Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy:	7.989999812901478
Filename:	file.exe
Filesize:	4444053
MD5:	e2c4c4dd8c6a357eca164955a8fe040c
SHA1:	f4114815bce62efbc78c79f9a83ccf74a4ea075c
SHA256:	f3efe3b57a0f5cc46963dbd8832ceecd5768117685b4cee684b1235d9e74ebe5
SHA512:	389bf398f9f9f6ae7e6dfca835f5877befa4ebfee5938d4b50728d77fb0450b2eb2cb67e3f4d9abaaad77231754968b27c69a510448dfd7f52c63b1ce3a1c3e1
SSDEEP:	98304:3c9jNgez/S9bL+M0QVtYD0JCqfZlVcc9uNSwfrNaSQHbfU0qC:s95zk0mtyTqj6W4SGYSQ/qC
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^.........

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Contains functionality to shutdown / reboot the system	System Summary
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates a DirectInput object (often for capturing keystrokes)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Drops PE files	Persistence and Installation Behavior
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Uses an in-process (OLE) Automation server	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Contains functionality to instantiate COM classes	System Summary
Reads ini files	System Summary
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Program exit points	Malware Analysis System Evasion
URLs found in memory or binary data	Networking
Executes batch files	System Summary	Scripting
Submission file is bigger than most known malware samples	System Summary

C:\Baldi\Baldi.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Baldi\Baldi.exe
Category:	dropped
Dump:	Baldi.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.758905606569735
Encrypted:	false
Ssdeep:	98304:4PyiUHCa1abtUvA5b1PSqhRLuaY673+/4ByCNlFSB+sgpDhsfC2PDORalZLCwpo3:ww2U4tuWbDa9PY
Size:	13049579
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Changes the wallpaper picture	Spam, unwanted Advertisements and Ransom Demands
Disables the Windows task manager (taskmgr)	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Uses taskkill to terminate processes	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Spawns processes	System Summary	Process Injection
Executable creates window controls seldom found in malware	System Summary

C:\Baldi\DisableUAC.exe

PE32+ executable (console) x86-64, for MS Windows

dropped

Details

File:	C:\Baldi\DisableUAC.exe
Category:	dropped
Dump:	DisableUAC.exe.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.27337799955346
Encrypted:	false
Ssdeep:	1536:lD5s9u/O4wppE7b6Ca9wOxibBjPm8YEZDVAguwWx4c6fFSq35t:3s9uWfE7mt+BzXYEZDVAgVWuc69Sq35t
Size:	106496
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Spawns processes	System Summary	Process Injection

C:\Baldi\kill.exe

PE32+ executable (console) x86-64, for MS Windows

dropped

Details

File:	C:\Baldi\kill.exe
Category:	dropped
Dump:	kill.exe.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.299970440877681
Encrypted:	false
Ssdeep:	1536:pD5s9u/O4wppE7b6Ca9wOxibBjPm8YEZDVAguwWx4c6fFSqF4D:zs9uWfE7mt+BzXYEZDVAgVWuc69SqFc
Size:	107520
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Baldi\lol.png

PNG image data, 700 x 394, 8-bit/color RGBA, non-interlaced

dropped

Details

File:	C:\Baldi\lol.png
Category:	dropped
Dump:	lol.png.0.dr
ID:	dr_6
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PNG image data, 700 x 394, 8-bit/color RGBA, non-interlaced
Entropy:	7.990244705539055
Encrypted:	true
Ssdeep:	3072:dB1lj5X8Ll5YSBw08P47iGR64EjueyjjPQ3FKxu6aSNKkfM7xBTLmtoNDFuSzbDe:f9e5YjN4zR6paM77LPN5uSzb4WG
Size:	151955
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Changes the wallpaper picture	Spam, unwanted Advertisements and Ransom Demands

