Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1936,i,14102734953510180185,6557037327749919800,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.bnaminexg.com/Invoice-yetdr.zip"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\AppData\Local\Temp\vqyu22il.thm\Invoice-yetdr.img"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\AppData\Local\Temp\vqyu22il.thm\Invoice-yetdr.img"

C:\Windows\SysWOW64\unarchiver.exe

"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Invoice-yetdr.zip"

C:\Windows\SysWOW64\7za.exe

"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\vqyu22il.thm" "C:\Users\user\Downloads\Invoice-yetdr.zip"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\NOTEPAD.EXE" D:\autorun.inf

URLs

Name

Malicious

https://www.bnaminexg.com/Invoice-yetdr.zip

Details

Filetype:	URL
Filename:	https://www.bnaminexg.com/Invoice-yetdr.zip

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected VBS Downloader Generic	Spreading
Downloads suspicious files via Chrome	System Summary
Loading BitLocker PowerShell Module	Hooking and other Techniques for Hiding and Protection
Sigma detected: Suspicious PowerShell Parameter Substring	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary	Encrypted Channel
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected non-DNS traffic on DNS port	Networking
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May infect USB drives	Spreading	Replication Through Removable Media
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sigma detected: PowerShell Script Run in AppData	System Summary
Classification label	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Contains functionality to query system information	Malware Analysis System Evasion
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Downloads files from webservers via HTTP	Networking	Ingress Tool Transfer
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Performs DNS lookups	Networking	Non-Application Layer Protocol Application Layer Protocol
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook		Peripheral Device Discovery
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook		Application Window Discovery
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses HTTPS	Networking	Encrypted Channel
Uses an in-process (OLE) Automation server	System Summary
Uses new MSVCR Dlls	Compliance, System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary
Uses Microsoft Silverlight	System Summary

https://www.bnaminexg.com/Invoice-yetdr.zip

162.210.199.135

Details

Name:	https://www.bnaminexg.com/Invoice-yetdr.zip
IP:	162.210.199.135
TargetID:	2
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Spawns processes	System Summary	Process Injection

https://pastebin.com/raw/vHQdp1zj

unknown

Domains

Name

Malicious

bnaminexg.com

162.210.199.135

Details

Name:	bnaminexg.com
IP:	162.210.199.135
TargetID:	2
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection

www.google.com

142.250.184.228

Details

Name:	www.google.com
IP:	142.250.184.228
TargetID:	2
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

www.bnaminexg.com

unknown

Details

Name:	www.bnaminexg.com
TargetID:	2
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection

IPs

Domain

Country

Malicious

239.255.255.250

unknown

Reserved

162.210.199.135

bnaminexg.com

United States

142.250.184.228

www.google.com

United States

192.168.2.6

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Windows\system32\NOTEPAD.EXE.FriendlyAppName

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Windows\system32\NOTEPAD.EXE.ApplicationCompany

