Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

PO STS_2184_06_2024.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.910276125677802
Filename:	PO STS_2184_06_2024.exe
Filesize:	1101320
MD5:	f9a3edaa59e9e93035aea302cfdeca9a
SHA1:	ad0e341a060b8e70aedbe56622d872066768dc3a
SHA256:	0d7f81bf5df4bb53947a85f21d0e83dccd3e151b2fbabfc00bd2eb584a273f0b
SHA512:	25d5745c507c6213a45f0353671f2a214ef09b61a2c9250db950894c045f02b42dab7050201d31f027b2fe09c84e59d68fa4835f6ffb008894d4d7976cdbd118
SSDEEP:	24576:pIF6fhKoVz5/QmNMMIrHRBvI4l39sa4On/7oGty:pIF+hKoVz5/PNMxTTgU94Onzvy
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=...............0..0...f......>O... ...`....@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
.NET source code contains methods with suspicious names	System Summary	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO STS_2184_06_2024.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO STS_2184_06_2024.exe.log
Category:	dropped
Dump:	PO STS_2184_06_2024.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\PO STS_2184_06_2024.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE / OLE file has an invalid certificate	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.3.dr
ID:	dr_5
Target ID:	3
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	5.354777075714867
Encrypted:	false
Ssdeep:	24:3gWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKIl9r6dj:QWSU4y4RQmFoUeWmfmZ9tK8NDE
Size:	1172
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2v5dz3v2.ajr.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2v5dz3v2.ajr.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_2v5dz3v2.ajr.ps1.3.dr
ID:	dr_3
Target ID:	3
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4rgiecup.p4s.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4rgiecup.p4s.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_4rgiecup.p4s.ps1.3.dr
ID:	dr_1
Target ID:	3
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jeh12ql5.ely.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jeh12ql5.ely.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_jeh12ql5.ely.psm1.3.dr
ID:	dr_4
Target ID:	3
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p4eyps3o.gk1.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p4eyps3o.gk1.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_p4eyps3o.gk1.psm1.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\PO STS_2184_06_2024.exe

"C:\Users\user\Desktop\PO STS_2184_06_2024.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3136
Target ID:	0
Parent PID:	4004
Name:	PO STS_2184_06_2024.exe
Path:	C:\Users\user\Desktop\PO STS_2184_06_2024.exe
Commandline:	"C:\Users\user\Desktop\PO STS_2184_06_2024.exe"
Size:	1101320
MD5:	F9A3EDAA59E9E93035AEA302CFDECA9A
Time:	11:46:56
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x850000
Modulesize:	1114112
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Machine Learning detection for sample	AV Detection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Powershell Defender Exclusion	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO STS_2184_06_2024.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5340
Target ID:	3
Parent PID:	3136
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO STS_2184_06_2024.exe"
Size:	433152
MD5:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Time:	11:47:00
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xab0000
Modulesize:	446464
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Powershell Defender Exclusion	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Details

Is windows:	true
Is dropped:	false
PID:	1032
Target ID:	5
Parent PID:	3136
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	11:47:00
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7a0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected FormBook	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3516
Target ID:	4
Parent PID:	5340
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	11:47:00
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://www.chiark.greenend.org.uk/~sgtatham/putty/0

