Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

C1ZsNxSer8.exe

PE32+ executable (GUI) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	7.219441527091625
Filename:	C1ZsNxSer8.exe
Filesize:	2673152
MD5:	4fb3e6e7b8f9c12cd2d5e161f7b94760
SHA1:	57bdad62c6ea7f1b905c900302f918d185811a94
SHA256:	f76f9b85df2ba8850bec058164d2c752c8fd8ef0f1bcffd793e5f453d8a839bb
SHA512:	f762ad1ccd537d06c1cf3538e433671f441f100b06d37ec34b3a3e76dfbfad40ac7ca50ee32297c54f628b0b89d75c2c5255166cc992f9bcff8f117f70aa179a
SSDEEP:	49152:Og7eO7kjTav5AwVZGsY3uS+s1vm1lvt+vU0JSziMwqM:j7lmmUM7wq
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`...$n.K$n.K$n.K...J-n.K...J(n.K...J.n.K-.Kn.Ko..J-n.K$n.K.n.K...J/n.K...J`n.K$n.K%n.K7..J%n.K7.FK%n.K7..J%n.KRich$n.K.......

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Access Token Manipulation System Time Discovery Archive Collected Data Encrypted Channel
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation Security Software Discovery System Shutdown/Reboot
Yara signature match	System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Native API Software Packing
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Public key (encryption) found	Cryptography	Account Discovery Security Software Discovery System Owner/User Discovery
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\json[1].json

JSON data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\json[1].json
Category:	dropped
Dump:	json[1].json.6.dr
ID:	dr_0
Target ID:	6
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Type:	JSON data
Entropy:	5.013130376969173
Encrypted:	false
Ssdeep:	12:tklu+mnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdVauKyGX85jvXhNlT3/7AcV9Wro
Size:	962
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\C1ZsNxSer8.exe

"C:\Users\user\Desktop\C1ZsNxSer8.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3432
Target ID:	1
Parent PID:	4056
Name:	C1ZsNxSer8.exe
Path:	C:\Users\user\Desktop\C1ZsNxSer8.exe
Commandline:	"C:\Users\user\Desktop\C1ZsNxSer8.exe"
Size:	2673152
MD5:	4FB3E6E7B8F9C12CD2D5E161F7B94760
Time:	04:38:02
Date:	26/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff774a00000
Modulesize:	3137536
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6780
Target ID:	6
Parent PID:	3432
Name:	CasPol.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Size:	108664
MD5:	914F728C04D3EDDD5FBA59420E74E56B
Time:	04:38:02
Date:	26/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x8c0000
Modulesize:	114688
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6000
Target ID:	2
Parent PID:	3432
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	04:38:02
Date:	26/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

unifrieghtmovers.com

http://geoplugin.net/json.gp

178.237.33.50

https://aka.ms/GlobalizationInvariantMode

unknown

http://geoplugin.net/json.gp/C

unknown

http://geoplugin.net/json.gpl

unknown

https://aka.ms/nativeaot-c

unknown

http://geoplugin.net/json.gpSystem32

unknown

https://aka.ms/nativeaot-compatibility

unknown

https://aka.ms/nativeaot-compatibilityY

unknown

https://aka.ms/nativeaot-compatibilityy

unknown

https://aka.ms/nativeaot-compatibilityX

unknown

http://geoplugin.net/json.gp-

unknown

There are 2 hidden URLs, click here to show them.

Domains

Name

Malicious

unifrieghtmovers.com

23.95.60.82

Details

Name:	unifrieghtmovers.com
IP:	23.95.60.82
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

geoplugin.net

178.237.33.50

Details

Name:	geoplugin.net
IP:	178.237.33.50
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

23.95.60.82

unifrieghtmovers.com

United States

Details

IP:	23.95.60.82
TargetID:	6
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Country:	United States
Countrycode:	USA
ASN number:	36352
ASN name:	AS-COLOCROSSINGUS
Private:	false
Domain:	unifrieghtmovers.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

178.237.33.50

geoplugin.net

Netherlands

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\chrome-E2SMAR

exepath

HKEY_CURRENT_USER\SOFTWARE\chrome-E2SMAR

licence

HKEY_CURRENT_USER\SOFTWARE\chrome-E2SMAR

time

Memdumps

Base Address

Regiontype

Protect

Malicious

400000

remote allocation

page execute and read and write

145BF964000

direct allocation

page read and write

F77000

heap

page read and write

CFB000

stack

page read and write

145BF600000

direct allocation

page read and write

145C2400000

direct allocation

page read and write

145BA422000

heap

page read and write

145BA5D0000

heap

page read and write

2BCF000

stack

page read and write

186509C0000

direct allocation

page read and write

7FF774A01000

unkown

page execute read

294D000

stack

page read and write

358F000

stack

page read and write

FE5000

heap

page read and write

7FF774A01000

unkown

page execute read

7FF774B9B000

unkown

page readonly

29C0000

heap

page read and write

145BA3C0000

heap

page read and write

FFE000

heap

page read and write

7FF774C6C000

unkown

page read and write

478000

remote allocation

page execute and read and write

7FF774B3B000

unkown

page read and write

25884F9000

stack

page read and write

2950000

heap

page read and write

25888FE000

stack

page read and write

7FF774C6F000

unkown

page readonly

145BA590000

heap

page read and write

348E000

stack

page read and write

FB4000

heap

page read and write

185CFDAF000

direct allocation

page read and write

116F000

stack

page read and write

7FF774A00000

unkown

page readonly

E0E000

stack

page read and write

18650978000

heap

page read and write

145BEC00000

direct allocation

page read and write

29AE000

stack

page read and write

E55000

heap

page read and write

145BE000000

direct allocation

page read and write

25887FE000

stack

page read and write

E50000

heap

page read and write

E60000

heap

page read and write

145C1000000

direct allocation

page read and write

F70000

heap

page read and write

7FF774B9B000

unkown

page readonly

145BA3C6000

heap

page read and write

96C000

stack

page read and write

145BA5B0000

heap

page read and write

FF8000

heap

page read and write

474000

remote allocation

page execute and read and write

25886FE000

stack

page read and write

9D0000

heap

page read and write

145C1A00000

direct allocation

page read and write

145BA5D5000

heap

page read and write

9E0000

heap

page read and write

1865099E000

heap

page read and write

FC8000

heap

page read and write

7FF774C67000

unkown

page read and write

145BA3CC000

heap

page read and write

7FF774A00000

unkown

page readonly

7FF774C60000

unkown

page read and write

186508B0000

heap

page read and write

186509B0000

direct allocation

page read and write

2ACF000

stack

page read and write

186509A1000

heap

page read and write

7FF774C60000

unkown

page write copy

7FF774C6F000

unkown

page readonly

145BA3A0000

heap

page read and write

E70000

heap

page read and write

145BC000000

direct allocation

page read and write

25885FE000

stack

page read and write

There are 60 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
C1ZsNxSer8.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportC1ZsNxSer8.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
C1ZsNxSer8.exe