Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

103-o_Installer.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.939939761503241
Filename:	103-o_Installer.exe
Filesize:	249344
MD5:	dc4b9be7a5645d5c7fd18a4ac175830c
SHA1:	3b2a0dc310a1af35629fca61ae1ccc530b8c9a30
SHA256:	233e15fe06e10eb85efdd62345a90c62d43d30f2d01122d79fbc5299c25f3d81
SHA512:	aca2108ae93ff5be7c9196d6b92101c8bd83d48302847f69ed785fce146098e7753e62c14efa9c4b50122130e46bb8aacb283ea4cd0f4ba8491a2aa7a0a518da
SSDEEP:	3072:3uWmO3uTwghfpRBCa5XrD5sxTQ1wb7QNaV4ZQeAnuTCt2xbzmyoaq6rcYsc8kOee:3uW4TwSR57aTQCQN4njZ2x0p
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.q>...m...m...mj..m...mj..m...m...m...m...m_..mj..m1..mj..m...mj..m...mRich...m........PE..L...o..f.................v...T.....

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation	Software Packing
.NET source code contains potential unpacker	Data Obfuscation
Machine Learning detection for sample	AV Detection
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Sample uses string decryption to hide its real strings	AV Detection
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Abnormal high CPU Usage	System Summary	System Time Discovery
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Checks the free space of harddrives	Malware Analysis System Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\Public\Downloads\ind.cod

data

dropped

Details

File:	C:\Users\Public\Downloads\ind.cod
Category:	dropped
Dump:	ind.cod.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\103-o_Installer.exe
Type:	data
Entropy:	7.604678512981776
Encrypted:	false
Ssdeep:	1536:+Sjk79gZOcfNdQdX5kDjfjx1rwa7F0vGmM6eKXBwLsy1ETqfvu+P4Rtsj5o:S5gblOdX50jxJZJmMRKXBwLs/
Size:	71938
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\103[1].ccp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\103[1].ccp
Category:	dropped
Dump:	103[1].ccp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\103-o_Installer.exe
Type:	data
Entropy:	7.604678512981776
Encrypted:	false
Ssdeep:	1536:+Sjk79gZOcfNdQdX5kDjfjx1rwa7F0vGmM6eKXBwLsy1ETqfvu+P4Rtsj5o:S5gblOdX50jxJZJmMRKXBwLs/
Size:	71938
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\103-o_Installer.exe

"C:\Users\user\Desktop\103-o_Installer.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5508
Target ID:	0
Parent PID:	4056
Name:	103-o_Installer.exe
Path:	C:\Users\user\Desktop\103-o_Installer.exe
Commandline:	"C:\Users\user\Desktop\103-o_Installer.exe"
Size:	249344
MD5:	DC4B9BE7A5645D5C7FD18A4AC175830C
Time:	13:21:05
Date:	02/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x3a0000
Modulesize:	270336
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

URLs

Name

Malicious

59.56.110.103

Details

Name:	59.56.110.103
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\103-o_Installer.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

http://guanlix.cn:881/103.ccp

91.208.240.157

Details

Name:	http://guanlix.cn:881/103.ccp
IP:	91.208.240.157
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\103-o_Installer.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
URLs found in memory or binary data	Networking

http://guanlix.cn:881/103.ccph

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Domains

Name

Malicious

guanlix.cn

91.208.240.157

Details

Name:	guanlix.cn
IP:	91.208.240.157
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

59.56.110.103

unknown

China

Details

IP:	59.56.110.103
TargetID:	0
Current Path:	C:\Users\user\Desktop\103-o_Installer.exe
Country:	China
Countrycode:	CHN
ASN number:	133774
ASN name:	CHINATELECOM-FUJIAN-FUZHOU-IDC1FuzhouCN
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

91.208.240.157

guanlix.cn

unknown

Details

IP:	91.208.240.157
TargetID:	0
Current Path:	C:\Users\user\Desktop\103-o_Installer.exe
ASN number:	139659
ASN name:	LUCID-AS-APLUCIDACLOUDLIMITEDHK
Private:	false
Domain:	guanlix.cn

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Memdumps

Base Address

Regiontype

Protect

Malicious

3141000

trusted library allocation

page read and write

5390000

trusted library section

page read and write

53E0000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

3C3000

unkown

page readonly

955000

heap

page read and write

6EE0D000

unkown

page read and write

6170000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

5727000

heap

page read and write

2F00000

trusted library section

page read and write

5450000

trusted library allocation

page read and write

5450000

trusted library allocation

page read and write

53D0000

trusted library allocation

page read and write

6320000

trusted library allocation

page read and write

5148000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

5450000

trusted library allocation

page read and write

8D0000

trusted library allocation

page read and write

3C3000

unkown

page readonly

53E0000

trusted library allocation

page read and write

37C000

stack

page read and write

750000

heap

page read and write

6170000

trusted library allocation

page read and write

2F60000

trusted library allocation

page read and write

5500000

heap

page execute and read and write

58E0000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

5EE0000

trusted library allocation

page read and write

5450000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

3A0000

unkown

page readonly

3B9000

unkown

page readonly

28BE000

stack

page read and write

6160000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

6330000

trusted library allocation

page read and write

320000

heap

page read and write

3020000

trusted library allocation

page read and write

5450000

trusted library allocation

page read and write

5840000

heap

page read and write

2F70000

heap

page execute and read and write

58E0000

trusted library allocation

page read and write

58E0000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

6320000

trusted library allocation

page read and write

5A9F000

stack

page read and write

6160000

trusted library allocation

page read and write

BD7000

heap

page read and write

6320000

heap

page read and write

98A000

heap

page read and write

BAE000

stack

page read and write

560D000

stack

page read and write

6160000

trusted library allocation

page read and write

3030000

heap

page read and write

6160000

trusted library allocation

page read and write

B2E000

stack

page read and write

987000

heap

page read and write

5450000

trusted library allocation

page read and write

3010000

trusted library allocation

page read and write

5450000

trusted library allocation

page read and write

62B0000

trusted library allocation

page read and write

3A1000

unkown

page execute read

6160000

trusted library allocation

page read and write

8FE000

heap

page read and write

6160000

trusted library allocation

page read and write

58D0000

trusted library allocation

page read and write

58D0000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

531E000

stack

page read and write

6160000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

5724000

heap

page read and write

58D0000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

3A0000

unkown

page readonly

53D0000

trusted library allocation

page read and write

58E0000

trusted library allocation

page read and write

2F24000

trusted library allocation

page read and write

9EE000

heap

page read and write

58E0000

trusted library allocation

page read and write

5450000

trusted library allocation

page read and write

573B000

heap

page read and write

6160000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

6340000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

4141000

trusted library allocation

page read and write

53A0000

trusted library allocation

page execute and read and write

954000

heap

page read and write

53D0000

trusted library allocation

page read and write

313F000

stack

page read and write

414C000

trusted library allocation

page read and write

6EE06000

unkown

page readonly

58E0000

trusted library allocation

page read and write

380000

direct allocation

page read and write

3A1000

unkown

page execute read

5450000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

5A1D000

stack

page read and write

58E0000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

6169000

trusted library allocation

page read and write

573E000

heap

page read and write

34FA000

trusted library allocation

page read and write

5369000

trusted library allocation

page execute and read and write

6160000

trusted library allocation

page read and write

5360000

trusted library allocation

page read and write

5363000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

58D0000

trusted library allocation

page read and write

3B9000

unkown

page readonly

2F23000

trusted library allocation

page execute and read and write

6160000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

6180000

trusted library allocation

page read and write

53C0000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

53D0000

trusted library allocation

page read and write

61AC000

stack

page read and write

6170000

trusted library allocation

page read and write

330000

heap

page read and write

5370000

trusted library allocation

page read and write

2B7000

stack

page read and write

5450000

trusted library allocation

page read and write

5B1E000

stack

page read and write

6170000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

5721000

heap

page read and write

959000

heap

page read and write

6166000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

53D0000

trusted library allocation

page read and write

5450000

trusted library allocation

page read and write

9D9000

heap

page read and write

2F50000

heap

page read and write

6160000

trusted library allocation

page read and write

53D0000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

62C0000

trusted library allocation

page read and write

7FCA0000

trusted library allocation

page execute and read and write

5733000

heap

page read and write

6170000

trusted library allocation

page read and write

53B0000

trusted library allocation

page read and write

6171000

trusted library allocation

page read and write

8FA000

heap

page read and write

5C9C000

stack

page read and write

AEE000

stack

page read and write

535F000

stack

page read and write

9E0000

heap

page read and write

6160000

trusted library allocation

page read and write

6310000

trusted library allocation

page execute and read and write

2EF0000

trusted library section

page read and write

6EE0F000

unkown

page readonly

9D6000

heap

page read and write

53D0000

trusted library allocation

page read and write

6310000

trusted library allocation

page read and write

58E0000

trusted library allocation

page read and write

58E0000

trusted library allocation

page read and write

2ABF000

stack

page read and write

6170000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

53D0000

trusted library allocation

page read and write

5450000

trusted library allocation

page read and write

5737000

heap

page read and write

6160000

trusted library allocation

page read and write

6320000

trusted library allocation

page read and write

58E0000

trusted library allocation

page read and write

27BE000

stack

page read and write

9E0000

heap

page read and write

BD0000

heap

page read and write

5810000

heap

page read and write

536C000

trusted library allocation

page execute and read and write

6310000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

88D000

stack

page read and write

58D0000

trusted library allocation

page read and write

29BD000

stack

page read and write

B6E000

stack

page read and write

58D0000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

780000

heap

page read and write

62B4000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

62F0000

trusted library allocation

page read and write

2ED0000

direct allocation

page execute and read and write

97E000

heap

page read and write

2F2D000

trusted library allocation

page execute and read and write

53D0000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

5A5D000

stack

page read and write

6160000

trusted library allocation

page read and write

2F6B000

trusted library allocation

page execute and read and write

6325000

trusted library allocation

page read and write

52DE000

stack

page read and write

5ADE000

stack

page read and write

6160000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

6310000

trusted library allocation

page read and write

740000

heap

page read and write

591C000

stack

page read and write

6160000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

959000

heap

page read and write

8F0000

heap

page read and write

58D0000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

53D0000

trusted library allocation

page read and write

53D0000

trusted library allocation

page read and write

3BF000

unkown

page write copy

58E1000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

53C0000

trusted library allocation

page read and write

5450000

trusted library allocation

page read and write

53E0000

trusted library allocation

page read and write

6310000

trusted library allocation

page read and write

785000

heap

page read and write

6170000

trusted library allocation

page read and write

6300000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

58D0000

trusted library allocation

page read and write

5366000

trusted library allocation

page execute and read and write

1BC000

stack

page read and write

70E000

stack

page read and write

2FBE000

stack

page read and write

962000

heap

page read and write

58E0000

trusted library allocation

page read and write

6161000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

6EDF0000

unkown

page readonly

544C000

stack

page read and write

6160000

trusted library allocation

page read and write

62E5000

trusted library allocation

page read and write

5709000

stack

page read and write

6160000

trusted library allocation

page read and write

2F57000

heap

page read and write

5D9D000

stack

page read and write

6170000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

53D0000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

53E0000

trusted library allocation

page read and write

3000000

trusted library allocation

page execute and read and write

6160000

trusted library allocation

page read and write

58E0000

trusted library allocation

page read and write

6180000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

540E000

stack

page read and write

58E0000

trusted library allocation

page read and write

2F10000

trusted library allocation

page read and write

3BF000

unkown

page read and write

58E0000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

5450000

trusted library allocation

page read and write

58E0000

trusted library allocation

page read and write

5736000

heap

page read and write

2FFC000

stack

page read and write

7FCB8000

trusted library allocation

page execute and read and write

9ED000

heap

page read and write

4145000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

8CE000

stack

page read and write

6EDF1000

unkown

page execute read

987000

heap

page read and write

53D0000

trusted library allocation

page read and write

93C000

heap

page read and write

6170000

trusted library allocation

page read and write

53D0000

trusted library allocation

page read and write

62B0000

trusted library allocation

page read and write

2F20000

trusted library allocation

page read and write

5450000

trusted library allocation

page read and write

62AD000

stack

page read and write

5710000

heap

page read and write

2F67000

trusted library allocation

page execute and read and write

58DE000

trusted library allocation

page read and write

98A000

heap

page read and write

53D0000

trusted library allocation

page read and write

97E000

heap

page read and write

6160000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

There are 291 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
103-o_Installer.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report103-o_Installer.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
103-o_Installer.exe