Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

INSTALL (1).EXE

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.316581949387796
Filename:	INSTALL (1).EXE
Filesize:	632784
MD5:	9ef163303a7fc06b98beb90ae14217ba
SHA1:	a8a44b4553aeedbfcc240d5ee47539119b1a4287
SHA256:	49f9aeee62ddd572dacba21f5e7298cd33856818ee3cc9d691d4788a79fbad68
SHA512:	73fca97e6c8a4299404264b07df6916646c542843a69a97584da8de516adf6cb5b71c03205bcf140804e2993d987956e991dc1596afab9c02ada07607bfe3819
SSDEEP:	12288:FBo9oKbH9+TYDbqiYHX6Ofc4YLWKMUvVbm2HnhT7ZFTjHCSpNIlUPciRd:FBozz9+TYDbuHqOfEWhUvVbm2Hh33Hr1
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I.S...=...=...=.......=.......=.......=._.9...=._.>...=._.8.'.=.......=...<...=...4.K.=...=...=.......=.......=...?...=.Rich..=

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)	System Summary
Contains functionality for error logging	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query local drives	Spreading, Malware Analysis System Evasion
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to read ini properties file for application configuration	Persistence and Installation Behavior
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary
Reads software policies	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Writes ini files	System Summary	File and Directory Discovery
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\INSTALL[1].htm

HTML document, ASCII text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\INSTALL[1].htm
Category:	dropped
Dump:	INSTALL[1].htm.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE
Type:	HTML document, ASCII text
Entropy:	4.775681572027714
Encrypted:	false
Ssdeep:	24:YBjbUMLmpnZogSA5JeMDt8Nzs7fxzDs5XkGII6LGyflyEwL9n5iNiQGxRfSxXa:WHUMLkka8dKGII6LGyoEwL9nUoQGuxK
Size:	1527
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Temp\WD200D.tmp\INSTALL.ZIP

HTML document, ASCII text

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\WD200D.tmp\INSTALL.ZIP
Category:	dropped
Dump:	INSTALL.ZIP.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE
Type:	HTML document, ASCII text
Entropy:	4.775681572027714
Encrypted:	false
Ssdeep:	24:YBjbUMLmpnZogSA5JeMDt8Nzs7fxzDs5XkGII6LGyflyEwL9n5iNiQGxRfSxXa:WHUMLkka8dKGII6LGyoEwL9nUoQGuxK
Size:	1527
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE
Category:	dropped
Dump:	INSTALL.EXE.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\INSTALL (1).EXE
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.624794863265175
Encrypted:	false
Ssdeep:	12288:7GE4JYN6g3oXlWnwgcFRrEv4qWna9nYw/EwqW87uxRvmx:WqN6g2AGrEvFW6/xLxxmx
Size:	482696
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking

C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.INI

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.INI
Category:	dropped
Dump:	INSTALL.INI.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\INSTALL (1).EXE
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.5605628328541394
Encrypted:	false
Ssdeep:	6:Q+2lsYL4UXKaLail9q2lMFO8X2lxSlslsYLo8ivURYrMlxn:Q+C/4UaaLai3q2ln8mlxpo/vUGMlxn
Size:	286
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Writes ini files	System Summary	File and Directory Discovery

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\INSTALL (1).EXE

"C:\Users\user\Desktop\INSTALL (1).EXE"

Details

Is windows:	false
Is dropped:	false
PID:	7436
Target ID:	0
Parent PID:	2580
Name:	INSTALL (1).EXE
Path:	C:\Users\user\Desktop\INSTALL (1).EXE
Commandline:	"C:\Users\user\Desktop\INSTALL (1).EXE"
Size:	632784
MD5:	9EF163303A7FC06B98BEB90AE14217BA
Time:	02:25:56
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xbc0000
Modulesize:	393216
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE

"C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE"

Details

Is windows:	false
Is dropped:	true
PID:	7484
Target ID:	1
Parent PID:	7436
Name:	INSTALL.EXE
Path:	C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE
Commandline:	"C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE"
Size:	482696
MD5:	8D493C3586E91D6AC600C55EA6EA2B5F
Time:	02:25:56
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x920000
Modulesize:	487424
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#

unknown

https://sectigo.com/CPS0

unknown

http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#

unknown

http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y

unknown

http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0

unknown

http://ocsp.sectigo.com0

unknown

https://logiciels.vim.fr/OptairCTA2019/INSTALL/INSTALL.ZIPsRS

unknown

https://logiciels.vim.fr/OptairCTA2019/INSTALL/INSTALL.ZIP=

unknown

https://logiciels.vim.fr/

unknown

https://logiciels.vim.fr/OptairCTA2019/INSTALL/INSTALL.ZIP

109.69.187.83

Domains

Name

Malicious

logiciels.vim.fr

109.69.187.83

Details

Name:	logiciels.vim.fr
IP:	109.69.187.83
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

109.69.187.83

logiciels.vim.fr

France

Details

IP:	109.69.187.83
TargetID:	1
Current Path:	C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE
Country:	France
Countrycode:	FRA
ASN number:	50446
ASN name:	DATACAMPUSFR
Private:	false
Domain:	logiciels.vim.fr