C:\Baldi\mbr.exe

PE32 executable (console) Intel 80386, for MS Windows

dropped

Details

File:	C:\Baldi\mbr.exe
Category:	dropped
Dump:	mbr.exe.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	5.173437012266276
Encrypted:	false
Ssdeep:	768:4eMSZqVQuw+qdWSMzKAX9DCn4PLbz5DnNSN4at2bhBXuY8xX:TZqVQcZzXJC2ClktoZxX
Size:	61440
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Baldi\7note.mp3

Audio file with ID3 version 2.4.0, contains:\012- MPEG ADTS, layer III, v2, 160 kbps, 22.05 kHz, Monaural

dropped

Details

File:	C:\Baldi\7note.mp3
Category:	dropped
Dump:	7note.mp3.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	Audio file with ID3 version 2.4.0, contains:\012- MPEG ADTS, layer III, v2, 160 kbps, 22.05 kHz, Monaural
Entropy:	7.546210558954595
Encrypted:	false
Ssdeep:	6144:+vlzl1lcxbHrXiUl8vr6kSWyYqaaBh6P8IkxR/3t:+vlVQl8vr6LH1B//t
Size:	248823
Whitelisted:	false
Reputation:	timeout

C:\Baldi\CleanZUpdater.bat

DOS batch file, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Baldi\CleanZUpdater.bat
Category:	dropped
Dump:	CleanZUpdater.bat.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	DOS batch file, ASCII text, with CRLF line terminators
Entropy:	4.528650179702277
Encrypted:	false
Ssdeep:	3:mKDDlR+aRMgACL+aROWuM8AC:hOaSgNiaZRC
Size:	66
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\FC2B.tmp\FC2C.bat

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\FC2B.tmp\FC2C.bat
Category:	dropped
Dump:	FC2C.bat.4.dr
ID:	dr_7
Target ID:	4
Process:	C:\Baldi\DisableUAC.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.385562223264799
Encrypted:	false
Ssdeep:	3:NNgnzKDDEFkhhPk6pdgLxqrZfyM1K7eB/k+7W1nEHfnKyMhF6LFsIlGFIYh9n:NS0QePzYLxiH1jhRiRe66ibFpz
Size:	186
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c CleanZUpdater.bat

C:\Baldi\Baldi.exe

C:\Baldi\DisableUAC.exe

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd" /c "C:\Users\user\AppData\Local\Temp\FC2B.tmp\FC2C.bat C:\Baldi\DisableUAC.exe

C:\Windows\System32\reg.exe

reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\shutdown.exe

shutdown -r -t 1 -c "BALDI EVIL..."

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im explorer.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

There are 1 hidden processes, click here to show them.

URLs

Name

Malicious

http://nsis.sf.net/NSIS_Error

unknown

http://nsis.sf.net/NSIS_ErrorError

unknown

https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-Ang

unknown

Details

Name:	https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-Ang
TargetID:	3
From Memory:	true
Current Path:	C:\Baldi\Baldi.exe
Source:	Baldi.exe, 00000003.00000002.637111077.0000000002E0A000.00000004.00001000.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings which match to known social media urls	Networking
URLs found in memory or binary data	Networking

https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-A

unknown

Details

Name:	https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-A
TargetID:	-1
From Memory:	true
Source:	Baldi.exe, 00000003.00000000.371792165.0000000000640000.00000002.00000001.01000000.00000004.sdmp, Baldi.exe.0.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found strings which match to known social media urls	Networking
URLs found in memory or binary data	Networking

https://vk.com/endnet

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

DisableTaskMgr

HKEY_CURRENT_USER\Control Panel\Desktop

Wallpaper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

EnableLUA

Details

TargetID:	9
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value name:	EnableLUA
Value data:	0

Signature Hits	Behavior Group	Mitre Attack
Disables UAC (registry)	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses reg.exe to modify the Windows registry	System Summary	Modify Registry
Spawns processes	System Summary	Process Injection

