Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

xrPfnwOyJZqd.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.549698702116996
Filename:	xrPfnwOyJZqd.exe
Filesize:	33792
MD5:	b45d6b705ff5e1d95974f680c73edca0
SHA1:	551891b184c060b8aadc3e951c6ec4afce2b4b32
SHA256:	3ea9612dc4f0f0aa8e3bfe877f1c3f7bfd79145f22fb9276f08357479a309592
SHA512:	8e8f3c0becb83bfce4f8f388c2d7625f31ad338bf7482c4f6ea69de1fd8447d157bb6e8f4252969abbd3c597b9ad0fe6d0dd51c8474395468336e45bbd155400
SSDEEP:	384:Ql+PkjD9+E5MFs7iui8L7zoM42pfL3iB7OxVqWDRApkFXBLTsOZwpGN2v99Ikuik:k+CD93W03F42JiB70FVF49jzOjhebo
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G!1f.................z..........N.... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary	Security Software Discovery
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation	Software Packing Security Software Discovery
.NET source code contains potential unpacker	Data Obfuscation
Machine Learning detection for sample	AV Detection
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Sample uses string decryption to hide its real strings	AV Detection
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Security Software Discovery Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Security Software Discovery
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking	Security Software Discovery
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Chrome Cache Entry: 49

ASCII text, with very long lines (1746)

downloaded

Details

File:	Chrome Cache Entry: 49
Category:	downloaded
Dump:	chromecache_49.12.dr
ID:	dr_7
Target ID:	12
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	ASCII text, with very long lines (1746)
Entropy:	5.55061820245277
Encrypted:	false
Ssdeep:	3072:S0eiNiuzs8v4HHKWY8s1BgP4IDQ9GURWu8zylA/u8PemUPhDlaY/ADiZ65LpK629:S0eMhzvwHHKWY8s1BgP4IDQ9GURWu8UD
Size:	163891
Whitelisted:	false
Reputation:	moderate

Chrome Cache Entry: 50

ASCII text, with very long lines (771)

downloaded

Details

File:	Chrome Cache Entry: 50
Category:	downloaded
Dump:	chromecache_50.12.dr
ID:	dr_8
Target ID:	12
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	ASCII text, with very long lines (771)
Entropy:	5.1613564182196505
Encrypted:	false
Ssdeep:	24:YzzqO+O0HSLoBHslgT9lCuABuoB7HHHHHHHYqmffffffo:8eOxcKlgZ01BuSEqmffffffo
Size:	776
Whitelisted:	false
Reputation:	low

Chrome Cache Entry: 51

ASCII text

downloaded

Details

File:	Chrome Cache Entry: 51
Category:	downloaded
Dump:	chromecache_51.12.dr
ID:	dr_9
Target ID:	12
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	ASCII text
Entropy:	3.9353986674667634
Encrypted:	false
Ssdeep:	3:VQAOx/1n:VQAOd1n
Size:	29
Whitelisted:	false
Reputation:	moderate

Chrome Cache Entry: 52

ASCII text, with very long lines (65531)

downloaded

Details

File:	Chrome Cache Entry: 52
Category:	downloaded
Dump:	chromecache_52.12.dr
ID:	dr_10
Target ID:	12
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	ASCII text, with very long lines (65531)
Entropy:	5.440905612507296
Encrypted:	false
Ssdeep:	1536:yMRA4atKJXjPInWWt/usD98kiHLnRA0zqevcZb+haV+trbbbhYxvdU:ezKJou8TMyeN0shCO
Size:	139819
Whitelisted:	false
Reputation:	low

Chrome Cache Entry: 53

ASCII text, with very long lines (3572), with no line terminators

downloaded

Details

File:	Chrome Cache Entry: 53
Category:	downloaded
Dump:	chromecache_53.12.dr
ID:	dr_11
Target ID:	12
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	ASCII text, with very long lines (3572), with no line terminators
Entropy:	5.150542995862274
Encrypted:	false
Ssdeep:	96:RJYrcoiktfqqMghOKTEzNx8BSIMw591g8IOl8u8i8DF+Ks:wkktfqqMghxlg8Ig8u78D2
Size:	3572
Whitelisted:	false
Reputation:	moderate

