Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

33__Installer.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.9386097015607895
Filename:	33__Installer.exe
Filesize:	247808
MD5:	8182ed62008e7526ae7e1f7d702fbcb6
SHA1:	3a3808eefd17f32bc074c739586b6b36c0a06c15
SHA256:	a862efea745fd2c39b097d2e1e1d6961ba4d6f8e5c2823d345c5035b95d44f69
SHA512:	913e79b2613236be7e805dd2c22aceef5fbe9cf408534968aa4ae8dc939dc3eb8a9ee7ba9eb8369d3fed97e6313d0e1183849f9ab7bb84f0e9529064a2b6731b
SSDEEP:	3072:jSg5JZaegxuSS7JY459BaybX1xirH7sO4ZQeAnuTCt2xbzmyoaq6rcYsc8kOeAVS:jt5JPgxcqAKcXWrbNnjZ2x
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{b..{b..{b......ob....<..b..r...\|b..{b..!b....=.Ob......zb......zb..Rich{b..........PE..L....d.f.................v...N.....

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
Machine Learning detection for sample	AV Detection
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Sample uses string decryption to hide its real strings	AV Detection
Abnormal high CPU Usage	System Summary	System Time Discovery
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Checks the free space of harddrives	Malware Analysis System Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\Public\Downloads\ind.jpg

data

dropped

Details

File:	C:\Users\Public\Downloads\ind.jpg
Category:	dropped
Dump:	ind.jpg.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\33__Installer.exe
Type:	data
Entropy:	7.604676564541333
Encrypted:	false
Ssdeep:	1536:u7rl7/dDEWTG0KHvpLhkUsYywwI6aM6eKXBwLsy1ETqfvu+P4Rtsj5o:enTG0KBLfsYywwTaMRKXBwLs/
Size:	71938
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\330[1].ccp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\330[1].ccp
Category:	dropped
Dump:	330[1].ccp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\33__Installer.exe
Type:	data
Entropy:	7.604676564541333
Encrypted:	false
Ssdeep:	1536:u7rl7/dDEWTG0KHvpLhkUsYywwI6aM6eKXBwLsy1ETqfvu+P4Rtsj5o:enTG0KBLfsYywwTaMRKXBwLs/
Size:	71938
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\33__Installer.exe

"C:\Users\user\Desktop\33__Installer.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6556
Target ID:	0
Parent PID:	2580
Name:	33__Installer.exe
Path:	C:\Users\user\Desktop\33__Installer.exe
Commandline:	"C:\Users\user\Desktop\33__Installer.exe"
Size:	247808
MD5:	8182ED62008E7526AE7E1F7D702FBCB6
Time:	13:23:56
Date:	02/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc20000
Modulesize:	266240
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

URLs

Name

Malicious

117.41.184.33

Details

Name:	117.41.184.33
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\33__Installer.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://guanlix.cn:881/330.ccp

91.208.240.157

Details

Name:	http://guanlix.cn:881/330.ccp
IP:	91.208.240.157
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\33__Installer.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
URLs found in memory or binary data	Networking

http://guanlix.cn:881/330.ccp&(

unknown

Domains

Name

Malicious

guanlix.cn

91.208.240.157

Details

Name:	guanlix.cn
IP:	91.208.240.157
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

117.41.184.33

unknown

China

Details

IP:	117.41.184.33
TargetID:	0
Current Path:	C:\Users\user\Desktop\33__Installer.exe
Country:	China
Countrycode:	CHN
ASN number:	134238
ASN name:	CT-JIANGXI-IDCCHINANETJiangxprovinceIDCnetworkCN
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

91.208.240.157

guanlix.cn

unknown

Details

IP:	91.208.240.157
TargetID:	0
Current Path:	C:\Users\user\Desktop\33__Installer.exe
ASN number:	139659
ASN name:	LUCID-AS-APLUCIDACLOUDLIMITEDHK
Private:	false
Domain:	guanlix.cn