HKEY_CURRENT_USER\softwaremicrosoftwindowscurrentversionpoliciesexplorer

noclose

HKEY_CURRENT_USER\softwaremicrosoftwindowscurrentversionpoliciesexplorer

nologoff

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

GG.exe

Memdumps

Base Address

Regiontype

Protect

Malicious

1FFF3F00000

heap

page read and write

470000

heap

page read and write

16157B60000

heap

page read and write

1FFF3EF0000

heap

page read and write

16157B70000

heap

page read and write

2370000

heap

page read and write

16157B6F000

heap

page read and write

1E5CE7B0000

heap

page read and write

16157B70000

heap

page read and write

1C4000

heap

page read and write

1E5CE4F0000

heap

page read and write

1E5CE4F9000

heap

page read and write

1FFF3EF4000

heap

page read and write

1E5CE7B4000

heap

page read and write

448000

heap

page read and write

16157DD0000

heap

page read and write

16157B6B000

heap

page read and write

16157B84000

heap

page read and write

2EAA000

direct allocation

page read and write

401000

unkown

page execute read

14001B000

unkown

page read and write

140001000

unkown

page execute read

16157B84000

heap

page read and write

2EB8000

direct allocation

page read and write

4DCE000

stack

page read and write

271F000

stack

page read and write

637000

unkown

page read and write

2E0A000

direct allocation

page read and write

180000

heap

page read and write

1E5CE4A0000

heap

page read and write

1EFE000

stack

page read and write

5FD2FC000

stack

page read and write

1040000

unkown

page readonly

16157B74000

heap

page read and write

16157B74000

heap

page read and write

7FE8A000

direct allocation

page read and write

14001E000

unkown

page readonly

16157B74000

heap

page read and write

407000

unkown

page readonly

439000

unkown

page readonly

4D8F000

stack

page read and write

1E5CE4C0000

heap

page read and write

140000000

unkown

page readonly

16157B70000

heap

page read and write

400000

unkown

page readonly

21A0000

heap

page read and write

160E000

stack

page read and write

2DE7000

direct allocation

page read and write

1F0000

heap

page read and write

2EE4000

direct allocation

page read and write

16157B30000

heap

page read and write

2190000

heap

page read and write

1240000

heap

page read and write

2E94000

direct allocation

page read and write

16157B74000

heap

page read and write

628000

unkown

page write copy

16157B74000

heap

page read and write

16157DD9000

heap

page read and write

A3648ED000

stack

page read and write

30000

heap

page read and write

30000

heap

page read and write

628000

unkown

page read and write

B925C7E000

stack

page read and write

16157B70000

heap

page read and write

1E5CE50F000

heap

page read and write

2E1A000

direct allocation

page read and write

63E000

unkown

page readonly

1625000

heap

page read and write

2EEC000

direct allocation

page read and write

10000

heap

page read and write

206F000

stack

page read and write

B925CFF000

stack

page read and write

9C5000

heap

page read and write

16157DD4000

heap

page read and write

480000

heap

page read and write

7FE60000

direct allocation

page read and write

1E5CE502000

heap

page read and write

16157B84000

heap

page read and write

2F01000

direct allocation

page read and write

2ECF000

direct allocation

page read and write

2EF3000

direct allocation

page read and write

4A0000

heap

page read and write

1245000

heap

page read and write

640000

unkown

page readonly

13BA000

heap

page read and write

407000

unkown

page readonly

162B000

heap

page read and write

16157B6C000

heap

page read and write

14001B000

unkown

page write copy

25DF000

stack

page read and write

1F3E000

stack

page read and write

1FFF3F09000

heap

page read and write

4C8E000

stack

page read and write

19A000

stack

page read and write

639000

unkown

page write copy

5FD4FF000

stack

page read and write

7FEA1000

direct allocation

page read and write

1173000

heap

page read and write

41B000

unkown

page execute read

1F60000

heap

page read and write

2E21000

direct allocation

page read and write

2E9B000

direct allocation

page read and write

42C000

unkown

page read and write

16157E10000

heap

page read and write

1E5CE50D000

heap

page read and write

2E29000

direct allocation

page read and write

16157B74000

heap

page read and write

16157B84000

heap

page read and write

1360000

heap

page read and write

