Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Invoices AMM Consol 020-04860612.exe

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	7.95785405939972
Filename:	Invoices AMM Consol 020-04860612.exe
Filesize:	1056256
MD5:	d6ab3fc2af456e87088f640d4cabb8c5
SHA1:	4543d0556b4eaa857bd77b61c7ff062531645980
SHA256:	cd1d53de473b9d6a924d7942acc9f8e09fcd6bc452ed1fa4935f3ca692d9cc44
SHA512:	ce8092d2033dc3c0a5f4ee3b6281ce7b3b5dcf0b671dade5be4f76a8fae4060594cc598c004d5ae4d881113f1181b6f2680b37375b58898fd3bc9a47f341905f
SSDEEP:	24576:Vd0LGOsLNlw2PmdCyUwRHMk+7PkjDPoOMHht8Cq6c+QeBn:Vd0LG1odCyUzZsDwOwht8CEeBn
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.....................f......6.... ....@...... ....................................@...@......@............... .....

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
Machine Learning detection for sample	AV Detection
Modifies the context of a thread in another process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Binary may include packed or encrypted code	Data Obfuscation	Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Invoices AMM Consol 020-04860612.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Invoices AMM Consol 020-04860612.exe.log
Category:	dropped
Dump:	Invoices AMM Consol 020-04860612.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe
Type:	CSV text
Entropy:	5.380493107040482
Encrypted:	false
Ssdeep:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNl+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAA
Size:	1510
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe

"C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5600
Target ID:	0
Parent PID:	4056
Name:	Invoices AMM Consol 020-04860612.exe
Path:	C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe
Commandline:	"C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe"
Size:	1056256
MD5:	D6AB3FC2AF456E87088F640D4CABB8C5
Time:	11:43:24
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xdb0000
Modulesize:	1081344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Details

Is windows:	true
Is dropped:	false
PID:	6900
Target ID:	5
Parent PID:	5600
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Size:	258544
MD5:	2EDD0B288FE2459DA84E4274D1942343
Time:	11:43:27
Date:	03/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x252f3950000
Modulesize:	253952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 6900 -s 12

Details

Is windows:	true
Is dropped:	false
PID:	7028
Target ID:	8
Parent PID:	6900
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6900 -s 12
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	11:43:28
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6c9370000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

Domains

Name

Malicious

bg.microsoft.map.fastly.net

199.232.214.172

time.windows.com

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

7FFAACBAD000

trusted library allocation

page execute and read and write

1DB1F000

stack

page read and write

1690000

heap

page read and write

7FFB1E3C5000

unkown

page readonly

41FB000

trusted library allocation

page read and write

1C8E000

stack

page read and write

7FFAACD42000

trusted library allocation

page read and write

DB0000

unkown

page readonly

4223000

trusted library allocation

page read and write

1CDE0000

heap

page read and write

248E000

stack

page read and write

1D71F000

stack

page read and write

1CC70000

heap

page read and write

FB0000

heap

page read and write

1C180000

trusted library allocation

page read and write

1426B000

trusted library allocation

page read and write

7FFB1E3C0000

unkown

page read and write

1CF10000

heap

page read and write

1660000

heap

page execute and read and write

7FFAACBB0000

trusted library allocation

page read and write

172D000

heap

page read and write

7FFAACC5C000

trusted library allocation

page execute and read and write

7FFAACDB0000

trusted library allocation

page read and write

14158000

trusted library allocation

page read and write

7FFAACD7B000

trusted library allocation

page read and write

414E000

stack

page read and write

1F620000

heap

page read and write

7FFB1E3C2000

unkown

page readonly

16C9000

heap

page read and write

208F000

stack

page read and write

7FFAACBA0000

trusted library allocation

page read and write

4228000

trusted library allocation

page read and write

3C38000

heap

page read and write

7FFAACD80000

trusted library allocation

page execute and read and write

1CD80000

trusted library section

page read and write

7FFB1E3A0000

unkown

page readonly

7FFAACCC0000

trusted library allocation

page execute and read and write

FE0000

heap

page read and write

7FFAACBBD000

trusted library allocation

page execute and read and write

1F7F0000

trusted library section

page read and write

1CC10000

trusted library section

page readonly

200BE000

stack

page read and write

F70000

heap

page read and write

3D49000

heap

page read and write

1701000

heap

page read and write

FA5000

heap

page read and write

15EE000

stack

page read and write

1CEE0000

trusted library section

page read and write

14355000

trusted library allocation

page read and write

7FFAACBA4000

trusted library allocation

page read and write

F40000

heap

page read and write

1600000

trusted library allocation

page read and write

7FFAACBFC000

trusted library allocation

page execute and read and write

1FCBE000

stack

page read and write

FE5000

heap

page read and write

3D40000

heap

page read and write

7FFAACBC0000

trusted library allocation

page read and write

1CEF0000

trusted library allocation

page read and write

41F9000

trusted library allocation

page read and write

1CCF0000

heap

page execute and read and write

1703000

heap

page read and write

7FFAACBCB000

trusted library allocation

page execute and read and write

7FFAACBCD000

trusted library allocation

page execute and read and write

7FFAACD90000

trusted library allocation

page read and write

7FFB1E3A1000

unkown

page execute read

16C0000

heap

page read and write

420C000

trusted library allocation

page read and write

7FFAACBC4000

trusted library allocation

page read and write

7FFAACD50000

trusted library allocation

page read and write

DB2000

unkown

page readonly

1620000

trusted library allocation

page read and write

7FFAACDA0000

trusted library allocation

page read and write

7FFAACC56000

trusted library allocation

page read and write

14151000

trusted library allocation

page read and write

7FF443640000

trusted library allocation

page execute and read and write

1CC20000

heap

page read and write

7FFAACD70000

trusted library allocation

page read and write

7FFAACD60000

trusted library allocation

page execute and read and write

1F120000

heap

page read and write

1DF30000

heap

page read and write

7FFAACBA3000

trusted library allocation

page execute and read and write

1CC76000

heap

page read and write

7FFAACC50000

trusted library allocation

page read and write

1C8CC000

stack

page read and write

1CDA0000

trusted library section

page read and write

41EC000

trusted library allocation

page read and write

1F020000

heap

page read and write

FA0000

heap

page read and write

1733000

heap

page read and write

7FFB1E3B6000

unkown

page readonly

1CDE3000

heap

page read and write

1CDC0000

heap

page read and write

7FFAACD78000

trusted library allocation

page read and write

7FFAACC60000

trusted library allocation

page execute and read and write

7FFAACBB3000

trusted library allocation

page read and write

1DF1F000

stack

page read and write

7FFAACD40000

trusted library allocation

page read and write

1D31C000

stack

page read and write

1DF20000

heap

page read and write

4151000

trusted library allocation

page read and write

14161000

trusted library allocation

page read and write

7FFAACC86000

trusted library allocation

page execute and read and write

F50000

heap

page read and write

16EB000

heap

page read and write

BC781FC000

stack

page read and write

There are 95 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Invoices AMM Consol 020-04860612.exe

Files

Processes

Domains

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportInvoices AMM Consol 020-04860612.exe

Files

Processes

Domains

Memdumps

IOC Report
Invoices AMM Consol 020-04860612.exe