Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

31__Installer.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.938021095236715
Filename:	31__Installer.exe
Filesize:	249344
MD5:	cc1bb6a11aa1706bcbc42f04d1b1d865
SHA1:	b4555a73799aa255c431c227db3958e6286d6977
SHA256:	96d3ad9b885e0a57a37a84582d6a681f98d5e71b11e952082a7b610026198b00
SHA512:	13bd5158d2dbb7a6f621a4d36be93e897eee5cad20fbe8a6b16e45ae0d40f8051d697a3ea1d14510c2e4aad69160a74d83144838a4216dc814946d5c540acdbc
SSDEEP:	3072:JPl4G474Poo9JkbXjEU+QVUjsbC8g2SbAe4ZQeAnuTCt2xbzmyoaq6rcYsc8kOeu:JPW745r2XgUsjsbIZnjZ2x4
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.q>...m...m...mj..m...mj..m...m...m...m...m_..mj..m1..mj..m...mj..m...mRich...m........PE..L....b.f.................v...T.....

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation	Software Packing
.NET source code contains potential unpacker	Data Obfuscation
Machine Learning detection for sample	AV Detection
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Sample uses string decryption to hide its real strings	AV Detection	Security Software Discovery
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Abnormal high CPU Usage	System Summary	System Time Discovery
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Security Software Discovery
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation Security Software Discovery
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the PEB	Anti Debugging	Security Software Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Security Software Discovery
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion	Security Software Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Security Software Discovery
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Security Software Discovery
Checks the free space of harddrives	Malware Analysis System Evasion
Contains functionality to download additional files from the internet	Networking
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Security Software Discovery Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery

C:\Users\Public\Downloads\ind.jpg

data

dropped

Details

File:	C:\Users\Public\Downloads\ind.jpg
Category:	dropped
Dump:	ind.jpg.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\31__Installer.exe
Type:	data
Entropy:	7.605549717634749
Encrypted:	false
Ssdeep:	1536:7rOXXfr0QSEEQrLQDcbAbmYcOM6eKXBwLsy1ETqfvu+P4Rtsj5o:WfwQPEQPJbAbmYrMRKXBwLs/
Size:	71938
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\31[1].ccp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\31[1].ccp
Category:	dropped
Dump:	31[1].ccp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\31__Installer.exe
Type:	data
Entropy:	7.605549717634749
Encrypted:	false
Ssdeep:	1536:7rOXXfr0QSEEQrLQDcbAbmYcOM6eKXBwLsy1ETqfvu+P4Rtsj5o:WfwQPEQPJbAbmYrMRKXBwLs/
Size:	71938
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\31__Installer.exe

"C:\Users\user\Desktop\31__Installer.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7148
Target ID:	0
Parent PID:	4084
Name:	31__Installer.exe
Path:	C:\Users\user\Desktop\31__Installer.exe
Commandline:	"C:\Users\user\Desktop\31__Installer.exe"
Size:	249344
MD5:	CC1BB6A11AA1706BCBC42F04D1B1D865
Time:	13:22:57
Date:	02/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x3e0000
Modulesize:	270336
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

URLs

Name

Malicious

156.238.235.31

Details

Name:	156.238.235.31
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\31__Installer.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

http://guanlix.cn:881/31.ccp

91.208.240.157

Details

Name:	http://guanlix.cn:881/31.ccp
IP:	91.208.240.157
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\31__Installer.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://guanlix.cn:881/31.ccpG

unknown

Details

Name:	http://guanlix.cn:881/31.ccpG
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\31__Installer.exe
Source:	31__Installer.exe, 00000000.00000003.1678316988.000000000097E000.00000004.00000020.00020000.00000000.sdmp, 31__Installer.exe, 00000000.00000002.3816556651.000000000097E000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

56.126.166.20.in-addr.arpa

unknown

guanlix.cn

91.208.240.157

Details

Name:	guanlix.cn
IP:	91.208.240.157
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

156.238.235.31

unknown

Seychelles

Details

IP:	156.238.235.31
TargetID:	0
Current Path:	C:\Users\user\Desktop\31__Installer.exe
Country:	Seychelles
Countrycode:	SYC
ASN number:	394281
ASN name:	XHOSTSERVERUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

91.208.240.157

guanlix.cn

unknown

Details

IP:	91.208.240.157
TargetID:	0
Current Path:	C:\Users\user\Desktop\31__Installer.exe
ASN number:	139659
ASN name:	LUCID-AS-APLUCIDACLOUDLIMITEDHK
Private:	false
Domain:	guanlix.cn