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

400000

remote allocation

page execute and read and write

D40000

direct allocation

page read and write

DEE000

heap

page read and write

76A2000

trusted library allocation

page read and write

5250000

trusted library allocation

page read and write

1270000

direct allocation

page execute and read and write

545E000

stack

page read and write

122D000

trusted library allocation

page execute and read and write

9670000

heap

page read and write

140E000

direct allocation

page execute and read and write

1710000

heap

page read and write

DE0000

heap

page read and write

125B000

trusted library allocation

page execute and read and write

2F6A000

trusted library allocation

page read and write

8400000

heap

page read and write

2F74000

trusted library allocation

page read and write

2DA5000

trusted library allocation

page read and write

1270000

trusted library allocation

page read and write

2AB0000

trusted library allocation

page execute and read and write

527D000

trusted library allocation

page read and write

9EA000

stack

page read and write

D00000

heap

page read and write

5B2C000

stack

page read and write

1399000

direct allocation

page execute and read and write

4CE0000

trusted library allocation

page execute and read and write

1288000

heap

page read and write

2F82000

trusted library allocation

page read and write

83F0000

heap

page read and write

2AAB000

stack

page read and write

76E0000

heap

page read and write

2F3B000

trusted library allocation

page read and write

852000

unkown

page readonly

139D000

direct allocation

page execute and read and write

2CBB000

trusted library allocation

page read and write

2F78000

trusted library allocation

page read and write

5300000

heap

page read and write

850000

unkown

page readonly

D60000

heap

page read and write

E23000

heap

page read and write

526E000

trusted library allocation

page read and write

4475000

trusted library allocation

page read and write

2F7E000

trusted library allocation

page read and write

5303000

heap

page read and write

BA0000

heap

page read and write

1252000

trusted library allocation

page read and write

2C30000

trusted library allocation

page read and write

10ED000

stack

page read and write

83EE000

stack

page read and write

5290000

trusted library allocation

page read and write

7A3E000

stack

page read and write

44C7000

trusted library allocation

page read and write

2C55000

trusted library allocation

page read and write

4E0C000

stack

page read and write

6310000

trusted library allocation

page read and write

2F7C000

trusted library allocation

page read and write

A3D000

stack

page read and write

76A7000

trusted library allocation

page read and write

5310000

trusted library section

page read and write

96A0000

heap

page read and write

5280000

trusted library allocation

page read and write

1521000

direct allocation

page execute and read and write

850000

unkown

page execute and read and write

4515000

trusted library allocation

page read and write

57AE000

stack

page read and write

2F70000

trusted library allocation

page read and write

2F4A000

trusted library allocation

page read and write

2AC0000

trusted library allocation

page read and write

2F94000

trusted library allocation

page read and write

4CC0000

trusted library section

page read and write

5276000

trusted library allocation

page read and write

2C60000

heap

page execute and read and write

E00000

heap

page read and write

566E000

stack

page read and write

9570000

heap

page read and write

78C0000

heap

page read and write

121F000

stack

page read and write

D30000

heap

page read and write

1230000

trusted library allocation

page read and write

9C72000

trusted library allocation

page read and write

58AF000

stack

page read and write

2AD0000

trusted library allocation

page read and write

10FF000

stack

page read and write

8424000

heap

page read and write

DE8000

heap

page read and write

1280000

heap

page read and write

CFE000

stack

page read and write

1250000

trusted library allocation

page read and write

76A0000

trusted library allocation

page read and write

96A7000

heap

page read and write

E25000

heap

page read and write

76D0000

trusted library section

page readonly

82EF000

stack

page read and write

4563000

trusted library allocation

page read and write

2F96000

trusted library allocation

page read and write

7935000

heap

page read and write

15B8000

direct allocation

page execute and read and write

2F88000

trusted library allocation

page read and write

956000

unkown

page readonly

2F80000

trusted library allocation

page read and write

53F9000

trusted library allocation

page read and write

2F6E000

trusted library allocation

page read and write

2A6E000

stack

page read and write

53F0000

trusted library allocation

page read and write

2F61000

trusted library allocation

page read and write

7F5C0000

trusted library allocation

page execute and read and write

7710000

trusted library allocation

page execute and read and write

B200000

trusted library allocation

page read and write

2F72000

trusted library allocation

page read and write

2C2E000

stack

page read and write

52B0000

trusted library allocation

page execute and read and write

2F6C000

trusted library allocation

page read and write

7700000

trusted library allocation

page read and write

947000

unkown

page execute and read and write

5410000

trusted library allocation

page execute and read and write

7BFE000

stack

page read and write

2F90000

trusted library allocation

page read and write

791B000

stack

page read and write

1223000

trusted library allocation

page execute and read and write

1242000

trusted library allocation

page read and write

1110000

heap

page read and write

2F8A000

trusted library allocation

page read and write

DD0000

heap

page read and write

CBE000

stack

page read and write

7920000

trusted library allocation

page read and write

E0A000

heap

page read and write

52C0000

trusted library allocation

page read and write

CF7000

stack

page read and write

B3C000

stack

page read and write

53E0000

trusted library allocation

page read and write

967D000

heap

page read and write

11FF000

stack

page read and write

153D000

direct allocation

page execute and read and write

7BBE000

stack

page read and write

1240000

trusted library allocation

page read and write

123D000

trusted library allocation

page execute and read and write

E98000

heap

page read and write

E9D000

heap

page read and write

1246000

trusted library allocation

page execute and read and write

6350000

trusted library allocation

page read and write

2F92000

trusted library allocation

page read and write

2C40000

trusted library allocation

page read and write

2F7A000

trusted library allocation

page read and write

D50000

heap

page read and write

2CB9000

trusted library allocation

page read and write

1224000

trusted library allocation

page read and write

7690000

heap

page read and write

576E000

stack

page read and write

4CBE000

stack

page read and write

A1BE000

stack

page read and write

2F98000

trusted library allocation

page read and write

3C71000

trusted library allocation

page read and write

852000

unkown

page execute and read and write

7720000

heap

page read and write

10AE000

stack

page read and write

7C00000

trusted library allocation

page read and write

4479000

trusted library allocation

page read and write

1100000

trusted library allocation

page read and write

124A000

trusted library allocation

page execute and read and write

76F0000

trusted library allocation

page execute and read and write

2AE0000

heap

page read and write

7A7E000

stack

page read and write

9681000

heap

page read and write

2C50000

trusted library allocation

page read and write

1220000

trusted library allocation

page read and write

4CF0000

trusted library section

page read and write

5A2C000

stack

page read and write

5271000

trusted library allocation

page read and write

4D00000

trusted library section

page read and write

2F76000

trusted library allocation

page read and write

954000

unkown

page execute and read and write

562F000

stack

page read and write

E01000

heap

page read and write

F00000

heap

page read and write

7930000

heap

page read and write

1536000

direct allocation

page execute and read and write

DAD000

stack

page read and write

2C71000

trusted library allocation

page read and write

78D0000

heap

page execute and read and write

3D5F000

trusted library allocation

page read and write

7B7F000

stack

page read and write

524F000

stack

page read and write

E7E000

heap

page read and write

2F86000

trusted library allocation

page read and write

E08000

heap

page read and write

2BEE000

stack

page read and write

2F84000

trusted library allocation

page read and write

1257000

trusted library allocation

page execute and read and write

316F000

trusted library allocation

page read and write

There are 178 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
PO STS_2184_06_2024.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPO STS_2184_06_2024.exe

Files

Processes

URLs

Memdumps

IOC Report
PO STS_2184_06_2024.exe