Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy:	7.836361315282437
Filename:	DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
Filesize:	348136
MD5:	91c0c4710db096a4689d40e2ceb3814d
SHA1:	63880c602b960c5f91e55cbe4d5d18c7b8f1d63a
SHA256:	a4d4961d124ea4276512c1584f1ebd30951cd469659b3a623594d6361772fae7
SHA512:	b5fc41a609efb2946ddce21f383b5ae8e70d93b0fd0dec8e48b27f7660569ccdbafe806bf56fc0cd7c4e43826b79f065d57cd66da3c27e865cdced3ca865eb2a
SSDEEP:	6144:twq3NpWyFr7S0HFwnNHF6pmK2DIuua9ma+T4cX+tTMZP3qtTaPwkYn5inpT4:tzayFfDwNg4RE864c4MZ/c2UinS
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..OP.._...P...s...P...V...P..Rich.P..........PE..L...8.MX.................b...*......J4............@

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Uses 32bit PE files	Compliance, System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Creates files inside the system directory	System Summary
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Abnormal high CPU Usage	System Summary	Access Token Manipulation
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to query windows version	Language, Device and Operating System Detection
Program exit points	Malware Analysis System Evasion
URLs found in memory or binary data	Networking
Creates files inside the user directory	System Summary	Masquerading
Enumerates the file system	Spreading, Malware Analysis System Evasion
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Reads ini files	System Summary	File and Directory Discovery
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\AppData\Local\Deskriptiv155\Hjertere\Hynde.Una

ASCII text, with very long lines (34794), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Deskriptiv155\Hjertere\Hynde.Una
Category:	dropped
Dump:	Hynde.Una.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
Type:	ASCII text, with very long lines (34794), with no line terminators
Entropy:	3.9997795398371228
Encrypted:	false
Ssdeep:	768:ccaHQHD7RgNO/PDcbf/CBrmE4Hi1r1scfUos2cX7nhL/djYY2v:iQHDyO4mrei7sqc7BdsYG
Size:	34794
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Deskriptiv155\Hjertere\Rouleredes.coe

data

dropped

Details

File:	C:\Users\user\AppData\Local\Deskriptiv155\Hjertere\Rouleredes.coe
Category:	dropped
Dump:	Rouleredes.coe.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
Type:	data
Entropy:	7.720384553629306
Encrypted:	false
Ssdeep:	3072:c5Nv/wHlbfgXh62+XKffH2i5A3Mz3xDD1TiBonOxOo0TUhBj4g2RgYyv:c5NvAbfgsrX6qMFdTiBQhooSBj4g2d4
Size:	223928
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Deskriptiv155\Hjertere\checkbox_checked.png

PNG image data, 32 x 32, 2-bit colormap, non-interlaced

dropped

Details

File:	C:\Users\user\AppData\Local\Deskriptiv155\Hjertere\checkbox_checked.png
Category:	dropped
Dump:	checkbox_checked.png.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
Type:	PNG image data, 32 x 32, 2-bit colormap, non-interlaced
Entropy:	5.579261213353732
Encrypted:	false
Ssdeep:	3:yionv//thPl3MrpxyPuReVl/nRwPd/ggZcFmz3iVVyjXrC5RlH1p:6v/lhP6TwOeVV6Pd/MmgEK5RlVp
Size:	147
Whitelisted:	true
Reputation:	low

C:\Users\user\AppData\Local\Deskriptiv155\Hjertere\multimedia-volume-control-symbolic.svg

SVG Scalable Vector Graphics image

dropped

Details

File:	C:\Users\user\AppData\Local\Deskriptiv155\Hjertere\multimedia-volume-control-symbolic.svg
Category:	dropped
Dump:	multimedia-volume-control-symbolic.svg.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
Type:	SVG Scalable Vector Graphics image
Entropy:	5.228667299529662
Encrypted:	false
Ssdeep:	12:t4Cp9xXnlWjoprGDWXYmfM26oprGhyGuC1hz4AeWrGdKdK:t4CpPlWsrGDoY32/rGYG/4AeWrGMQ
Size:	651
Whitelisted:	true
Reputation:	low

C:\Users\user\AppData\Local\Deskriptiv155\Hjertere\phone-symbolic.svg

SVG Scalable Vector Graphics image

dropped

Details

File:	C:\Users\user\AppData\Local\Deskriptiv155\Hjertere\phone-symbolic.svg
Category:	dropped
Dump:	phone-symbolic.svg.0.dr
ID:	dr_6
Target ID:	0
Process:	C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
Type:	SVG Scalable Vector Graphics image
Entropy:	4.45278069770929
Encrypted:	false
Ssdeep:	12:TMHdPnnl/nu3tln5CfYUtLLgpvAjmAKWlzmOA/e7/lsEbWlM:2dPnnxu3tlQfjngEmAKvOA/U/lsEbN
Size:	629
Whitelisted:	true
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\nshED40.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nshED40.tmp
Category:	dropped
Dump:	nshED40.tmp.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
Type:	data
Entropy:	7.470506584929792
Encrypted:	false
Ssdeep:	6144:X5NvAbfgsrX6qMFdTiBQhooSBj4g2dgQ20cP7m:JjvTiapwjGdf20cP7m
Size:	296163
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\nshED41.tmp\System.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nshED41.tmp\System.dll
Category:	dropped
Dump:	System.dll.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	5.656065698421856
Encrypted:	false
Ssdeep:	192:eY24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol+Sl:E8QIl975eXqlWBrz7YLOl+
Size:	11776
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Details

