Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

31-o_Installer.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.939901542426743
Filename:	31-o_Installer.exe
Filesize:	249344
MD5:	5913d1b0d2fa0204e9e063467d000c3a
SHA1:	50b4b4929edb21c17c49c40ac2a4050bd8f93768
SHA256:	3192aea6cf0c450948b2006ca0ef28dcaf06aa4c9730ef8dc8199975064cdf72
SHA512:	73a64c4bb61105b8363d6848c9132e2cf0a7ab131417b1190577c256a2d97277fbde0e2d2bb6990cb3e8dac786da7bb7928093cb2b465be9120495dbf0d4e2a8
SSDEEP:	3072:ouWmO3uTwghfpRBCa5XrD5sxTQ1mb7QNaV4ZQeAnuTCt2xbzmyoaq6rcYsc8kOee:ouW4TwSR57aTQkQN4njZ2x0p
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.q>...m...m...mj..m...mj..m...m...m...m...m_..mj..m1..mj..m...mj..m...mRich...m........PE..L......f.................v...T.....

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
Machine Learning detection for sample	AV Detection
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Sample uses string decryption to hide its real strings	AV Detection
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Abnormal high CPU Usage	System Summary	System Time Discovery
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Security Software Discovery
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Detected potential crypto function	System Summary	Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Archive Collected Data
Checks the free space of harddrives	Malware Analysis System Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\Public\Downloads\ind.cod

data

dropped

Details

File:	C:\Users\Public\Downloads\ind.cod
Category:	dropped
Dump:	ind.cod.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\31-o_Installer.exe
Type:	data
Entropy:	7.605549717634749
Encrypted:	false
Ssdeep:	1536:7rOXXfr0QSEEQrLQDcbAbmYcOM6eKXBwLsy1ETqfvu+P4Rtsj5o:WfwQPEQPJbAbmYrMRKXBwLs/
Size:	71938
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\31[1].ccp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\31[1].ccp
Category:	dropped
Dump:	31[1].ccp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\31-o_Installer.exe
Type:	data
Entropy:	7.605549717634749
Encrypted:	false
Ssdeep:	1536:7rOXXfr0QSEEQrLQDcbAbmYcOM6eKXBwLsy1ETqfvu+P4Rtsj5o:WfwQPEQPJbAbmYrMRKXBwLs/
Size:	71938
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\31-o_Installer.exe

"C:\Users\user\Desktop\31-o_Installer.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6672
Target ID:	0
Parent PID:	4004
Name:	31-o_Installer.exe
Path:	C:\Users\user\Desktop\31-o_Installer.exe
Commandline:	"C:\Users\user\Desktop\31-o_Installer.exe"
Size:	249344
MD5:	5913D1B0D2FA0204E9E063467D000C3A
Time:	13:20:57
Date:	02/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x260000
Modulesize:	270336
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

URLs

Name

Malicious

156.238.235.31

Details

Name:	156.238.235.31
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\31-o_Installer.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

http://guanlix.cn:881/31.ccp

91.208.240.157

Details

Name:	http://guanlix.cn:881/31.ccp
IP:	91.208.240.157
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\31-o_Installer.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Domains

Name

Malicious

guanlix.cn

91.208.240.157

Details

Name:	guanlix.cn
IP:	91.208.240.157
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

156.238.235.31

unknown

Seychelles

Details

IP:	156.238.235.31
TargetID:	0
Current Path:	C:\Users\user\Desktop\31-o_Installer.exe
Country:	Seychelles
Countrycode:	SYC
ASN number:	394281
ASN name:	XHOSTSERVERUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

91.208.240.157

guanlix.cn

unknown

Details

IP:	91.208.240.157
TargetID:	0
Current Path:	C:\Users\user\Desktop\31-o_Installer.exe
ASN number:	139659
ASN name:	LUCID-AS-APLUCIDACLOUDLIMITEDHK
Private:	false
Domain:	guanlix.cn

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Memdumps

Base Address

Regiontype

Protect

Malicious

3131000

trusted library allocation

page read and write

5320000

trusted library section

page read and write

53E0000

trusted library allocation

page read and write

5860000

trusted library allocation

page read and write

624E000

stack

page read and write

5960000

trusted library allocation

page read and write

291E000

stack

page read and write

5370000

trusted library allocation

page read and write

A2E000

stack

page read and write

260000

unkown

page readonly

B97000

heap

page read and write

2E60000

direct allocation

page execute and read and write

5860000

trusted library allocation

page read and write

2F9C000

stack

page read and write

2A1F000

stack

page read and write

5960000

trusted library allocation

page read and write

62A0000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

6B3000

heap

page read and write

53F0000

heap

page read and write

5960000

trusted library allocation

page read and write

5966000

trusted library allocation

page read and write

5360000

trusted library allocation

page read and write

2F2E000

stack

page read and write

5960000

trusted library allocation

page read and write

5360000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

6110000

trusted library allocation

page read and write

6285000

trusted library allocation

page read and write

630000

heap

page read and write

5350000

trusted library allocation

page read and write

14C000

stack

page read and write

67B000

heap

page read and write

5960000

trusted library allocation

page read and write

5360000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5861000

trusted library allocation

page read and write

5330000

trusted library allocation

page execute and read and write

5860000

trusted library allocation

page read and write

261000

unkown

page execute read

62A0000

trusted library allocation

page read and write

539E000

stack

page read and write

3110000

trusted library allocation

page read and write

3120000

heap

page execute and read and write

5860000

trusted library allocation

page read and write

2EBD000

trusted library allocation

page execute and read and write

5960000

trusted library allocation

page read and write

5360000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

2F50000

heap

page read and write

5960000

trusted library allocation

page read and write

2FC7000

heap

page read and write

86E000

stack

page read and write

69F000

heap

page read and write

5970000

trusted library allocation

page read and write

30CE000

stack

page read and write

310E000

stack

page read and write

5960000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

595E000

stack

page read and write

5410000

heap

page execute and read and write

28BE000

stack

page read and write

7F3D0000

trusted library allocation

page execute and read and write

6A9000

heap

page read and write

2EE7000

trusted library allocation

page execute and read and write

2B9E000

stack

page read and write

5961000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

B90000

heap

page read and write

5970000

trusted library allocation

page read and write

5860000

trusted library allocation

page read and write

665000

heap

page read and write

5970000

trusted library allocation

page read and write

8AC000

stack

page read and write

5850000

trusted library allocation

page read and write

62C0000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

2FC0000

heap

page read and write

5970000

trusted library allocation

page read and write

62B0000

trusted library allocation

page read and write

614C000

stack

page read and write

2E90000

trusted library section

page read and write

56B9000

stack

page read and write

5970000

trusted library allocation

page read and write

5138000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

2F0000

heap

page read and write

5970000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

27F000

unkown

page read and write

261000

unkown

page execute read

5C4C000

stack

page read and write

6D9000

heap

page read and write

5850000

trusted library allocation

page read and write

9AD000

stack

page read and write

5970000

trusted library allocation

page read and write

5360000

trusted library allocation

page read and write

2F40000

trusted library allocation

page read and write

53E0000

trusted library allocation

page read and write

5360000

trusted library allocation

page read and write

5360000

trusted library allocation

page read and write

53E0000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

62B0000

trusted library allocation

page read and write

279000

unkown

page readonly

5970000

trusted library allocation

page read and write

53E0000

trusted library allocation

page read and write

2FBC000

trusted library allocation

page execute and read and write

53E0000

trusted library allocation

page read and write

27F000

unkown

page write copy

5970000

trusted library allocation

page read and write

6B5000

heap

page read and write

2CB0000

heap

page read and write

5E8D000

stack

page read and write

283000

unkown

page readonly

2F5000

heap

page read and write

5960000

trusted library allocation

page read and write

5360000

trusted library allocation

page read and write

2EB0000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

2EB4000

trusted library allocation

page read and write

5969000

trusted library allocation

page read and write

2FA0000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5860000

trusted library allocation

page read and write

76E000

stack

page read and write

62D0000

trusted library allocation

page read and write

6CD000

heap

page read and write

4135000

trusted library allocation

page read and write

5850000

trusted library allocation

page read and write

55BD000

stack

page read and write

5960000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

3F0000

heap

page read and write

5960000

trusted library allocation

page read and write

6254000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5860000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

2EEB000

trusted library allocation

page execute and read and write

5960000

trusted library allocation

page read and write

53E0000

trusted library allocation

page read and write

591E000

stack

page read and write

53E0000

trusted library allocation

page read and write

72C000

heap

page read and write

62B0000

trusted library allocation

page read and write

2FB9000

trusted library allocation

page execute and read and write

5860000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

2F30000

trusted library allocation

page execute and read and write

53E0000

trusted library allocation

page read and write

2FB3000

trusted library allocation

page read and write

56C0000

heap

page read and write

5970000

trusted library allocation

page read and write

53E0000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

5860000

trusted library allocation

page read and write

5850000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

B2F000

stack

page read and write

5960000

trusted library allocation

page read and write

9D0000

heap

page read and write

5960000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

2FB0000

trusted library allocation

page read and write

5860000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

310000

heap

page read and write

5360000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

5850000

trusted library allocation

page read and write

5850000

trusted library allocation

page read and write

5860000

trusted library allocation

page read and write

5860000

trusted library allocation

page read and write

2E80000

trusted library section

page read and write

5360000

trusted library allocation

page read and write

B30000

heap

page read and write

5360000

trusted library allocation

page read and write

260000

unkown

page readonly

2EE0000

trusted library allocation

page read and write

6291000

trusted library allocation

page read and write

600000

direct allocation

page read and write

5960000

trusted library allocation

page read and write

5370000

trusted library allocation

page read and write

B7E000

stack

page read and write

2C9E000

stack

page read and write

62B5000

trusted library allocation

page read and write

5370000

trusted library allocation

page read and write

5340000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

5ACE000

stack

page read and write

5960000

trusted library allocation

page read and write

52CD000

stack

page read and write

5970000

trusted library allocation

page read and write

53E0000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

413C000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

5860000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

53DC000

stack

page read and write

6D7000

heap

page read and write

5970000

trusted library allocation

page read and write

2A5E000

stack

page read and write

53E0000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

5370000

trusted library allocation

page read and write

2FB6000

trusted library allocation

page execute and read and write

2EB3000

trusted library allocation

page execute and read and write

5850000

trusted library allocation

page read and write

5860000

trusted library allocation

page read and write

53E0000

trusted library allocation

page read and write

4131000

trusted library allocation

page read and write

5360000

trusted library allocation

page read and write

28D0000

trusted library allocation

page read and write

283000

unkown

page readonly

5970000

trusted library allocation

page read and write

5D8C000

stack

page read and write

684000

heap

page read and write

2B5D000

stack

page read and write

5360000

trusted library allocation

page read and write

53E0000

trusted library allocation

page read and write

5D4D000

stack

page read and write

2EA0000

trusted library allocation

page read and write

63E000

heap

page read and write

279000

unkown

page readonly

6110000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

6250000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

62B0000

trusted library allocation

page read and write

7F3E8000

trusted library allocation

page execute and read and write

27BE000

stack

page read and write

5960000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5860000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

248000

stack

page read and write

62B0000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

62A0000

trusted library allocation

page execute and read and write

5970000

trusted library allocation

page read and write

56E5000

heap

page read and write

277E000

stack

page read and write

53E0000

trusted library allocation

page read and write

5850000

trusted library allocation

page read and write

5350000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

530E000

stack

page read and write

53E0000

trusted library allocation

page read and write

63A000

heap

page read and write

5360000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

5980000

heap

page read and write

5971000

trusted library allocation

page read and write

5360000

trusted library allocation

page read and write

5960000

trusted library allocation

page read and write

58DD000

stack

page read and write

There are 274 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
31-o_Installer.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report31-o_Installer.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
31-o_Installer.exe