Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

veems.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.2434777549334095
Filename:	veems.exe
Filesize:	1153953
MD5:	edf46dbf4604538e8960afea7aabcaf3
SHA1:	97c0968be1c80de8aedc94029e7b7ec1cf509b62
SHA256:	abfb108ffb2021d7851e2908a6ebf23b507aa2cbf36628f9f30b9eada587de96
SHA512:	8149edb19759f3a86fbdd0be8732402544b4bbe8edb43e1ed9672c01be476e08052e6afee51403173e25b5a0902c19503dc11bdf031b7d66a88825e64f9ded39
SSDEEP:	12288:ALkcoxg7v3qnC11ErwIhh0F4qwUgUny5Qb1egC3ExjqtbfwJDjrbGfDdR83dIk/S:WfmMv6Ckr7Mny5Qb11C3ExGfM7KRQWkq
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection	Exploitation for Privilege Escalation
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to detect sleep reduction / modifications	Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Native API Access Token Manipulation
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Process Discovery
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Process Discovery Encrypted Channel
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	System Shutdown/Reboot
PE file contains an invalid checksum	Data Obfuscation
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Contains functionality for error logging	System Summary
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\beeish

SVr2 curses screen image, big-endian

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\beeish
Category:	dropped
Dump:	beeish.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\veems.exe
Type:	SVr2 curses screen image, big-endian
Entropy:	6.4560762508107326
Encrypted:	false
Ssdeep:	6144:NDWHHpVpcLfsgPkFktPgU4H0/J4Ysw334ZdM:NDQHpDb7qtR4H0/J4YsYIzM
Size:	240128
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\veems.exe

"C:\Users\user\Desktop\veems.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7516
Target ID:	0
Parent PID:	2580
Name:	veems.exe
Path:	C:\Users\user\Desktop\veems.exe
Commandline:	"C:\Users\user\Desktop\veems.exe"
Size:	1153953
MD5:	EDF46DBF4604538E8960AFEA7AABCAF3
Time:	20:15:01
Date:	03/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	782336
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\veems.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7576
Target ID:	1
Parent PID:	7516
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\veems.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	20:15:04
Date:	03/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x960000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://pgsu.co.id

unknown

http://r10.o.lencr.org0#

unknown

Details

Name:	http://r10.o.lencr.org0#
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.4170536256.000000000104C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4170932605.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4172437770.0000000005F60000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

http://mail.pgsu.co.id

unknown

http://x1.c.lencr.org/0

unknown

http://x1.i.lencr.org/0

unknown

http://r10.i.lencr.org/0

unknown

Details

Name:	http://r10.i.lencr.org/0
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.4170536256.000000000104C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4170932605.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4172437770.0000000005F60000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

pgsu.co.id

107.178.108.41

Details

Name:	pgsu.co.id
IP:	107.178.108.41
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

mail.pgsu.co.id

unknown

Details

Name:	mail.pgsu.co.id
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

107.178.108.41

pgsu.co.id

United States

Details

IP:	107.178.108.41
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	53755
ASN name:	IOFLOODUS
Private:	false
Domain:	pgsu.co.id