Chrome Cache Entry: 54

SVG Scalable Vector Graphics image

downloaded

Details

File:	Chrome Cache Entry: 54
Category:	downloaded
Dump:	chromecache_54.12.dr
ID:	dr_12
Target ID:	12
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	SVG Scalable Vector Graphics image
Entropy:	4.301517070642596
Encrypted:	false
Ssdeep:	48:A/S9VU5IDhYYmMqPLmumtrYW2DyZ/jTq9J:A2VUSDhYYmM5trYFw/jmD
Size:	1660
Whitelisted:	false
Reputation:	moderate

Chrome Cache Entry: 55

ASCII text, with very long lines (2124)

downloaded

Details

File:	Chrome Cache Entry: 55
Category:	downloaded
Dump:	chromecache_55.12.dr
ID:	dr_13
Target ID:	12
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	ASCII text, with very long lines (2124)
Entropy:	5.506662476672723
Encrypted:	false
Ssdeep:	3072:QI9yvwslCsrCF9f/U2Dj3Fkk7rEehA5L1kx:l9ygsrieDkVaL1kx
Size:	121628
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\xrPfnwOyJZqd.exe

"C:\Users\user\Desktop\xrPfnwOyJZqd.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3468
Target ID:	5
Parent PID:	4056
Name:	xrPfnwOyJZqd.exe
Path:	C:\Users\user\Desktop\xrPfnwOyJZqd.exe
Commandline:	"C:\Users\user\Desktop\xrPfnwOyJZqd.exe"
Size:	33792
MD5:	B45D6B705FF5E1D95974F680C73EDCA0
Time:	19:06:07
Date:	30/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x40000
Modulesize:	57344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample uses string decryption to hide its real strings	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///

Details

Is windows:	true
Is dropped:	false
PID:	6812
Target ID:	10
Parent PID:	5832
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Size:	3242272
MD5:	5BBFA6CBDF4C254EB368D534F9E23C92
Time:	19:06:12
Date:	30/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6c4390000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=2064,i,9320462037478548023,11330767766689099081,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	4360
Target ID:	12
Parent PID:	6812
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=2064,i,9320462037478548023,11330767766689099081,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Size:	3242272
MD5:	5BBFA6CBDF4C254EB368D534F9E23C92
Time:	19:06:12
Date:	30/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6c4390000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

warzones12.duckdns.org

https://www.google.com/async/ddljson?async=ntp:2

142.250.190.132

https://play.google.com/log?format=json&hasfast=true

unknown

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

142.250.190.132

http://www.broofa.com

unknown

https://csp.withgoogle.com/csp/lcreport/

unknown

https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0

142.250.191.206

https://www.google.com/async/newtab_promos

142.250.190.132

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

142.250.190.132

https://apis.google.com

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1

unknown

https://domains.google.com/suggest/flow

unknown

https://clients6.google.com

unknown

https://plus.google.com

unknown

There are 5 hidden URLs, click here to show them.

Domains

Name

Malicious

warzones12.duckdns.org

179.13.0.175

Details

Name:	warzones12.duckdns.org
IP:	179.13.0.175
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Uses dynamic DNS services	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

plus.l.google.com

142.250.191.206

www.google.com

142.250.190.132

Details

Name:	www.google.com
IP:	142.250.190.132
TargetID:	12
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

apis.google.com

unknown

Details

Name:	apis.google.com
TargetID:	12
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

179.13.0.175

warzones12.duckdns.org

Colombia

Details

IP:	179.13.0.175
TargetID:	5
Current Path:	C:\Users\user\Desktop\xrPfnwOyJZqd.exe
Country:	Colombia
Countrycode:	COL
ASN number:	27831
ASN name:	ColombiaMovilCO
Private:	false
Domain:	warzones12.duckdns.org

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

192.168.2.7

unknown

Details

IP:	192.168.2.7
TargetID:	10
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Private:	true

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses secure TLS version for HTTPS connections	Compliance, Networking

142.250.190.132

www.google.com

United States

239.255.255.250

unknown

Reserved

142.250.191.206

plus.l.google.com

United States

192.168.2.4

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

2331000

trusted library allocation

page read and write

42000

unkown

page readonly

7FFB22680000

unkown

page read and write

7FFAAC8F0000

trusted library allocation

page read and write

7FFAAC774000

trusted library allocation

page read and write

40000

unkown

page readonly

1ADB3000

heap

page read and write

1BB8C000

stack

page read and write

7FFAAC750000

trusted library allocation

page read and write

1B2C0000

heap

page read and write

7FFAAC76D000

trusted library allocation

page execute and read and write

184000

stack

page read and write

1B2BF000

stack

page read and write

2437000

trusted library allocation

page read and write

7FFAAC806000

trusted library allocation

page read and write

12331000

trusted library allocation

page read and write

1B580000

heap

page read and write

7FFB22685000

unkown

page readonly

400000

heap

page read and write

1AC7E000

stack

page read and write

7FFB22682000

unkown

page readonly

770000

trusted library allocation

page read and write

491000

heap

page read and write

7FFAAC7AC000

trusted library allocation

page execute and read and write

2320000

heap

page read and write

460000

heap

page read and write

420000

heap

page read and write

7FFAAC800000

trusted library allocation

page read and write

1A360000

trusted library allocation

page read and write

7FFB22660000

unkown

page readonly

4A1000

heap

page read and write

1B30E000

heap

page read and write

1AEBA000

stack

page read and write

7FFAAC836000

trusted library allocation

page execute and read and write

2378000

trusted library allocation

page read and write

1E0000

heap

page read and write

40000

unkown

page readonly

805000

heap

page read and write

4E4000

heap

page read and write

1B98C000

stack

page read and write

7FFAAC760000

trusted library allocation

page read and write

4CD000

heap

page read and write

1ADB0000

heap

page read and write

7FFB22661000

unkown

page execute read

1B88A000

stack

page read and write

7FFAAC770000

trusted library allocation

page read and write

7FF42BF90000

trusted library allocation

page execute and read and write

49F000

heap

page read and write

1B2D2000

heap

page read and write

1233E000

trusted library allocation

page read and write

800000

heap

page read and write

7FFAAC754000

trusted library allocation

page read and write

48A000

heap

page read and write

A40000

heap

page read and write

1A8BC000

stack

page read and write

4D1000

heap

page read and write

A0C000

stack

page read and write

1B312000

heap

page read and write

1ACB0000

heap

page execute and read and write

12338000

trusted library allocation

page read and write

1B30C000

heap

page read and write

66F000

stack

page read and write

522000

heap

page read and write

46C000

heap

page read and write

22EF000

stack

page read and write

7FFAAC870000

trusted library allocation

page execute and read and write

A10000

heap

page read and write

760000

trusted library allocation

page read and write

1B68F000

stack

page read and write

780000

heap

page execute and read and write

1B0BF000

stack

page read and write

740000

trusted library allocation

page read and write

493000

heap

page read and write

7FFAAC80C000

trusted library allocation

page execute and read and write

1D0000

heap

page read and write

4CB000

heap

page read and write

7FFAAC75D000

trusted library allocation

page execute and read and write

520000

heap

page read and write

90E000

stack

page read and write

7FFAAC77D000

trusted library allocation

page execute and read and write

1B1BC000

stack

page read and write

7FFAAC901000

trusted library allocation

page read and write

51D000

heap

page read and write

7FFAAC810000

trusted library allocation

page execute and read and write

7FFB22676000

unkown

page readonly

27E9000

trusted library allocation

page read and write

1A6B0000

heap

page read and write

7FFAAC753000

trusted library allocation

page execute and read and write

7FFAAC762000

trusted library allocation

page read and write

25AF000

trusted library allocation

page read and write

1AFB4000

stack

page read and write

A45000

heap

page read and write

773000

trusted library allocation

page read and write

There are 83 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
xrPfnwOyJZqd.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportxrPfnwOyJZqd.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
xrPfnwOyJZqd.exe