2EA2000

direct allocation

page read and write

140016000

unkown

page readonly

459000

heap

page read and write

568000

heap

page read and write

5FD3FF000

unkown

page read and write

2E25000

direct allocation

page read and write

439000

unkown

page readonly

216F000

stack

page read and write

16157AA0000

heap

page read and write

9C000

stack

page read and write

21A7000

heap

page read and write

4F0000

heap

page read and write

1C7000

heap

page read and write

401000

unkown

page execute read

16157B84000

heap

page read and write

2E76000

direct allocation

page read and write

140016000

unkown

page readonly

4ECF000

stack

page read and write

1C0000

heap

page read and write

16157B70000

heap

page read and write

B92599C000

stack

page read and write

16157B84000

heap

page read and write

16157B74000

heap

page read and write

2E36000

direct allocation

page read and write

56B000

heap

page read and write

4C4F000

stack

page read and write

1FFF3E50000

heap

page read and write

1150000

heap

page read and write

2EB1000

direct allocation

page read and write

2E68000

direct allocation

page read and write

140000000

unkown

page readonly

19A000

stack

page read and write

13E7000

heap

page read and write

2040000

heap

page read and write

2E59000

direct allocation

page read and write

2DF3000

direct allocation

page read and write

16157B74000

heap

page read and write

4EE000

stack

page read and write

16157B84000

heap

page read and write

2DF8000

direct allocation

page read and write

2ED6000

direct allocation

page read and write

1E5CE360000

heap

page read and write

80F000

stack

page read and write

98000

stack

page read and write

63D000

unkown

page read and write

16157B84000

heap

page read and write

70F000

stack

page read and write

16157B84000

heap

page read and write

400000

unkown

page readonly

261E000

stack

page read and write

2E12000

direct allocation

page read and write

140001000

unkown

page execute read

2EFA000

direct allocation

page read and write

16157B70000

heap

page read and write

62F000

unkown

page read and write

140D000

heap

page read and write

632000

unkown

page read and write

16157B74000

heap

page read and write

1620000

heap

page read and write

16157B84000

heap

page read and write

400000

unkown

page readonly

400000

heap

page read and write

2F08000

direct allocation

page read and write

16157B74000

heap

page read and write

440000

heap

page read and write

13EB000

heap

page read and write

520000

heap

page read and write

2E60000

direct allocation

page read and write

1A0000

heap

page read and write

640000

heap

page read and write

409000

unkown

page write copy

562000

heap

page read and write

528000

heap

page read and write

16157B84000

heap

page read and write

A36496F000

stack

page read and write

21A2000

heap

page read and write

14001E000

unkown

page readonly

16157DD9000

heap

page read and write

16157B74000

heap

page read and write

1170000

heap

page read and write

13E3000

heap

page read and write

40B000

unkown

page read and write

7FE9A000

direct allocation

page read and write

13B0000

heap

page read and write

9C0000

heap

page read and write

58C0000

trusted library allocation

page read and write

1390000

direct allocation

page execute and read and write

2E03000

direct allocation

page read and write

16157E10000

heap

page read and write

16157B6D000

heap

page read and write

16157B70000

heap

page read and write

409000

unkown

page read and write

16157DD5000

heap

page read and write

2E8C000

direct allocation

page read and write

A3649EF000

stack

page read and write

401000

unkown

page execute read

1200000

heap

page read and write

14C000

stack

page read and write

1380000

heap

page read and write

16157B10000

heap

page read and write

16157B84000

heap

page read and write

16157DD9000

heap

page read and write

1FFF3DE0000

heap

page read and write

2E84000

direct allocation

page read and write

13FB000

heap

page read and write

16157DD9000

heap

page read and write

1FFF3E70000

heap

page read and write

2EC8000

direct allocation

page read and write

2EDD000

direct allocation

page read and write

13F8000

heap

page read and write

434000

unkown

page read and write

645000

heap

page read and write

There are 211 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Registry

Memdumps

IOC Report
file.exe