Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

q3oUuJIXkc.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.8779499305543865
Filename:	q3oUuJIXkc.exe
Filesize:	7732440
MD5:	2239a58cc93fd94dc2806ce7f6af0a0b
SHA1:	f09eb7d69bc7440d3d45e14267236a78ac789fcb
SHA256:	682abd62b6e3c0e8ca57f079cd96f2d3848752eaf7002bdf57bfb512bd242811
SHA512:	f77c16626a0e17ff79b95f9fded6a365f913896c89baf76d16bcc8706f3ad10a9476c7cbd3f235250b936171c6e958e145c402952506dc0e434a4f911c99fe02
SSDEEP:	196608:U+rNR2F7EU+iE09OKsRk3PdM+i+8lHFL9AYS:/RWEU+1OP6+X+oYS
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........XH..6...6...6...5...6...3.a.6...2...6.(.2...6.(.5...6.(.3...6...7...6...7.\.6.f.?...6.f.....6.f.4...6.Rich..6.........PE..L..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Hides threads from debuggers	Anti Debugging	Security Software Discovery
Overwrites code with unconditional jumps - possibly settings hooks in foreign process	Hooking and other Techniques for Hiding and Protection	Credential API Hooking
Tries to evade analysis by execution special instruction (VM detection)	Malware Analysis System Evasion
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion	System Information Discovery
PE file contains section with special chars	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
PE file contains sections with non-standard names	Data Obfuscation
Creates a DirectInput object (often for capturing keystrokes)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sample file is different than original file name gathered from version info	System Summary
Drops PE files	Persistence and Installation Behavior
Checks if the current process is being debugged	Anti Debugging
PE / OLE file has an invalid certificate	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Reads software policies	System Summary
Uses an in-process (OLE) Automation server	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Reads ini files	System Summary	File and Directory Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll
Category:	dropped
Dump:	cred64[1].dll.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	7.9708080300718365
Encrypted:	false
Ssdeep:	196608:ZQoqS56OZEssxxpKIIue41Cf7sgZz6kmAZQ/9RWB0:dMOevKiB1CfQgplmz/9a0
Size:	7705824
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
Category:	dropped
Dump:	gntuud.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\q3oUuJIXkc.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.8779499305543865
Encrypted:	false
Ssdeep:	196608:U+rNR2F7EU+iE09OKsRk3PdM+i+8lHFL9AYS:/RWEU+1OP6+X+oYS
Size:	7732440
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates an undocumented autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Hides threads from debuggers	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Overwrites code with unconditional jumps - possibly settings hooks in foreign process	Hooking and other Techniques for Hiding and Protection	Credential API Hooking
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Abnormal high CPU Usage	System Summary
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe:Zone.Identifier

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe:Zone.Identifier
Category:	modified
Dump:	gntuud.exe_Zone.Identifier.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\q3oUuJIXkc.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates an undocumented autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Hides threads from debuggers	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Overwrites code with unconditional jumps - possibly settings hooks in foreign process	Hooking and other Techniques for Hiding and Protection	Credential API Hooking
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Abnormal high CPU Usage	System Summary
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll
Category:	dropped
Dump:	cred64.dll.1.dr
ID:	dr_4
Target ID:	1
Process:	C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	7.9708080300718365
Encrypted:	false
Ssdeep:	196608:ZQoqS56OZEssxxpKIIue41Cf7sgZz6kmAZQ/9RWB0:dMOevKiB1CfQgplmz/9a0
Size:	7705824
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\853321935212

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\853321935212
Category:	dropped
Dump:	853321935212.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Entropy:	7.930938749687084
Encrypted:	false
Ssdeep:	1536:C+HaFexHpq4LV97q5wQq23vv5C4bndDT4vSxJu0VdNjEfYcnF4MXRWNt9bsdjogU:xt/q4xlnQqF0VrX5XrMXWAksu6rGu01
Size:	106755
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery

\Device\ConDrv

ASCII text, with no line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.11.dr
ID:	dr_8
Target ID:	11
Process:	C:\Windows\SysWOW64\cacls.exe
Type:	ASCII text, with no line terminators
Entropy:	3.240223928941852
Encrypted:	false
Ssdeep:	3:o3F:o1
Size:	15
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\q3oUuJIXkc.exe

C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe

"C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F

C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "gntuud.exe" /P "user:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "gntuud.exe" /P "user:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\03bd543fce" /P "user:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\03bd543fce" /P "user:R" /E

There are 4 hidden processes, click here to show them.

URLs

Name

Malicious

85.209.135.109/jg94cVd30f/index.php

http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t

unknown

http://85.209.135.109/jg94cVd30f/index.phpj

unknown

https://sectigo.com/CPS0

unknown

http://85.209.135.109/jg94cVd30f/index.php

unknown

http://ocsp.sectigo.com0

unknown

http://85.209.135.109/jg94cVd30f/index.phpF

unknown

http://85.209.135.109/jg94cVd30f/index.php?scr=1

unknown

http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#

unknown

http://85.209.135.109/jg94cVd30f/index.phpb

unknown

http://85.209.135.109/jg94cVd30f/index.php58e5d3

unknown

http://85.209.135.109/jg94cVd30f/index.phpd3

unknown

http://85.209.135.109/jg94cVd30f/index.phpz

unknown

http://85.209.135.109/jg94cVd30f/index.phpv

unknown

http://85.209.135.109/jg94cVd30f/index.phpR

unknown

http://85.209.135.109/jg94cVd30f/index.php0

unknown

There are 6 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

85.209.135.109

unknown

Germany

Details

IP:	85.209.135.109
TargetID:	1
Current Path:	C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
Country:	Germany
Countrycode:	DEU
ASN number:	33657
ASN name:	CMCSUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Found malware configuration	AV Detection
URLs found in memory or binary data	Networking

192.168.2.4

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Startup

Memdumps

Base Address

Regiontype

Protect

Malicious

71000

unkown

page execute read

1281000

unkown

page execute read

EAD000

heap

page read and write

34D0000

trusted library allocation

page read and write

CD4000

heap

page read and write

857000

heap

page read and write

11C4000

heap

page read and write

11C4000

heap

page read and write

11C4000

heap

page read and write

33A1000

heap

page read and write

C01000

heap

page read and write

C01000

heap

page read and write

C01000

heap

page read and write

CB7000

heap

page read and write

11C4000

heap

page read and write

52E5000

trusted library allocation

page read and write

C01000

heap

page read and write

11C4000

heap

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
q3oUuJIXkc.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportq3oUuJIXkc.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
q3oUuJIXkc.exe