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

402000

system

page execute and read and write

4220000

direct allocation

page read and write

2DFE000

trusted library allocation

page read and write

2E29000

trusted library allocation

page read and write

2DB1000

trusted library allocation

page read and write

4AB000

unkown

page readonly

3DC6000

heap

page read and write

3E21000

heap

page read and write

1F0000

heap

page read and write

3E70000

heap

page read and write

400000

unkown

page readonly

110000

heap

page read and write

3E24000

heap

page read and write

F63000

trusted library allocation

page execute and read and write

2E65000

heap

page read and write

EB0000

heap

page read and write

5FD1000

heap

page read and write

104C000

heap

page read and write

3DC6000

heap

page read and write

3E70000

heap

page read and write

3E70000

heap

page read and write

5110000

trusted library allocation

page read and write

2A50000

trusted library allocation

page read and write

51D0000

heap

page read and write

3DD9000

trusted library allocation

page read and write

E80000

heap

page read and write

648E000

stack

page read and write

2A1D000

trusted library allocation

page execute and read and write

3DA5000

heap

page read and write

F8E000

heap

page read and write

3DC6000

heap

page read and write

3E20000

heap

page execute and read and write

6A10000

trusted library allocation

page execute and read and write

3DC6000

heap

page read and write

51D4000

heap

page read and write

39AF000

stack

page read and write

F40000

heap

page read and write

3CC1000

heap

page read and write

4633000

direct allocation

page read and write

3DC6000

heap

page read and write

3E61000

heap

page read and write

47DD000

direct allocation

page read and write

8FE000

stack

page read and write

3CE6000

heap

page read and write

5F4C000

heap

page read and write

401000

unkown

page execute read

920000

heap

page read and write

3E70000

heap

page read and write

2A37000

trusted library allocation

page execute and read and write

3E70000

heap

page read and write

3DC6000

heap

page read and write

3E70000

heap

page read and write

46B0000

direct allocation

page read and write

6160000

trusted library allocation

page execute and read and write

3E70000

heap

page read and write

3D01000

heap

page read and write

15B4000

heap

page read and write

484E000

direct allocation

page read and write

3CC5000

heap

page read and write

F70000

heap

page read and write

115E000

stack

page read and write

6156000

trusted library allocation

page read and write

47D9000

direct allocation

page read and write

3E70000

heap

page read and write

3DB1000

trusted library allocation

page read and write

15FE000

stack

page read and write

660E000

stack

page read and write

2A35000

trusted library allocation

page execute and read and write

512E000

trusted library allocation

page read and write

3CC9000

heap

page read and write

46B0000

direct allocation

page read and write

F60000

trusted library allocation

page read and write

100000

heap

page read and write

6290000

trusted library allocation

page execute and read and write

155F000

stack

page read and write

678E000

stack

page read and write

624E000

stack

page read and write

3D46000

heap

page read and write

2A20000

trusted library allocation

page read and write

F00000

heap

page read and write

5160000

trusted library allocation

page read and write

557F000

stack

page read and write

47DD000

direct allocation

page read and write

513D000

trusted library allocation

page read and write

2A9E000

stack

page read and write

644D000

stack

page read and write

47DD000

direct allocation

page read and write

482000

unkown

page readonly

2A30000

trusted library allocation

page read and write

D60000

heap

page read and write

490000

unkown

page write copy

3DC6000

heap

page read and write

3DC6000

heap

page read and write

47DD000

direct allocation

page read and write

3E70000

heap

page read and write

3DC6000

heap

page read and write

3D24000

heap

page read and write

5FA0000

heap

page read and write

4633000

direct allocation

page read and write

484E000

direct allocation

page read and write

2E30000

heap

page read and write

EB5000

heap

page read and write

5370000

heap

page execute and read and write

3DC5000

heap

page read and write

43B3000

heap

page read and write

3DC6000

heap

page read and write

3E12000

heap

page read and write

65CE000

stack

page read and write

4510000

direct allocation

page read and write

482000

unkown

page readonly

95C000

heap

page read and write

46B0000

direct allocation

page read and write

5100000

trusted library allocation

page read and write

2A26000

trusted library allocation

page execute and read and write

3E70000

heap

page read and write

2D9D000

stack

page read and write

3E70000

heap

page read and write

3E70000

heap

page read and write

628E000

stack

page read and write

3B92000

heap

page read and write

3CF2000

heap

page read and write

2E17000

trusted library allocation

page read and write

400000

unkown

page readonly

46B0000

direct allocation

page read and write

1610000

heap

page read and write

484E000

direct allocation

page read and write

42CF000

heap

page read and write

5F40000

heap

page read and write

5780000

trusted library allocation

page read and write

3DC6000

heap

page read and write

3E70000

heap

page read and write

4510000

direct allocation

page read and write

F64000

trusted library allocation

page read and write

5150000

trusted library allocation

page read and write

F9A000

heap

page read and write

3BB1000

heap

page read and write

47DD000

direct allocation

page read and write

92A000

heap

page read and write

116E000

stack

page read and write

