Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

sample-20240612.exe

PE32 executable (console) Intel 80386, for MS Windows, UPX compressed

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
Entropy:	7.2239260255600035
Filename:	sample-20240612.exe
Filesize:	11264
MD5:	8045fd77ad5d947604c3641666dda302
SHA1:	54d9d532e3947738aac4e46be674286ed3d96546
SHA256:	98299848d4551b3491b8932596e194bb8f59eaf30438992109d48c1a391a49f4
SHA512:	d93d19835e48650ce6f25f0452e81c52eb80eecfcbb15fac1e64b6636c2bc0d7b2af864cc395dc26c5cfcace815a7b3fc513c8402b6d6fdd447da33325571fc4
SSDEEP:	192:9SEqLn60yDanuxsSObs9O+q/kJCYpbFLUCIApgGVdbPURsinTyhvUyS9leOd:4Ey60yDuSOYWYDUCIApgGV5cRsiwYlLd
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........i...:...:...:..R:...:...;...:...;...:...;...:...;...:...;...:...;...:...:...:4..;...:4.>:...:4..;...:Rich...:........PE..L..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection	Process Injection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion	Clipboard Data
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Process Injection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Process Injection
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Uses 32bit PE files	Compliance, System Summary	Process Injection Masquerading
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Process Injection Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to download additional files from the internet	Networking	Process Injection Ingress Tool Transfer
Contains functionality to modify the execution of threads in other processes
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Process Injection
Program exit points	Malware Analysis System Evasion
Reads ini files	System Summary	Process Injection File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Found GUI installer (many successful clicks)	System Summary

C:\Users\user\Pictures\pressica.exe

PE32 executable (console) Intel 80386, for MS Windows, UPX compressed

dropped

Details

File:	C:\Users\user\Pictures\pressica.exe
Category:	dropped
Dump:	pressica.exe.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Windows\SysWOW64\xcopy.exe
Type:	PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
Entropy:	7.2239260255600035
Encrypted:	false
Ssdeep:	192:9SEqLn60yDanuxsSObs9O+q/kJCYpbFLUCIApgGVdbPURsinTyhvUyS9leOd:4Ey60yDuSOYWYDUCIApgGV5cRsiwYlLd
Size:	11264
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for dropped file	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Suspicious Copy From or To System Directory	System Summary
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Found GUI installer (many successful clicks)	System Summary

C:\Users\user\Pictures\pressica.exe:Zone.Identifier

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\Pictures\pressica.exe:Zone.Identifier
Category:	modified
Dump:	pressica.exe_Zone.Identifier.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Windows\SysWOW64\xcopy.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for dropped file	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates mutexes	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Found GUI installer (many successful clicks)	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\sample-20240612.exe

"C:\Users\user\Desktop\sample-20240612.exe"

C:\Windows\SysWOW64\mspaint.exe

mspaint.exe

C:\Users\user\Pictures\pressica.exe

"C:\Users\user\Pictures\pressica.exe"

C:\Windows\SysWOW64\mspaint.exe

mspaint.exe

C:\Users\user\Pictures\pressica.exe

"C:\Users\user\Pictures\pressica.exe"

C:\Windows\SysWOW64\mspaint.exe

mspaint.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\xcopy.exe

"C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612.exe" "C:\Users\user\Pictures\pressica.exe*"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

There are 1 hidden processes, click here to show them.

Domains

Name

Malicious

S(]H7p#}ho:P4p__.str4ng3l.ov

unknown

Details

Name:	S(]H7p#}ho:P4p__.str4ng3l.ov
TargetID:	11
Current Path:	C:\Users\user\Pictures\pressica.exe

Signature Hits	Behavior Group	Mitre Attack
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

VirtualBox Guest Additions Manager

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value name:	VirtualBox Guest Additions Manager
Value data:	C:\Users\user\Pictures\pressica.exe