Is windows:	false
Is dropped:	false
PID:	5032
Target ID:	0
Parent PID:	3528
Name:	DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
Path:	C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
Commandline:	C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
Size:	348136
MD5:	91C0C4710DB096A4689D40E2CEB3814D
Time:	03:44:57
Date:	04/02/2023
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	532480
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

URLs

Name

Malicious

http://nsis.sf.net/NSIS_ErrorError

unknown

Details

Name:	http://nsis.sf.net/NSIS_ErrorError
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
Source:	DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sansebeskrivelsers\Vandsamling197\Hybridnettets\Energimaengde52

Orientalises

HKEY_CURRENT_USER\Software\carboxylsyren\Fluer172\Amortisationerne

Sociometr

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\weighers

Lunefuldest

Memdumps

Base Address

Regiontype

Protect

Malicious

4C86000

direct allocation

page execute and read and write

674000

heap

page read and write

2216000

heap

page read and write

1FD029D0000

trusted library allocation

page read and write

7486000

direct allocation

page execute and read and write

1FD03A70000

trusted library allocation

page read and write

656000

heap

page read and write

1FD02C59000

heap

page read and write

5B0000

heap

page read and write

1FD02B20000

heap

page read and write

643000

heap

page read and write

9286000

direct allocation

page execute and read and write

1FD02C5E000

heap

page read and write

63A000

heap

page read and write

63F000

heap

page read and write

1FD02D10000

trusted library allocation

page read and write

99000

stack

page read and write

265F000

stack

page read and write

E01E779000

stack

page read and write

1FD03AD0000

trusted library allocation

page read and write

400000

unkown

page readonly

9C86000

direct allocation

page execute and read and write

1FD02BE5000

heap

page read and write

2760000

heap

page read and write

1FD02C57000

heap

page read and write

468000

unkown

page readonly

10001000

unkown

page execute read

400000

unkown

page readonly

40A000

unkown

page write copy

5686000

direct allocation

page execute and read and write

3140000

heap

page read and write

408000

unkown

page readonly

2110000

heap

page read and write

401000

unkown

page execute read

468000

unkown

page readonly

E01E5F9000

stack

page read and write

1FD02C80000

heap

page read and write

E01E67A000

stack

page read and write

10000000

unkown

page readonly

3250000

heap

page read and write

371D000

stack

page read and write

30000

heap

page read and write

401000

unkown

page execute read

6A86000

direct allocation

page execute and read and write

4B20000

direct allocation

page execute and read and write

10005000

unkown

page readonly

408000

unkown

page readonly

20E0000

heap

page read and write

1FD02C60000

heap

page read and write

220E000

stack

page read and write

665000

heap

page read and write

464000

unkown

page read and write

1FD02BD0000

trusted library allocation

page read and write

67B000

heap

page read and write

427000

unkown

page read and write

381B000

stack

page read and write

607000

heap

page read and write

275F000

stack

page read and write

435000

unkown

page read and write

1FD029C0000

heap

page read and write

1FD02BE0000

heap

page read and write

286B000

heap

page read and write

1FD02C61000

heap

page read and write

E01E7FF000

stack

page read and write

1FD02B00000

heap

page read and write

1FD03850000

trusted library allocation

page read and write

422000

unkown

page read and write

3150000

heap

page read and write

1FD03A80000

trusted library allocation

page read and write

1FD02C18000

heap

page read and write

4D0000

heap

page read and write

E01E47C000

stack

page read and write

1FD02BE9000

heap

page read and write

3198000

heap

page read and write

1FD02C5F000

heap

page read and write

1FD03A60000

heap

page readonly

1FD02BB0000

trusted library allocation

page read and write

1FD02B90000

trusted library allocation

page read and write

629000

heap

page read and write

6086000

direct allocation

page execute and read and write

3650000

heap

page read and write

1FD02BA0000

trusted library allocation

page read and write

215E000

stack

page read and write

1FD02C7C000

heap

page read and write

4D5000

heap

page read and write

8886000

direct allocation

page execute and read and write

7E86000

direct allocation

page execute and read and write

19A000

stack

page read and write

21C0000

heap

page read and write

679000

heap

page read and write

10003000

unkown

page readonly

1FD02C20000

heap

page read and write

21C4000

heap

page read and write

600000

heap

page read and write

E01E6FE000

stack

page read and write

2210000

heap

page read and write

40A000

unkown

page read and write

1FD02C35000

heap

page read and write

1FD02C10000

heap

page read and write

1FD02C5E000

heap

page read and write

There are 90 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportDPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Files

Processes

URLs

Registry

Memdumps

IOC Report
DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe