Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

xcYJfxDKL0Sk.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.597271970549895
Filename:	xcYJfxDKL0Sk.exe
Filesize:	494592
MD5:	a75658c26b3c3ef739148060446b8d9b
SHA1:	d8ca42c0a901edea00fedce2d306e8e09bf27c91
SHA256:	3a2bc0787d73f2e92b71865154496cef6c1a983c4137f16c3733c1663295fc43
SHA512:	fe2345ce983781a1f6ba807e5b07f8896ecb931bb049ead7b41bbfc5e190b5ee06b3d1eea01fb22930c39a2128b98301ee9fdb7a4b021bf0c004d150d421a8eb
SSDEEP:	6144:q/7iPrcL3ArwhBq7Kjsn9iHGXg0lwGS9MNNhdFvPxps9gsAOZZuAXec7O57ov:q/uPq3AfK496Gw0lwGXN3pvs/Zu18v
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d..- ..~ ..~ ..~.f$~3..~.f&~...~.f'~>..~).Q~!..~.Z.~"..~....:..~.......~.......~).F~9..~ ..~...~....D..~..*~!..~....!..~Rich ..

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection	Access Token Manipulation
Contains functionality to bypass UAC (CMSTPLUA)	Privilege Escalation	Bypass User Account Control Access Token Manipulation
Multi AV Scanner detection for submitted file	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Antivirus / Scanner detection for submitted sample	AV Detection
Contains functionality to steal Firefox passwords or cookies	Stealing of Sensitive Information	Access Token Manipulation Credentials In Files
Delayed program exit found	Malware Analysis System Evasion	Access Token Manipulation
Contains functionality to register a low level keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Access Token Manipulation
Contains functionality to steal Chrome passwords or cookies	Stealing of Sensitive Information	OS Credential Dumping Account Discovery System Owner/User Discovery
Contains functionalty to change the wallpaper	Spam, unwanted Advertisements and Ransom Demands	Defacement
Uses 32bit PE files	Compliance, System Summary	Masquerading
Yara signature match	System Summary
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	Access Token Manipulation System Shutdown/Reboot
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
Contains functionality to call native functions	System Summary
Contains functionality to launch a control a shell (cmd.exe)	Remote Access Functionality	Access Token Manipulation Account Discovery System Owner/User Discovery
Contains functionality to enumerate running services	Malware Analysis System Evasion	System Service Discovery Ingress Tool Transfer
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Contains functionality to download and launch executables	Persistence and Installation Behavior	Access Token Manipulation
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion	Masquerading
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Public key (encryption) found	Cryptography	Account Discovery System Owner/User Discovery
Sample is known by Antivirus	System Summary	Access Token Manipulation
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Creates files inside the user directory	System Summary	Masquerading
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery System Information Discovery
Creates temporary files	System Summary
Contains functionality to query local drives	Spreading, Malware Analysis System Evasion
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Reads ini files	System Summary	File and Directory Discovery
Contains functionality to start windows services	Boot Survival	Access Token Manipulation
Contains functionality to modify services (start/stop/modify)	System Summary	Service Execution Windows Service Access Token Manipulation System Time Discovery System Information Discovery
Contains functionality to enum processes or threads	System Summary	Access Token Manipulation
Contains functionality to query time zone information	Language, Device and Operating System Detection	Access Token Manipulation
Creates mutexes	System Summary	Access Token Manipulation
Contains functionality to load and extract PE file embedded resources	System Summary
Program exit points	Malware Analysis System Evasion
Executes visual basic scripts	System Summary	Scripting
Contains functionality to register its own exception handler	Anti Debugging
Might use command line arguments	System Summary	Masquerading
URLs found in memory or binary data	Networking
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json

JSON data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json
Category:	dropped
Dump:	json[1].json.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\xcYJfxDKL0Sk.exe
Type:	JSON data
Entropy:	4.977580076482615
Encrypted:	false
Ssdeep:	12:tkl/und6CsGkMyGWKyMPVGADHInmaoHQmGdAvOO+E9F3im51w7L/m9lVF6xIjJOz:qladRNuKyM8FO46m7DoUx6Y+Y
Size:	952
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Temp\frjghkytrkcmwefakksrc.vbs

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\frjghkytrkcmwefakksrc.vbs
Category:	dropped
Dump:	frjghkytrkcmwefakksrc.vbs.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\xcYJfxDKL0Sk.exe
Type:	data
Entropy:	3.503811903644398
Encrypted:	false
Ssdeep:	12:xQ4lA2++ugypjBQMPURbRmFRQ3DoRmFR9Hz/0aimi:7a2+SDdKQToK9Aait
Size:	476
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates temporary files	System Summary
Executes visual basic scripts	System Summary	Scripting
Spawns processes	System Summary	Process Injection