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Memdumps

Base Address

Regiontype

Protect

Malicious

4021000

trusted library allocation

page read and write

6160000

trusted library section

page read and write

6770000

trusted library allocation

page read and write

61DE000

stack

page read and write

196E000

stack

page read and write

6690000

trusted library allocation

page read and write

192E000

stack

page read and write

6770000

trusted library allocation

page read and write

147E000

heap

page read and write

6770000

trusted library allocation

page read and write

652F000

heap

page read and write

3E30000

trusted library allocation

page read and write

1840000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

694C000

stack

page read and write

6760000

trusted library allocation

page read and write

1810000

heap

page read and write

66A0000

trusted library allocation

page read and write

6690000

trusted library allocation

page read and write

153D000

heap

page read and write

6770000

trusted library allocation

page read and write

6F50000

trusted library allocation

page read and write

3F10000

heap

page execute and read and write

356F000

stack

page read and write

6770000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

3CF0000

trusted library allocation

page read and write

6220000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

66A0000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

6CD0000

heap

page read and write

640D000

stack

page read and write

366D000

stack

page read and write

66A0000

trusted library allocation

page read and write

3E10000

trusted library allocation

page read and write

61A0000

trusted library allocation

page read and write

1980000

heap

page read and write

6760000

trusted library allocation

page read and write

61A0000

trusted library allocation

page read and write

66A0000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

66A0000

trusted library allocation

page read and write

147A000

heap

page read and write

3E20000

trusted library allocation

page read and write

3CA0000

direct allocation

page execute and read and write

6770000

trusted library allocation

page read and write

C3E000

unkown

page read and write

61B0000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6766000

trusted library allocation

page read and write

654E000

heap

page read and write

3E3C000

trusted library allocation

page execute and read and write

61A0000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6220000

trusted library allocation

page read and write

61B0000

trusted library allocation

page read and write

6220000

trusted library allocation

page read and write

6780000

heap

page read and write

C20000

unkown

page readonly

14E7000

heap

page read and write

6535000

heap

page read and write

6770000

trusted library allocation

page read and write

6690000

trusted library allocation

page read and write

61A0000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

6190000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

3E36000

trusted library allocation

page execute and read and write

3CE0000

trusted library allocation

page read and write

3E58000

trusted library allocation

page read and write

18AE000

stack

page read and write

6770000

trusted library allocation

page read and write

3DAC000

stack

page read and write

6F64000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6260000

heap

page execute and read and write

3EF0000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

3D6E000

stack

page read and write

6760000

trusted library allocation

page read and write

611D000

stack

page read and write

3DC0000

trusted library allocation

page execute and read and write

61A0000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

66A0000

trusted library allocation

page read and write

1340000

heap

page read and write

61B0000

trusted library allocation

page read and write

61B0000

trusted library allocation

page read and write

150E000

heap

page read and write

6760000

trusted library allocation

page read and write

6220000

trusted library allocation

page read and write

671E000

stack

page read and write

6760000

trusted library allocation

page read and write

156A000

heap

page read and write

6760000

trusted library allocation

page read and write

6690000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6771000

trusted library allocation

page read and write

6220000

trusted library allocation

page read and write

6510000

heap

page read and write

66A1000

trusted library allocation

page read and write

66A0000

trusted library allocation

page read and write

6FC0000

trusted library allocation

page read and write

6180000

trusted library allocation

page read and write

7F140000

trusted library allocation

page execute and read and write

6760000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

61A0000

trusted library allocation

page read and write

6E10000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6533000

heap

page read and write

61A0000

trusted library allocation

page read and write

1860000

heap

page read and write

6E4C000

stack

page read and write

6760000

trusted library allocation

page read and write

669E000

trusted library allocation

page read and write

615E000

stack

page read and write

17ED000

stack

page read and write

6769000

trusted library allocation

page read and write

C20000

unkown

page readonly

61A0000

trusted library allocation

page read and write

6220000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

3CFD000

trusted library allocation

page execute and read and write

6760000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

401E000

stack

page read and write

66A0000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

3CD0000

trusted library section

page read and write

1540000

heap

page read and write

3D27000

trusted library allocation