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad

fWindowsOnlyEOL

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad

fPasteOriginalEOL

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad

fReverse

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad

fWrapAround

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad

fMatchCase

Memdumps

Base Address

Regiontype

Protect

Malicious

F2B000

heap

page read and write

309C000

trusted library allocation

page read and write

13E0000

heap

page read and write

1330000

trusted library allocation

page read and write

1470000

heap

page read and write

FCD000

heap

page read and write

30B0000

trusted library allocation

page read and write

311E000

trusted library allocation

page read and write

5B9D000

stack

page read and write

30EE000

trusted library allocation

page read and write

F89000

heap

page read and write

12AE000

stack

page read and write

53EE000

stack

page read and write

2DC3000

heap

page read and write

4CA0000

trusted library allocation

page read and write

52AD000

stack

page read and write

3145000

heap

page read and write

1478000

heap

page read and write

3061000

trusted library allocation

page read and write

30FF000

trusted library allocation

page read and write

313A000

heap

page read and write

2E0F000

stack

page read and write

12B0000

heap

page read and write

3154000

heap

page read and write

FAC000

heap

page read and write

2F10000

trusted library allocation

page read and write

1440000

trusted library allocation

page execute and read and write

310A000

trusted library allocation

page read and write

12C0000

trusted library allocation

page read and write

52C0000

heap

page read and write

2B5D000

stack

page read and write

3076000

stack

page read and write

1465000

heap

page read and write

60AE000

stack

page read and write

309E000

stack

page read and write

2DC4000

heap

page read and write

6560000

heap

page read and write

30FC000

trusted library allocation

page read and write

1352000

trusted library allocation

page execute and read and write

5C9F000

stack

page read and write

1367000

trusted library allocation

page execute and read and write

1430000

trusted library allocation

page read and write

4ECF000

stack

page read and write

313D000

heap

page read and write

30A0000

heap

page read and write

1460000

heap

page execute and read and write

13AE000

stack

page read and write

12E0000

trusted library allocation

page read and write

31D0000

heap

page read and write

10FD000

stack

page read and write

132A000

trusted library allocation

page execute and read and write

3410000

heap

page read and write

4DC0000

heap

page read and write

4DB9000

heap

page read and write

1470000

heap

page read and write

30CC000

trusted library allocation

page read and write

3104000

trusted library allocation

page read and write

5F6E000

stack

page read and write

7F1F0000

trusted library allocation

page execute and read and write

BB9000

stack

page read and write

1478000

heap

page read and write

32B5000

heap

page read and write

E10000

heap

page read and write

30E1000

trusted library allocation

page read and write

FA3000

heap

page read and write

2A5D000

stack

page read and write

FC1000

heap

page read and write

2DAC000

heap

page read and write

576F000

stack

page read and write

30EB000

trusted library allocation

page read and write

52E0000

heap

page read and write

6DE0000

trusted library allocation

page read and write

1332000

trusted library allocation

page execute and read and write

51FE000

stack

page read and write

2D1E000

stack

page read and write

4F4F000

stack

page read and write

2DC6000

heap

page read and write

5900000

heap

page read and write

3107000

trusted library allocation

page read and write

53AD000

stack

page read and write

F2E000

heap

page read and write

133C000

trusted library allocation

page execute and read and write

315A000

heap

page read and write

4DB0000

heap

page read and write

30DE000

trusted library allocation

page read and write

3162000

heap

page read and write

12E0000

heap

page read and write

4061000

trusted library allocation

page read and write

2F9F000

unkown

page read and write

6DD0000

trusted library allocation

page read and write

2BC0000

heap

page read and write

30B5000

trusted library allocation

page read and write

1130000

heap

page read and write

BB6000

stack

page read and write

30AA000

trusted library allocation

page read and write

5770000

trusted library allocation

page read and write

F10000

heap

page read and write

3135000

heap

page read and write

5A4E000

stack

page read and write

1250000

heap

page read and write

606E000

stack

page read and write

142E000

stack

page read and write

4E8E000

stack

page read and write

FC4000

heap

page read and write

30C4000

trusted library allocation

page read and write

135A000

trusted library allocation

page execute and read and write

2D2E000

stack

page read and write

3110000

trusted library allocation

page read and write

F9F000

heap

page read and write

2CA0000

heap

page read and write

313E000

heap

page read and write

E15000

heap

page read and write

1322000

trusted library allocation

page execute and read and write

ABC000

stack

page read and write

2DA0000

heap

page read and write

4F74000

heap

page read and write

1360000

trusted library allocation

page read and write

2E10000

heap

page read and write

12F0000

heap

page read and write

30E4000

trusted library allocation

page read and write

30C1000

trusted library allocation

page read and write

3115000

trusted library allocation

page read and write

4DB6000

heap

page read and write

313D000

heap

page read and write

4E0E000

stack

page read and write

3090000

trusted library allocation

page read and write

BBB000

stack

page read and write

F5E000

heap

page read and write

32B0000

heap

page read and write

4E4E000

stack

page read and write

10D0000

heap

page read and write

4F0E000

stack

page read and write

124E000

stack

page read and write

133A000

trusted library allocation

page execute and read and write

562E000

stack

page read and write

54ED000

stack

page read and write

2CEE000

unkown

page read and write

3118000

trusted library allocation

page read and write

F47000

heap

page read and write

30BB000

stack

page read and write

3220000

heap

page read and write

2D30000

heap

page read and write

566E000

stack

page read and write

3110000

heap

page read and write

3118000

heap

page read and write

552D000

stack

page read and write

30CF000

trusted library allocation

page read and write

3112000

trusted library allocation

page read and write

DCC000

stack

page read and write

13FF000

stack

page read and write

1460000

heap

page read and write

E30000

heap

page read and write

4F70000

heap

page read and write

310E000

trusted library allocation

page read and write

61AE000

stack

page read and write

136B000

trusted library allocation

page execute and read and write

F20000

heap

page read and write

5B4E000

stack

page read and write

1310000

trusted library allocation

page read and write

There are 149 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
https://www.bnaminexg.com/Invoice-yetdr.zip

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttps://www.bnaminexg.com/Invoice-yetdr.zip

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
https://www.bnaminexg.com/Invoice-yetdr.zip