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Details

Is windows:	false
Is dropped:	false
PID:	6188
Target ID:	0
Parent PID:	2580
Name:	xcYJfxDKL0Sk.exe
Path:	C:\Users\user\Desktop\xcYJfxDKL0Sk.exe
Commandline:	C:\Users\user\Desktop\xcYJfxDKL0Sk.exe
Size:	494592
MD5:	A75658C26B3C3EF739148060446B8D9B
Time:	04:05:52
Date:	21/11/2023
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	532480
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\frjghkytrkcmwefakksrc.vbs"

Details

Is windows:	true
Is dropped:	false
PID:	6628
Target ID:	1
Parent PID:	6188
Name:	wscript.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\wscript.exe
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\frjghkytrkcmwefakksrc.vbs"
Size:	147456
MD5:	FF00E0480075B095948000BDC66E81F0
Time:	04:06:04
Date:	21/11/2023
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x420000
Modulesize:	159744
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample file is different than original file name gathered from version info	System Summary
Executes visual basic scripts	System Summary	Scripting
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://geoplugin.net/json.gp

178.237.33.50

0.tcp.sa.ngrok.io

http://geoplugin.net/json.gp/C

unknown

http://geoplugin.net/json.gpb

unknown

http://geoplugin.net/json.gp8

unknown

http://geoplugin.net/

unknown

http://geoplugin.net/json.gp5

unknown

http://geoplugin.net/X

unknown

http://geoplugin.net/json.gpl

unknown

http://geoplugin.net/json.gpSystem32

unknown

Domains

Name

Malicious

0.tcp.sa.ngrok.io

54.94.248.37

Details

Name:	0.tcp.sa.ngrok.io
IP:	54.94.248.37
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

geoplugin.net

178.237.33.50

Details

Name:	geoplugin.net
IP:	178.237.33.50
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

54.94.248.37

0.tcp.sa.ngrok.io

United States

Details

IP:	54.94.248.37
TargetID:	0
Current Path:	C:\Users\user\Desktop\xcYJfxDKL0Sk.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false
Domain:	0.tcp.sa.ngrok.io

Signature Hits	Behavior Group	Mitre Attack
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

178.237.33.50

geoplugin.net

Netherlands

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Rmc-7QVKVR

exepath

HKEY_CURRENT_USER\SOFTWARE\Rmc-7QVKVR

licence

HKEY_CURRENT_USER\SOFTWARE\Rmc-7QVKVR

time

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

LangID

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Windows\System32\WScript.exe.FriendlyAppName

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Windows\System32\WScript.exe.ApplicationCompany