F78000

heap

page read and write

35AE000

stack

page read and write

401000

unkown

page execute read

9A000

stack

page read and write

3DC6000

heap

page read and write

8AF000

stack

page read and write

3D81000

heap

page read and write

2C9C000

stack

page read and write

3DC6000

heap

page read and write

47D9000

direct allocation

page read and write

F6D000

trusted library allocation

page execute and read and write

4510000

direct allocation

page read and write

4633000

direct allocation

page read and write

4633000

direct allocation

page read and write

3DC6000

heap

page read and write

578C000

trusted library allocation

page read and write

3DC6000

heap

page read and write

3B20000

heap

page read and write

7FAC0000

trusted library allocation

page execute and read and write

3DC6000

heap

page read and write

4225000

heap

page read and write

47D9000

direct allocation

page read and write

5750000

trusted library allocation

page read and write

39B4000

heap

page read and write

3C20000

heap

page read and write

3E70000

heap

page read and write

F30000

heap

page read and write

4633000

direct allocation

page read and write

3DC6000

heap

page read and write

2A10000

trusted library allocation

page read and write

1022000

heap

page read and write

3DC6000

heap

page read and write

3E70000

heap

page read and write

4510000

direct allocation

page read and write

511B000

trusted library allocation

page read and write

6150000

trusted library allocation

page read and write

910000

heap

page read and write

2BA0000

trusted library allocation

page execute and read and write

490000

unkown

page read and write

111E000

stack

page read and write

6140000

trusted library allocation

page read and write

9FA000

stack

page read and write

3E1C000

trusted library allocation

page read and write

3DC6000

heap

page read and write

FA8000

heap

page read and write

47DD000

direct allocation

page read and write

3E70000

heap

page read and write

3E70000

heap

page read and write

658E000

stack

page read and write

3DC6000

heap

page read and write

CF9000

stack

page read and write

5142000

trusted library allocation

page read and write

62AB000

trusted library allocation

page read and write

3E70000

heap

page read and write

47D9000

direct allocation

page read and write

3DC6000

heap

page read and write

2B9E000

stack

page read and write

FA5000

heap

page read and write

2E60000

heap

page read and write

4510000

direct allocation

page read and write

47D9000

direct allocation

page read and write

2DA0000

heap

page execute and read and write

3E70000

heap

page read and write

6A00000

trusted library allocation

page read and write

15B0000

heap

page read and write

2E25000

trusted library allocation

page read and write

5758000

trusted library allocation

page read and write

2BB0000

heap

page read and write

3E67000

heap

page read and write

2E40000

trusted library allocation

page read and write

69CF000

stack

page read and write

3E70000

heap

page read and write

2A32000

trusted library allocation

page read and write

2A22000

trusted library allocation

page read and write

484E000

direct allocation

page read and write

EFE000

stack

page read and write

484E000

direct allocation

page read and write

5131000

trusted library allocation

page read and write

2DFE000

stack

page read and write

6DE0000

heap

page read and write

5F60000

heap

page read and write

2E31000

trusted library allocation

page read and write

68CE000

stack

page read and write

62A0000

trusted library allocation

page read and write

4A7000

unkown

page read and write

11AE000

stack

page read and write

3ECF000

heap

page read and write

69F0000

heap

page read and write

46B0000

direct allocation

page read and write

4633000

direct allocation

page read and write

3E70000

heap

page read and write

3E70000

heap

page read and write

FEF000

heap

page read and write

51E0000

heap

page read and write

2DFC000

trusted library allocation

page read and write

3DC6000

heap

page read and write

3DC6000

heap

page read and write

6A20000

heap

page read and write

511E000

trusted library allocation

page read and write

3DC6000

heap

page read and write

3E70000

heap

page read and write

105000

heap

page read and write

61B0000

trusted library allocation

page read and write

1580000

heap

page read and write

2BC8000

trusted library allocation

page read and write

46B0000

direct allocation

page read and write

2A3B000

trusted library allocation

page execute and read and write

3DC6000

heap

page read and write

3E70000

heap

page read and write

47D9000

direct allocation

page read and write

5122000

trusted library allocation

page read and write

3DC6000

heap

page read and write

688D000

stack

page read and write

2A2A000

trusted library allocation

page execute and read and write

6147000

trusted library allocation

page read and write

51BC000

stack

page read and write

3E70000

heap

page read and write

3B21000

heap

page read and write

50F0000

trusted library allocation

page read and write

400000

system

page execute and read and write

61AE000

stack

page read and write

89F000

stack

page read and write

484E000

direct allocation

page read and write

3DC6000

heap

page read and write

92E000

heap

page read and write

4AB000

unkown

page readonly

4510000

direct allocation

page read and write

F50000

trusted library allocation

page read and write

5136000

trusted library allocation

page read and write

547C000

stack

page read and write

2E3C000

trusted library allocation

page read and write

There are 260 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
veems.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportveems.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
veems.exe