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

564C000

stack

page read and write

BC0000

unkown

page readonly

2870000

trusted library allocation

page read and write

4A60000

trusted library allocation

page read and write

11D5000

heap

page read and write

4F0E000

stack

page read and write

4A60000

trusted library allocation

page read and write

BEF000

unkown

page readonly

E13000

heap

page read and write

50CD000

stack

page read and write

11C1000

heap

page read and write

120B000

heap

page read and write

11E5000

heap

page read and write

11DA000

heap

page read and write

849000

stack

page read and write

118A000

heap

page read and write

11E0000

heap

page read and write

5970000

heap

page read and write

E43000

heap

page read and write

11E7000

heap

page read and write

10FA000

stack

page read and write

2C34000

heap

page read and write

11C6000

heap

page read and write

2870000

trusted library allocation

page read and write

8C0000

heap

page read and write

C03000

unkown

page write copy

5210000

heap

page read and write

11C5000

heap

page read and write

12A0000

heap

page read and write

554B000

stack

page read and write

4A60000

trusted library allocation

page read and write

11EF000

heap

page read and write

4E2E000

stack

page read and write

2870000

trusted library allocation

page read and write

12C0000

heap

page read and write

5320000

remote allocation

page read and write

2870000

trusted library allocation

page read and write

51CD000

stack

page read and write

D38000

stack

page read and write

2870000

trusted library allocation

page read and write

11C5000

heap

page read and write

2870000

trusted library allocation

page read and write

E2E000

heap

page read and write

5320000

remote allocation

page read and write

12C5000

heap

page read and write

4DDF000

stack

page read and write

15F0000

heap

page read and write

2870000

trusted library allocation

page read and write

920000

unkown

page readonly

5470000

heap

page read and write

BC1000

unkown

page execute read

E4F000

heap

page read and write

11D1000

heap

page read and write

E3B000

heap

page read and write

2870000

trusted library allocation

page read and write

BC0000

unkown

page readonly

C06000

unkown

page readonly

2870000

trusted library allocation

page read and write

2870000

trusted library allocation

page read and write

D58000

stack

page read and write

E4F000

heap

page read and write

52CE000

stack

page read and write

10CE000

stack

page read and write

159F000

stack

page read and write

DCA000

heap

page read and write

2F80000

trusted library allocation

page read and write

11E6000

heap

page read and write

2A2E000

stack

page read and write

5472000

heap

page read and write

149E000

stack

page read and write

4B9E000

stack

page read and write

550F000

stack

page read and write

E4F000

heap

page read and write

4F7D000

stack

page read and write

2A35000

heap

page read and write

DC1000

heap

page read and write

5320000

remote allocation

page read and write

2870000

trusted library allocation

page read and write

535E000

stack

page read and write

E84000

heap

page read and write

2870000

trusted library allocation

page read and write

2870000

trusted library allocation

page read and write

971000

unkown

page readonly

2870000

trusted library allocation

page read and write

545F000

stack

page read and write

11CD000

heap

page read and write

11DB000

heap

page read and write

D80000

heap

page read and write

117E000

stack

page read and write

E3B000

heap

page read and write

1180000

heap

page read and write

2A30000

heap

page read and write

1207000

heap

page read and write

11DA000

heap

page read and write

1207000

heap

page read and write

2870000

trusted library allocation

page read and write

2870000

trusted library allocation

page read and write

122D000

heap

page read and write

E4A000

heap

page read and write

2870000

trusted library allocation

page read and write

90D000

stack

page read and write

2870000

trusted library allocation

page read and write

96E000

unkown

page read and write

540E000

stack

page read and write

2B3E000

stack

page read and write

122D000

heap

page read and write

C03000

unkown

page read and write

507C000

stack

page read and write

31F0000

trusted library allocation

page read and write

DCA000

heap

page read and write

D60000

heap

page read and write

921000

unkown

page execute read

BEF000

unkown

page readonly

113E000

stack

page read and write

11D6000

heap

page read and write

1620000

heap

page read and write

C06000

unkown

page readonly

1629000

heap

page read and write

5470000

trusted library allocation

page read and write

2C30000

heap

page read and write

E4A000

heap

page read and write

971000

unkown

page readonly

5971000

heap

page read and write

EF5000

heap

page read and write

2870000

trusted library allocation

page read and write

4A60000

trusted library allocation

page read and write

2870000

trusted library allocation

page read and write

4CDE000

stack

page read and write

2870000

trusted library allocation

page read and write

E84000

heap

page read and write

11CC000

heap

page read and write

4A60000

trusted library allocation

page read and write

E2E000

heap

page read and write

920000

unkown

page readonly

DA0000

heap

page read and write

504E000

stack

page read and write

96E000

unkown

page write copy

E86000

heap

page read and write

E87000

heap

page read and write

9DE000

stack

page read and write

296C000

stack

page read and write

2870000

trusted library allocation

page read and write

1207000

heap

page read and write

DAA000

heap

page read and write

DD0000

heap

page read and write

954000

unkown

page readonly

DAE000

heap

page read and write

954000

unkown

page readonly

11DA000

heap

page read and write

921000

unkown

page execute read

4B5F000

stack

page read and write

4F2F000

stack

page read and write

4C9F000

stack

page read and write

2A39000

heap

page read and write

514F000

stack

page read and write

518E000

stack

page read and write

2870000

trusted library allocation

page read and write

120B000

heap

page read and write

E8F000

heap

page read and write

120B000

heap

page read and write

EA0000

heap

page read and write

1600000

heap

page read and write

5570000

trusted library allocation

page read and write

528F000

stack

page read and write

1625000

heap

page read and write

2870000

trusted library allocation

page read and write

122D000

heap

page read and write

CFB000

stack

page read and write

53CF000

stack

page read and write

E13000

heap

page read and write

500E000

stack

page read and write

2870000

trusted library allocation

page read and write

DC0000

heap

page read and write

2870000

trusted library allocation

page read and write

11C1000

heap

page read and write

BC1000

unkown

page execute read

DC0000

heap

page read and write

2870000

trusted library allocation

page read and write

11D1000

heap

page read and write

CF4000

stack

page read and write

11CD000

heap

page read and write

11F6000

heap

page read and write

11DE000

heap

page read and write

DC7000

heap

page read and write

E4C000

heap

page read and write

EF0000

heap

page read and write

2870000

trusted library allocation

page read and write

11DE000

heap

page read and write

118E000

heap

page read and write

2870000

trusted library allocation

page read and write

8B0000

heap

page read and write

There are 181 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
INSTALL (1).EXE

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportINSTALL (1).EXE

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
INSTALL (1).EXE