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Memdumps

Base Address

Regiontype

Protect

Malicious

31E1000

trusted library allocation

page read and write

5450000

trusted library section

page read and write

41E5000

trusted library allocation

page read and write

5CE000

stack

page read and write

5570000

trusted library allocation

page read and write

3FF000

unkown

page write copy

5570000

trusted library allocation

page read and write

318E000

stack

page read and write

2F90000

direct allocation

page execute and read and write

41EC000

trusted library allocation

page read and write

3585000

trusted library allocation

page read and write

53FF000

stack

page read and write

930000

heap

page read and write

5580000

trusted library allocation

page read and write

A10000

heap

page read and write

5580000

trusted library allocation

page read and write

7FAA0000

trusted library allocation

page execute and read and write

7FAB8000

trusted library allocation

page execute and read and write

5570000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

A10000

heap

page read and write

99A000

heap

page read and write

5570000

trusted library allocation

page read and write

A28000

heap

page read and write

5570000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

5581000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

5490000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

90E000

stack

page read and write

5847000

heap

page read and write

5460000

trusted library allocation

page execute and read and write

99E000

heap

page read and write

5480000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

54D0000

trusted library allocation

page read and write

5540000

heap

page read and write

54E0000

heap

page execute and read and write

5580000

trusted library allocation

page read and write

CDE000

stack

page read and write

5560000

trusted library allocation

page read and write

3F9000

unkown

page readonly

5570000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

5490000

trusted library allocation

page read and write

2CCF000

stack

page read and write

3E0000

unkown

page readonly

5570000

trusted library allocation

page read and write

5423000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

2FC0000

trusted library section

page read and write

5D0000

direct allocation

page read and write

3017000

trusted library allocation

page execute and read and write

5570000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

580000

heap

page read and write

31D0000

heap

page read and write

5580000

trusted library allocation

page read and write

5490000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

3010000

trusted library allocation

page read and write

D1E000

stack

page read and write

5490000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

54A0000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

3020000

heap

page execute and read and write

5859000

heap

page read and write

5580000

trusted library allocation

page read and write

93E000

heap

page read and write

2FE3000

trusted library allocation

page execute and read and write

5570000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

5E5000

heap

page read and write

5FED000

stack

page read and write

54D0000

trusted library allocation

page read and write

5AC0000

trusted library allocation

page execute and read and write

5570000

trusted library allocation

page read and write

5576000

trusted library allocation

page read and write

62AC000

stack

page read and write

5570000

trusted library allocation

page read and write

5490000

trusted library allocation

page read and write

9C9000

heap

page read and write

5490000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

54D0000

trusted library allocation

page read and write

93A000

heap

page read and write

97E000

heap

page read and write

9A6000

heap

page read and write

5571000

trusted library allocation

page read and write

5429000

trusted library allocation

page execute and read and write

5580000

trusted library allocation

page read and write

3E0000

unkown

page readonly

9BC000

heap

page read and write

96C000

heap

page read and write

5570000

trusted library allocation

page read and write

5843000

heap

page read and write

5570000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

2FE0000

trusted library allocation

page read and write

5AD0000

trusted library allocation

page read and write

5490000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

54D0000

trusted library allocation

page read and write

3030000

trusted library allocation

page execute and read and write

5570000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

54D0000

trusted library allocation

page read and write

C40000

heap

page read and write

54D0000

trusted library allocation

page read and write

3F9000

unkown

page readonly

5570000

trusted library allocation

page read and write

DE0000

heap

page read and write

97E000

heap

page read and write

5EEC000

stack

page read and write

5570000

trusted library allocation

page read and write

584B000

heap

page read and write

3E1000

unkown

page execute read

5426000

trusted library allocation

page execute and read and write

5570000

trusted library allocation

page read and write

2ACF000

stack

page read and write

5830000

heap

page read and write

A1E000

heap

page read and write

D40000

trusted library allocation

page read and write

5490000

trusted library allocation

page read and write

308E000

stack

page read and write

5560000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

54D0000

trusted library allocation

page read and write

5AD0000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

5AC0000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

5E0000

heap

page read and write

542C000

trusted library allocation

page execute and read and write

54D0000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

9C6000

heap

page read and write

5AB0000

trusted library allocation

page read and write

5490000

trusted library allocation

page read and write

5AD5000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

5835000

heap

page read and write

5560000

trusted library allocation

page read and write

54D0000

trusted library allocation

