

URLs

Registry

Memdumps

IOC Report
REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe