Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

09j4wHYrHs.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	4.600770612695514
Filename:	09j4wHYrHs.exe
Filesize:	49665
MD5:	b3370422cd4262297843df6f6b16d273
SHA1:	092f1aac2c72ead151585cd11712b4fa32ed4d39
SHA256:	c26ffcfad1b175fecb51e9b9724f63cbbd5e789ca9d075d7b9c5d88ae914078b
SHA512:	5ac971db6f50f25dddbab16b253c5573d6ba8950860b12639f0c1738de9824f627ca295b6fd3fc2384d4733167aa05c2df00e6bbb3d480a2f179b1497b076b7f
SSDEEP:	384:Yphk1qGvq/a/ryIstUT4FPwk5wAjFwyXILah1/VBjzYwXfA/ae/UcD6:Yc1qGAWrGOkFTxKe/VBjzYUqxL6
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L...;..a.....................0....................@................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Queries process information (via WMI, Win32_Process)	System Summary	Windows Management Instrumentation System Information Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary

C:\Users\user\AppData\Local\Temp\~DFAC1AC9EB40B6FD0C.TMP

Composite Document File V2 Document, Cannot read section info

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\~DFAC1AC9EB40B6FD0C.TMP
Category:	dropped
Dump:	~DFAC1AC9EB40B6FD0C.TMP.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\09j4wHYrHs.exe
Type:	Composite Document File V2 Document, Cannot read section info
Entropy:	2.59212770002593
Encrypted:	false
Ssdeep:	24:rwrubDvqLJ/K93+OO2C9HpAgf3omT7zlzGl7wUpT1GsjW9YmAS7Wipgp:rwcjqLBK9xw9Jv3D2wWT4nASqipgp
Size:	6144
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\Desktop\config.xml

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\Desktop\config.xml
Category:	dropped
Dump:	config.xml.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\09j4wHYrHs.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.147869792568112
Encrypted:	false
Ssdeep:	3:fKpr+YfrYn:ipr+YfrY
Size:	36
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\09j4wHYrHs.exe

"C:\Users\user\Desktop\09j4wHYrHs.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6764
Target ID:	0
Parent PID:	2580
Name:	09j4wHYrHs.exe
Path:	C:\Users\user\Desktop\09j4wHYrHs.exe
Commandline:	"C:\Users\user\Desktop\09j4wHYrHs.exe"
Size:	49665
MD5:	B3370422CD4262297843DF6F6B16D273
Time:	10:27:00
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	49152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary

URLs

Name

Malicious

https://duckduckgo.com/chrome_newtab

unknown

https://duckduckgo.com/ac/?q=

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://duckduckgo.com/?q=

unknown

https://drive-daily-2.corp.google.com/

unknown

https://drive-autopush.corp.google.com/

unknown

https://drive-daily-4.corp.google.com/

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://payments.google.com/

unknown

https://www.ecosia.org/newtab/

unknown

https://drive-daily-1.corp.google.com/

unknown

https://drive-daily-5.corp.google.com/

unknown

https://docs.google.com/

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

https://drive-staging.corp.google.com/

unknown

https://drive-daily-6.corp.google.com/

unknown

https://drive.google.com/

unknown

https://drive-daily-0.corp.google.com/

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://drive-preprod.corp.google.com/

unknown

https://sandbox.google.com/

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

https://www.google.com/

unknown

https://drive-daily-3.corp.google.com/

unknown

There are 15 hidden URLs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

4B3000

heap

page read and write

463000

heap

page read and write

326E000

stack

page read and write

2A80000

heap

page read and write

2AB0000

heap

page read and write

510000

heap

page read and write

474000

heap

page read and write

42C000

heap

page read and write

312F000

stack

page read and write

2050000

trusted library allocation

page execute read

4B6000

heap

page read and write

463000

heap

page read and write

4A8000

heap

page read and write

454000

heap

page read and write

42C000

heap

page read and write

441000

heap

page read and write

2120000

heap

page read and write

448000

heap

page read and write

484000

heap

page read and write

418000

heap

page read and write

430000

heap

page read and write

4B5000

heap

page read and write

46E000

heap

page read and write

5A0000

heap

page read and write

442000

heap

page read and write

4B3000

heap

page read and write

43D000

heap

page read and write

463000

heap

page read and write

42D000

heap

page read and write

20A0000

heap

page read and write

2130000

trusted library allocation

page read and write

409000

unkown

page read and write

463000

heap

page read and write

448000

heap

page read and write

9A000

stack

page read and write

4A8000

heap

page read and write

430000

heap

page read and write

59E000

stack

page read and write

2939000

heap

page read and write

4B5000

heap

page read and write

20B0000

heap

page read and write

2A7E000

stack

page read and write

484000

heap

page read and write

482000

heap

page read and write

2940000

heap

page read and write

463000

heap

page read and write

401000

unkown

page execute read

410000

heap

page read and write

40A000

unkown

page readonly

454000

heap

page read and write

472000

heap

page read and write

49A000

heap

page read and write

880000

heap

page read and write

40A000

unkown

page readonly

48F000

heap

page read and write

454000

heap

page read and write

448000

heap

page read and write

292E000

stack

page read and write

46F000

heap

page read and write

77F000

stack

page read and write

454000

heap

page read and write

466000

heap

page read and write

47F000

heap

page read and write

45A000

heap

page read and write

2080000

heap

page read and write

2930000

heap

page read and write

5A5000

heap

page read and write

454000

heap

page read and write

44E000

heap

page read and write

400000

unkown

page readonly

438000

heap

page read and write

4B6000

heap

page read and write

463000

heap

page read and write

49A000

heap

page read and write

425000

heap

page read and write

4A8000

heap

page read and write

87F000

stack

page read and write

336F000

stack

page read and write

482000

heap

page read and write

44E000

heap

page read and write

19C000

stack

page read and write

48F000

heap

page read and write

48F000

heap

page read and write

4B5000

heap

page read and write

484000

heap

page read and write

454000

heap

page read and write

322F000

stack

page read and write

4B3000

heap

page read and write

44A000

heap

page read and write

55E000

stack

page read and write

49A000

heap

page read and write

46F000

heap

page read and write

451000

heap

page read and write

401000

unkown

page execute read

400000

unkown

page readonly

There are 85 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
09j4wHYrHs.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report09j4wHYrHs.exe

Files

Processes

URLs

Memdumps

IOC Report
09j4wHYrHs.exe