page read and write

54D0000

trusted library allocation

page read and write

54A0000

trusted library allocation

page read and write

31CC000

stack

page read and write

63F0000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

5845000

heap

page read and write

602C000

stack

page read and write

5570000

trusted library allocation

page read and write

5854000

heap

page read and write

95E000

heap

page read and write

964000

heap

page read and write

2FE4000

trusted library allocation

page read and write

9A6000

heap

page read and write

5430000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

5AD0000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

5A6F000

stack

page read and write

5470000

trusted library allocation

page read and write

C9E000

stack

page read and write

9BC000

heap

page read and write

5410000

trusted library allocation

page read and write

63AD000

stack

page read and write

5490000

trusted library allocation

page read and write

63E5000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

54CE000

stack

page read and write

54A0000

trusted library allocation

page read and write

5490000

trusted library allocation

page read and write

63C0000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

3217000

trusted library allocation

page read and write

5AB0000

trusted library allocation

page read and write

5579000

trusted library allocation

page read and write

5AD0000

trusted library allocation

page read and write

5A2E000

stack

page read and write

5570000

trusted library allocation

page read and write

552C000

stack

page read and write

301B000

trusted library allocation

page execute and read and write

5490000

trusted library allocation

page read and write

2BCE000

stack

page read and write

6400000

trusted library allocation

page read and write

5490000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

5847000

heap

page read and write

5580000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

A10000

heap

page read and write

5570000

trusted library allocation

page read and write

5560000

trusted library allocation

page read and write

51E8000

trusted library allocation

page read and write

A17000

heap

page read and write

5580000

trusted library allocation

page read and write

5AAE000

stack

page read and write

53BE000

stack

page read and write

54D0000

trusted library allocation

page read and write

DAE000

stack

page read and write

584C000

heap

page read and write

3E1000

unkown

page execute read

41E1000

trusted library allocation

page read and write

2FED000

trusted library allocation

page execute and read and write

A27000

heap

page read and write

583E000

heap

page read and write

5560000

trusted library allocation

page read and write

5490000

trusted library allocation

page read and write

570000

heap

page read and write

9A4000

heap

page read and write

5570000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

963000

heap

page read and write

5570000

trusted library allocation

page read and write

5AD0000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

3FF000

unkown

page read and write

99A000

heap

page read and write

5580000

trusted library allocation

page read and write

3040000

heap

page read and write

612E000

stack

page read and write

5570000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

3BC000

stack

page read and write

5480000

trusted library allocation

page read and write

2FB0000

trusted library section

page read and write

2FD0000

trusted library allocation

page read and write

54D0000

trusted library allocation

page read and write

B2D000

stack

page read and write

5570000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

9BC000

heap

page read and write

5580000

trusted library allocation

page read and write

5EAD000

stack

page read and write

5570000

trusted library allocation

page read and write

29CF000

stack

page read and write

54D0000

trusted library allocation

page read and write

A1C000

heap

page read and write

5828000

stack

page read and write

5570000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

403000

unkown

page readonly

5580000

trusted library allocation

page read and write

63B4000

trusted library allocation

page read and write

537E000

stack

page read and write

5570000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

5DAC000

stack

page read and write

9A6000

heap

page read and write

9C6000

heap

page read and write

5580000

trusted library allocation

page read and write

5571000

trusted library allocation

page read and write

5560000

trusted library allocation

page read and write

5AB0000

trusted library allocation

page read and write

5490000

trusted library allocation

page read and write

5400000

trusted library allocation

page read and write

5420000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

3047000

heap

page read and write

5570000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

5AD0000

heap

page read and write

5560000

trusted library allocation

page read and write

5570000

trusted library allocation

page read and write

5580000

trusted library allocation

page read and write

528000

stack

page read and write

5C2F000

stack

page read and write

5560000

trusted library allocation

page read and write

54D0000

trusted library allocation

page read and write

5AB1000

trusted library allocation

page read and write

9C9000

heap

page read and write

5570000

trusted library allocation

page read and write

DE7000

heap

page read and write

54D0000

trusted library allocation

page read and write

54A0000

trusted library allocation

page read and write

D60000

heap

page read and write

5570000

trusted library allocation

page read and write

5AE0000

heap

page read and write

403000

unkown

page readonly

96C000

heap

page read and write

572D000

stack

page read and write

9C9000

heap

page read and write

5570000

trusted library allocation

page read and write

5AC0000

trusted library allocation

page read and write

C2E000

stack

page read and write

There are 302 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
31__Installer.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report31__Installer.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
31__Installer.exe