Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Loader.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.3280468055909305
Filename:	Loader.exe
Filesize:	419840
MD5:	edda8f53633b4ea2270424b850d700bf
SHA1:	d1cb6ed8d18f40ed4fafd70a70c8168396912f45
SHA256:	bb8fd576341c8f75f014515016614c9b84505d2704fe3e960c32afebab2c19b0
SHA512:	62637cebf5931eb6c9df407cf82ee37ad2ac6c335dd00cb2c152e9bf6df496875b9740e9862084ac5e7cb1c7c2b3630d6ae764c1efa8ba1e8cc3b2c4366eecc8
SSDEEP:	12288:jfS5v+TGic+7Lq0W4iHIkSZ96dY4NPj49KQ6appN3vgM4d4L2rW48mX8:bS5aTc+fHiokSZQ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....}f.................D... ...........@... ....@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Security Software Discovery
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has nameless sections	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Security Software Discovery
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	File and Directory Discovery
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Security Software Discovery
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to modify the execution of threads in other processes		Security Software Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Loader.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Loader.exe.log
Category:	dropped
Dump:	Loader.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Loader.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.0050635535766075
Encrypted:	false
Ssdeep:	3:QHXMKa/xwwUy:Q3La/xwQ
Size:	42
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has nameless sections	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\d3d9.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\d3d9.dll
Category:	dropped
Dump:	d3d9.dll.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Loader.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.951373265521596
Encrypted:	false
Ssdeep:	12288:4pYXcezO1zLj1KXu4HYkmhrvHfOa3rHk2i4je:VXWiemnmhr/Oa3zk2i4je
Size:	440320
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Loader.exe

"C:\Users\user\Desktop\Loader.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7336
Target ID:	0
Parent PID:	3504
Name:	Loader.exe
Path:	C:\Users\user\Desktop\Loader.exe
Commandline:	"C:\Users\user\Desktop\Loader.exe"
Size:	419840
MD5:	EDDA8F53633B4EA2270424B850D700BF
Time:	06:00:08
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc70000
Modulesize:	458752
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has nameless sections	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7452
Target ID:	3
Parent PID:	7336
Name:	aspnet_regiis.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Size:	43016
MD5:	5D1D74198D75640E889F0A577BBF31FC
Time:	06:00:08
Date:	01/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7c0000
Modulesize:	49152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7344
Target ID:	1
Parent PID:	7336
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	06:00:08
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff70f010000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

grandcommonyktsju.xyz

cooperatvassquaidmew.xyz

exuberanttjdkwo.xyz

qualificationjdwko.xyz

wordingnatturedowo.xyz

deadtrainingactioniw.xyz

crisisrottenyjs.xyz

sweetcalcutangkdow.xyz

https://sweetcalcutangkdow.xyz/

unknown

https://cooperatvassquaidmew.xyz/

unknown

https://qualificationjdwko.xyz/api

unknown

https://sweetcalcutangkdow.xyz/api

unknown

https://sweetcalcutangkdow.xyz/apiz9

unknown

https://exuberanttjdkwo.xyz/api

unknown

https://grandcommonyktsju.xyz/

unknown

https://deadtrainingactioniw.xyz/api

unknown

https://grandcommonyktsju.xyz/api

unknown

https://qualificationjdwko.xyz/apidO

unknown

https://qualificationjdwko.xyz/A

unknown

https://grandcommonyktsju.xyz/apiz?

unknown

https://qualificationjdwko.xyz/

unknown

https://crisisrottenyjs.xyz/api

unknown

https://deadtrainingactioniw.xyz/0

unknown

https://qualificationjdwko.xyz/7

unknown

https://cooperatvassquaidmew.xyz/api

unknown

https://deadtrainingactioniw.xyz/

unknown

https://qualificationjdwko.xyz/apizC

unknown

There are 17 hidden URLs, click here to show them.

Domains

Name

Malicious

qualificationjdwko.xyz

unknown

Details

Name:	qualificationjdwko.xyz
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Performs DNS queries to domains with low reputation	Networking
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

crisisrottenyjs.xyz

unknown

Details

Name:	crisisrottenyjs.xyz
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Performs DNS queries to domains with low reputation	Networking
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

deadtrainingactioniw.xyz

unknown

Details

Name:	deadtrainingactioniw.xyz
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Performs DNS queries to domains with low reputation	Networking
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

grandcommonyktsju.xyz

unknown

Details

Name:	grandcommonyktsju.xyz
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Performs DNS queries to domains with low reputation	Networking
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

cooperatvassquaidmew.xyz

unknown

Details

Name:	cooperatvassquaidmew.xyz
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Performs DNS queries to domains with low reputation	Networking
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

sweetcalcutangkdow.xyz

unknown

Details

Name:	sweetcalcutangkdow.xyz
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Performs DNS queries to domains with low reputation	Networking
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

exuberanttjdkwo.xyz

unknown

Details

Name:	exuberanttjdkwo.xyz
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Performs DNS queries to domains with low reputation	Networking
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

wordingnatturedowo.xyz

unknown

Details

Name:	wordingnatturedowo.xyz
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Performs DNS queries to domains with low reputation	Networking
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

