Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

signed.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.2783295761255555
Filename:	signed.exe
Filesize:	396616
MD5:	adac67fa4e7fbd2c7de600768c40ad69
SHA1:	c79c40e5272ac11180cf90715156e0538336fdbf
SHA256:	3904b06e1150e4e9e167eb1b63a877ed00c08320c637396f12b98e9f14d71010
SHA512:	ea4cda9dc74b67e1a73915184be4e3161000b64de3d77af37735875b0764677a6e5938c1b8138a016c99cad582873380bc9ab05f4a2f4548db59c4b1cad19b33
SSDEEP:	12288:PHQypT6oiKpsoQEX6npbWdhlG8dj6h5PZDeCcq/qybjJVLesH7uCicrPYyr2ac85:PHQypT6oiKpsoQEX6npbWdhlG8dj6rci
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.....w...w...w.p.{...w.V.\|...w.V.}.s.w...y...w.T.}...w...\|...w.].d...w...w...w.i.d...w...v.H.w.T.\|.4.w...q...w.Rich..w........

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Creates files inside the system directory	System Summary
Detected potential crypto function	System Summary	System Time Discovery Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality for error logging	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to read ini properties file for application configuration	Persistence and Installation Behavior
Contains functionality to register its own exception handler	Anti Debugging
Creates files inside the user directory	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a mix of resources often seen in goodware	System Summary
Uses Rich Edit Controls	System Summary

C:\Windows\etrnview.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Windows\etrnview.exe
Category:	dropped
Dump:	etrnview.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\signed.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.1734613399593
Encrypted:	false
Ssdeep:	6144:AKHQypT6oiKpsoQEX6npbWdhlG8dj61M65PZDeC2TqI6/qygKjJVLesH7uCicrPW:PHQypT6oiKpsoQEX6npbWdhlG8dj6h56
Size:	380928
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealLegal E-Transcript Viewer\RealLegal E-Transcript Viewer.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Wed May 22 14:15:38 2024, mtime=Wed May 22 14:15:38 2024, atime=Wed May 22 14:15:38 2024, length=380928, window=hide

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealLegal E-Transcript Viewer\RealLegal E-Transcript Viewer.lnk
Category:	dropped
Dump:	RealLegal E-Transcript Viewer.lnk.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\signed.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Wed May 22 14:15:38 2024, mtime=Wed May 22 14:15:38 2024, atime=Wed May 22 14:15:38 2024, length=380928, window=hide
Entropy:	4.629970644384975
Encrypted:	false
Ssdeep:	24:8tzhEpwA/APglh8Z+IYA82+J2bTGPqygm:8hhzPgAxdMETRyg
Size:	897
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\Public\Desktop\RealLegal E-Transcript Viewer.lnk

dropped

Details

File:	C:\Users\Public\Desktop\RealLegal E-Transcript Viewer.lnk
Category:	dropped
Dump:	RealLegal E-Transcript Viewer.lnk0.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\signed.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Wed May 22 14:15:38 2024, mtime=Wed May 22 14:15:38 2024, atime=Wed May 22 14:15:38 2024, length=380928, window=hide
Entropy:	4.649885728909304
Encrypted:	false
Ssdeep:	24:8tzhEpwA/APglh8Mv+IYA82+J2bTGPqygm:8hhzPgAM3dMETRyg
Size:	879
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\signed.exe

"C:\Users\user\Desktop\signed.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5872
Target ID:	0
Parent PID:	4004
Name:	signed.exe
Path:	C:\Users\user\Desktop\signed.exe
Commandline:	"C:\Users\user\Desktop\signed.exe"
Size:	396616
MD5:	ADAC67FA4E7FBD2C7DE600768C40AD69
Time:	11:15:16
Date:	22/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	397312
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
URLs found in memory or binary data	Networking
PE file contains a mix of resources often seen in goodware	System Summary

URLs

Name

Malicious

http://www.reallegal.com/

unknown

http://www.reallegal.com/binderpull.asp

unknown

http://www.reallegal.com/binderpull.asp.http://www.deposchedule.com/By

unknown

http://www.deposchedule.com/

unknown

http://www.reallegal.com

unknown

Domains

Name

Malicious

206.23.85.13.in-addr.arpa

unknown

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ptx

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ptx

ContentType

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ptxfile

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ptxfile\shell\open\command

NULL

Memdumps

Base Address

Regiontype

Protect

Malicious

2B8E000

stack

page read and write

21C0000

heap

page read and write

449000

unkown

page readonly

1F0000

heap

page read and write

23A4000

heap

page read and write

21E0000

heap

page read and write

525000

heap

page read and write

441000

unkown

page read and write

5D9000

heap

page read and write

437000

unkown

page readonly

400000

unkown

page readonly

2C8F000

stack

page read and write

444000

unkown

page write copy

5B0000

heap

page read and write

401000

unkown

page execute read

401000

unkown

page execute read

21FF000

heap

page read and write

570000

heap

page read and write

5A0000

heap

page read and write

447000

unkown

page read and write

444000

unkown

page read and write

437000

unkown

page readonly

613000

heap

page read and write

2A1E000

stack

page read and write

5B5000

heap

page read and write

2DCF000

stack

page read and write

470000

heap

page read and write

95000

stack

page read and write

550000

heap

page read and write

2B1F000

stack

page read and write

5DE000

heap

page read and write

43C000

unkown

page write copy

19A000

stack

page read and write

41A0000

trusted library allocation

page read and write

21F0000

heap

page read and write

2CCE000

stack

page read and write

578000

heap

page read and write

5B9000

heap

page read and write

449000

unkown

page readonly

400000

unkown

page readonly

236E000

stack

page read and write

29DE000

stack

page read and write

5D0000

heap

page read and write

43C000

unkown

page write copy

619000

heap

page read and write

520000

heap

page read and write

622000

heap

page read and write

23A0000

heap

page read and write

There are 38 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
signed.exe

Files

Processes

URLs

Domains

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportsigned.exe

Files

Processes

URLs

Domains

Registry

Memdumps

IOC Report
signed.exe