Memdumps

Base Address

Regiontype

Protect

Malicious

459000

unkown

page readonly

459000

unkown

page readonly

2E7E000

stack

page read and write

2BA7000

heap

page read and write

68B000

heap

page read and write

27FB000

stack

page read and write

22EF000

stack

page read and write

282E000

stack

page read and write

92F000

stack

page read and write

2BAA000

heap

page read and write

4DE000

stack

page read and write

2BC9000

heap

page read and write

400000

unkown

page readonly

2A30000

unclassified section

page readonly

2BD1000

heap

page read and write

2BF1000

heap

page read and write

6B7000

heap

page read and write

2BD1000

heap

page read and write

2DFE000

stack

page read and write

673000

heap

page read and write

6A1000

heap

page read and write

2B50000

heap

page read and write

2BE1000

heap

page read and write

2BF2000

heap

page read and write

48F0000

heap

page read and write

2BED000

heap

page read and write

2BEB000

heap

page read and write

6E6000

heap

page read and write

2BC1000

heap

page read and write

2680000

unclassified section

page readonly

2BD2000

heap

page read and write

2BD2000

heap

page read and write

490000

heap

page read and write

31C0000

heap

page read and write

2BE5000

heap

page read and write

332E000

stack

page read and write

2BBA000

heap

page read and write

21E0000

heap

page read and write

35CC000

stack

page read and write

2CBE000

stack

page read and write

690000

heap

page read and write

68B000

heap

page read and write

2F8A000

heap

page read and write

2BE2000

heap

page read and write

671000

heap

page read and write

2BE0000

heap

page read and write

2BC7000

heap

page read and write

20000

unclassified section

page readonly

51E000

stack

page read and write

2B88000

heap

page read and write

2BD4000

heap

page read and write

67A000

heap

page read and write

2BBD000

heap

page read and write

63E000

heap

page read and write

2BCD000

heap

page read and write

400000

unkown

page readonly

6C3000

heap

page read and write

9C000

stack

page read and write

47D0000

heap

page read and write

2BE6000

heap

page read and write

2BF2000

heap

page read and write

535000

heap

page read and write

315B000

stack

page read and write

630000

heap

page read and write

2BF1000

heap

page read and write

2BCC000

heap

page read and write

690000

heap

page read and write

2670000

unclassified section

page readonly

32EE000

stack

page read and write

36CC000

stack

page read and write

2B98000

heap

page read and write

2A2F000

stack

page read and write

2BF2000

heap

page read and write

2BCB000

heap

page read and write

2BDE000

heap

page read and write

6A1000

heap

page read and write

2BBF000

heap

page read and write

82E000

stack

page read and write

680000

heap

page read and write

68B000

heap

page read and write

3ED3000

heap

page read and write

27AE000

stack

page read and write

401000

unkown

page execute read

6A1000

heap

page read and write

2BF0000

heap

page read and write

10000

unclassified section

page readonly

214E000

stack

page read and write

4740000

heap

page read and write

2B80000

heap

page read and write

276E000

stack

page read and write

2BEA000

heap

page read and write

2EFE000

stack

page read and write

2BCE000

heap

page read and write

2BCF000

heap

page read and write

2BD0000

heap

page read and write

2A40000

heap

page read and write

610000

heap

page read and write

478000

unkown

page readonly

6C5000

heap

page read and write

639000

heap

page read and write

2BBB000

heap

page read and write

2BED000

heap

page read and write

292E000

stack

page read and write

21EA000

heap

page read and write

2BC2000

heap

page read and write

474000

unkown

page read and write

31E0000

heap

page read and write

4E1F000

stack

page read and write

43E6000

heap

page read and write

471000

unkown

page read and write

2BC0000

heap

page read and write

6C3000

heap

page read and write

401000

unkown

page execute read

2D2F000

stack

page read and write

2BD6000

heap

page read and write

2BCA000

heap

page read and write

2BC0000

heap

page read and write

2BEC000

heap

page read and write

47AE000

stack

page read and write

27EE000

stack

page read and write

2BD5000

heap

page read and write

2BC5000

heap

page read and write

2A70000

heap

page read and write

2C2F000

stack

page read and write

2BDE000

heap

page read and write

23EF000

stack

page read and write

471000

unkown

page write copy

19C000

stack

page read and write

68B000

heap

page read and write

2BE7000

heap

page read and write

530000

heap

page read and write

2A45000

heap

page read and write

34BF000

stack

page read and write

2BC1000

heap

page read and write

6B7000

heap

page read and write

2B95000

heap

page read and write

2F80000

heap

page read and write

33B0000

heap

page read and write

2BBF000

heap

page read and write

4900000

heap

page read and write

2BEF000

heap

page read and write

2BD3000

heap

page read and write

4E5E000

stack

page read and write

2BF0000

heap

page read and write

39CD000

heap

page read and write

2BA7000

heap

page read and write

47E0000

heap

page read and write

31EB000

heap

page read and write

31BC000

stack

page read and write

2BC4000

heap

page read and write

2BD7000

heap

page read and write

4F60000

heap

page read and write

210E000

stack

page read and write

2D7E000

stack

page read and write

6B7000

heap

page read and write

2BD9000

heap

page read and write

2BCF000

heap

page read and write

4F5F000

stack

page read and write

690000

heap

page read and write

6AF000

heap

page read and write

2BCB000

heap

page read and write

478000

unkown

page readonly

6B7000

heap

page read and write

39C9000

heap

page read and write

2B2F000

stack

page read and write

2BE4000

heap

page read and write

305C000

stack

page read and write

21CC000

stack

page read and write

2BE7000

heap

page read and write

6A1000

heap

page read and write

2BDC000

heap

page read and write

2DBF000

stack

page read and write

26FB000

stack

page read and write

2BD3000

heap

page read and write

1C0000

unclassified section

page readonly

2FBB000

stack

page read and write

6B7000

heap

page read and write

2EBE000

stack

page read and write

2BED000

heap

page read and write

2BAB000

heap

page read and write

1F0000

heap

page read and write

There are 171 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
xcYJfxDKL0Sk.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportxcYJfxDKL0Sk.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
xcYJfxDKL0Sk.exe