58D000

remote allocation

page readonly

14B8000

heap

page read and write

12C7000

trusted library allocation

page execute and read and write

497E000

stack

page read and write

5FB000

heap

page read and write

301F000

stack

page read and write

42AD000

stack

page read and write

43AE000

stack

page read and write

132E000

stack

page read and write

6D38E000

unkown

page readonly

590000

remote allocation

page execute and read and write

299F000

stack

page read and write

5FB000

heap

page read and write

6D321000

unkown

page execute read

C72000

unkown

page readonly

638000

heap

page read and write

30D7000

trusted library allocation

page read and write

551000

remote allocation

page execute read

1561000

heap

page read and write

60D000

heap

page read and write

63F000

heap

page read and write

639000

heap

page read and write

60D000

heap

page read and write

56BE000

stack

page read and write

43C000

stack

page read and write

16AF000

stack

page read and write

60D000

heap

page read and write

780000

heap

page read and write

5E0000

heap

page read and write

5F6000

heap

page read and write

DE0000

heap

page read and write

51BE000

stack

page read and write

53C000

stack

page read and write

77E000

stack

page read and write

14DD000

heap

page read and write

30A0000

trusted library section

page read and write

638000

heap

page read and write

624000

heap

page read and write

14F2000

heap

page read and write

DD0000

heap

page read and write

43ED000

stack

page read and write

12B0000

heap

page read and write

44F0000

remote allocation

page read and write

63B000

heap

page read and write

1770000

heap

page read and write

30B0000

heap

page execute and read and write

1330000

heap

page read and write

1571000

heap

page read and write

14B0000

heap

page read and write

C72000

unkown

page execute and read and write

14DF000

heap

page read and write

157B000

heap

page read and write

1294000

trusted library allocation

page read and write

550000

remote allocation

page execute and read and write

1390000

trusted library allocation

page read and write

10FB000

stack

page read and write

1270000

trusted library allocation

page read and write

309E000

stack

page read and write

30C1000

trusted library allocation

page read and write

730000

heap

page read and write

13A0000

heap

page read and write

305E000

stack

page read and write

624000

heap

page read and write

487D000

stack

page read and write

1290000

trusted library allocation

page read and write

735000

heap

page read and write

AD3E000

stack

page read and write

607000

heap

page read and write

1284000

trusted library allocation

page read and write

6D320000

unkown

page readonly

44F0000

remote allocation

page read and write

151C000

heap

page read and write

14AF000

stack

page read and write

4260000

heap

page read and write

7B3E000

stack

page read and write

638000

heap

page read and write

1380000

trusted library allocation

page execute and read and write

CDA000

unkown

page readonly

155B000

heap

page read and write

14BE000

heap

page read and write

124E000

stack

page read and write

622000

heap

page read and write

5A2000

remote allocation

page readonly

44ED000

stack

page read and write

72E000

stack

page read and write

553E000

stack

page read and write

137D000

stack

page read and write

622000

heap

page read and write

1554000

heap

page read and write

12C0000

trusted library allocation

page read and write

14E6000

heap

page read and write

5E8000

heap

page read and write

6E0000

heap

page read and write

624000

heap

page read and write

30CB000

trusted library allocation

page read and write

12CB000

trusted library allocation

page execute and read and write

55B0000

heap

page execute and read and write

40C1000

trusted library allocation

page read and write

120E000

stack

page read and write

D6C000

stack

page read and write

AC3D000

stack

page read and write

C70000

unkown

page readonly

30D3000

trusted library allocation

page read and write

622000

heap

page read and write

12E0000

trusted library allocation

page read and write

1750000

trusted library allocation

page read and write

558E000

stack

page read and write

1283000

trusted library allocation

page execute and read and write

2A9F000

stack

page read and write

6D340000

unkown

page read and write

6D339000

unkown

page readonly

7A0000

heap

page read and write

48C5000

trusted library allocation

page read and write

44F0000

remote allocation

page read and write

609000

heap

page read and write

C70000

unkown

page execute and read and write

1292000

trusted library allocation

page read and write

There are 107 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Loader.exe

Files

Processes

URLs

Domains

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportLoader.exe

Files

Processes

URLs

Domains

Memdumps

IOC Report
Loader.exe