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

741000

heap

page read and write

6E0000

remote allocation

page execute and read and write

52B000

heap

page read and write

730000

remote allocation

page execute and read and write

3230000

remote allocation

page execute and read and write

6A1000

heap

page read and write

410000

heap

page read and write

18C000

stack

page read and write

3D0E000

stack

page read and write

739000

heap

page read and write

410000

heap

page read and write

C30000

heap

page read and write

400000

unkown

page readonly

6BE000

heap

page read and write

227E000

stack

page read and write

5C0000

heap

page read and write

40C000

unkown

page execute and read and write

5D0000

heap

page read and write

75E000

heap

page read and write

5E5000

heap

page read and write

501000

heap

page read and write

741000

heap

page read and write

8F5000

heap

page read and write

3834000

heap

page read and write

5E0000

heap

page read and write

400000

unkown

page readonly

91B000

heap

page read and write

221E000

stack

page read and write

3D10000

trusted library allocation

page read and write

5E5000

heap

page read and write

4FE000

heap

page read and write

40D000

unkown

page execute and write copy

6A6000

heap

page read and write

40A000

unkown

page execute and read and write

505000

heap

page read and write

18E000

stack

page read and write

9F0000

heap

page read and write

4E0000

heap

page read and write

73E000

heap

page read and write

A8F000

stack

page read and write

7BF000

stack

page read and write

40C000

unkown

page execute and write copy

40C000

unkown

page execute and read and write

710000

heap

page read and write

48ED000

stack

page read and write

8BE000

stack

page read and write

720000

heap

page read and write

A00000

heap

page read and write

530000

heap

page read and write

A99000

heap

page read and write

517000

heap

page read and write

6A1000

heap

page read and write

6BE000

heap

page read and write

23BE000

stack

page read and write

410000

heap

page read and write

242E000

stack

page read and write

22EF000

stack

page read and write

49E000

stack

page read and write

4A0000

heap

page read and write

40C000

unkown

page execute and write copy

A95000

heap

page read and write

8C0000

heap

page read and write

18C000

stack

page read and write

51B000

heap

page read and write

67F000

stack

page read and write

A50000

heap

page read and write

57E000

stack

page read and write

40D000

unkown

page execute and write copy

509000

heap

page read and write

18E000

stack

page read and write

9A000

stack

page read and write

400000

unkown

page readonly

A54000

heap

page read and write

45E000

stack

page read and write

3D30000

trusted library allocation

page read and write

8F9000

heap

page read and write

40E000

unkown

page write copy

40E000

unkown

page read and write

24BF000

stack

page read and write

910000

heap

page read and write

5E0000

heap

page read and write

401000

unkown

page execute and read and write

518000

heap

page read and write

2320000

heap

page read and write

A05000

heap

page read and write

8D0000

heap

page read and write

40E000

unkown

page write copy

231F000

stack

page read and write

680000

heap

page read and write

4F9000

heap

page read and write

745000

heap

page read and write

87F000

stack

page read and write

40C000

unkown

page execute and write copy

19D000

stack

page read and write

19D000

stack

page read and write

69E000

heap

page read and write

746000

heap

page read and write

900000

heap

page read and write

8E0000

heap

page read and write

6EE000

stack

page read and write

401000

unkown

page execute and read and write

66D000

stack

page read and write

237F000

stack

page read and write

4E8000

heap

page read and write

8C4000

heap

page read and write

506000

heap

page read and write

728000

heap

page read and write

A90000

heap

page read and write

40E000

unkown

page write copy

720000

heap

page read and write

3A9F000

stack

page read and write

20DE000

stack

page read and write

40C000

unkown

page execute and read and write

99000

stack

page read and write

A4E000

stack

page read and write

18C000

stack

page read and write

21DF000

stack

page read and write

49E000

stack

page read and write

87E000

stack

page read and write

2580000

heap

page read and write

9A000

stack

page read and write

18E000

stack

page read and write

83D000

stack

page read and write

3EA0000

trusted library allocation

page read and write

8BE000

stack

page read and write

501000

heap

page read and write

45E000

stack

page read and write

40E000

unkown

page read and write

699000

heap

page read and write

401000

unkown

page execute and read and write

6F0000

heap

page read and write

6A5000

heap

page read and write

47AF000

stack

page read and write

8F0000

heap

page read and write

232E000

stack

page read and write

400000

unkown

page readonly

4510000

heap

page read and write

9E0000

heap

page read and write

4A0000

heap

page read and write

40A000

unkown

page execute and read and write

8FF000

stack

page read and write

3830000

heap

page read and write

21EE000

stack

page read and write

91F000

stack

page read and write

19D000

stack

page read and write

918000

heap

page read and write

6AA000

stack

page read and write

A09000

heap

page read and write

400000

unkown

page readonly

40D000

unkown

page execute and write copy

6A2000

heap

page read and write

880000

heap

page read and write

400000

unkown

page readonly

47EC000

stack

page read and write

A4E000

stack

page read and write

688000

heap

page read and write

40A000

unkown

page execute and read and write

542000

heap

page read and write

4A5000

heap

page read and write

52E000

stack

page read and write

40E000

unkown

page read and write

There are 151 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
sample-20240612.exe

Files

Processes

Domains

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportsample-20240612.exe

Files

Processes

Domains

Registry

Memdumps

IOC Report
sample-20240612.exe