page execute and read and write

C39000

unkown

page readonly

6760000

trusted library allocation

page read and write

5025000

trusted library allocation

page read and write

6BCC000

stack

page read and write

6A8C000

stack

page read and write

4496000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

14E2000

heap

page read and write

621C000

stack

page read and write

3E0E000

stack

page read and write

6760000

trusted library allocation

page read and write

61A0000

trusted library allocation

page read and write

7F158000

trusted library allocation

page execute and read and write

6FB0000

trusted library allocation

page read and write

6690000

trusted library allocation

page read and write

6E10000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

3E40000

heap

page read and write

6F4E000

stack

page read and write

6690000

trusted library allocation

page read and write

6770000

trusted library allocation

page execute and read and write

3D20000

trusted library allocation

page read and write

66A0000

trusted library allocation

page read and write

6220000

trusted library allocation

page read and write

1510000

heap

page read and write

6770000

trusted library allocation

page read and write

6690000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6230000

heap

page read and write

6770000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

502C000

trusted library allocation

page read and write

61A0000

trusted library allocation

page read and write

6220000

trusted library allocation

page read and write

1470000

heap

page read and write

6190000

trusted library allocation

page read and write

6FC0000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

66A0000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

16AE000

stack

page read and write

C21000

unkown

page execute read

14DA000

heap

page read and write

6770000

trusted library allocation

page read and write

C42000

unkown

page readonly

690F000

stack

page read and write

6770000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

1504000

heap

page read and write

6760000

trusted library allocation

page read and write

61A0000

trusted library allocation

page read and write

61A0000

trusted library allocation

page read and write

3DB7000

heap

page read and write

6770000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

376E000

stack

page read and write

6775000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6761000

trusted library allocation

page read and write

3CF3000

trusted library allocation

page execute and read and write

66A0000

trusted library allocation

page read and write

6509000

stack

page read and write

6170000

trusted library allocation

page execute and read and write

6220000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

1420000

heap

page read and write

66A0000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

3DB0000

heap

page read and write

1435000

heap

page read and write

C42000

unkown

page readonly

FDC000

stack

page read and write

6770000

trusted library allocation

page read and write

18EE000

stack

page read and write

61A0000

trusted library allocation

page read and write

C39000

unkown

page readonly

6770000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6220000

trusted library allocation

page read and write

14BE000

heap

page read and write

6770000

trusted library allocation

page read and write

6220000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

14E5000

heap

page read and write

66A0000

trusted library allocation

page read and write

6FD0000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

66A0000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6B8D000

stack

page read and write

6760000

trusted library allocation

page read and write

6CCD000

stack

page read and write

6A4D000

stack

page read and write

4554000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

C21000

unkown

page execute read

6770000

trusted library allocation

page read and write

6F50000

trusted library allocation

page read and write

61A0000

trusted library allocation

page read and write

1430000

heap

page read and write

6760000

trusted library allocation

page read and write

1440000

direct allocation

page read and write

3CF4000

trusted library allocation

page read and write

3E33000

trusted library allocation

page read and write

6F95000

trusted library allocation

page read and write

66A0000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

3D2B000

trusted library allocation

page execute and read and write

12F8000

stack

page read and write

6220000

trusted library allocation

page read and write

3E39000

trusted library allocation

page execute and read and write

6760000

trusted library allocation

page read and write

15AE000

stack

page read and write

61A0000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

386F000

stack

page read and write

6220000

trusted library allocation

page read and write

6220000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

6760000

trusted library allocation

page read and write

5021000

trusted library allocation

page read and write

1867000

heap

page read and write

6770000

trusted library allocation

page read and write

6220000

trusted library allocation

page read and write

16EE000

stack

page read and write

6770000

trusted library allocation

page read and write

C3E000

unkown

page write copy

68CE000

stack

page read and write

6690000

trusted library allocation

page read and write

3CC0000

trusted library section

page read and write

6770000

trusted library allocation

page read and write

6FA0000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

675F000

stack

page read and write

There are 277 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
33__Installer.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report33__Installer.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
33__Installer.exe