Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

sample-20240612-unpacked.exe

PE32 executable (console) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	3.557959871664382
Filename:	sample-20240612-unpacked.exe
Filesize:	32768
MD5:	0a781b3f657871233e03d73dc32279e6
SHA1:	c3d1ba24a292c88768514d130a59e28a0cf8471d
SHA256:	d883bb8c9c3263f60ae4c75432f17e2e558bfdbaf00936b4452fbe0d666a0a46
SHA512:	af01b7e537aa840722ad66a3afe0c7d7aca84ad50d1b2c310227f4764cb72fc5278e3a972203c8ad9217060ee58f9a70429456e82295db81225ca09e8766762e
SSDEEP:	192:Lf/WzPkcee3/2E0Hjyf4kiA8JoCcQEFcN4JE7Wtn40ZxUEIZ4CRCjbbE5pz6ekTo:LG8cmmghA8Jo104K7WrxeZ4ACjbb3Il
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........i...:...:...:..R:...:...;...:...;...:...;...:...;...:...;...:...;...:...:...:4..;...:4.>:...:4..;...:Rich...:........PE..L..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Native API
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to modify the execution of threads in other processes
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Found GUI installer (many successful clicks)	System Summary

C:\Users\user\Pictures\pressica.exe

PE32 executable (console) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\Pictures\pressica.exe
Category:	dropped
Dump:	pressica.exe.3.dr
ID:	dr_1
Target ID:	3
Process:	C:\Windows\SysWOW64\xcopy.exe
Type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	3.557959871664382
Encrypted:	false
Ssdeep:	192:Lf/WzPkcee3/2E0Hjyf4kiA8JoCcQEFcN4JE7Wtn40ZxUEIZ4CRCjbbE5pz6ekTo:LG8cmmghA8Jo104K7WrxeZ4ACjbb3Il
Size:	32768
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Suspicious Copy From or To System Directory	System Summary
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Found GUI installer (many successful clicks)	System Summary

C:\Users\user\Pictures\pressica.exe:Zone.Identifier

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\Pictures\pressica.exe:Zone.Identifier
Category:	modified
Dump:	pressica.exe_Zone.Identifier.3.dr
ID:	dr_0
Target ID:	3
Process:	C:\Windows\SysWOW64\xcopy.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates mutexes	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Found GUI installer (many successful clicks)	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\sample-20240612-unpacked.exe

"C:\Users\user\Desktop\sample-20240612-unpacked.exe"

C:\Windows\SysWOW64\mspaint.exe

mspaint.exe

C:\Users\user\Pictures\pressica.exe

"C:\Users\user\Pictures\pressica.exe"

C:\Windows\SysWOW64\mspaint.exe

mspaint.exe

C:\Users\user\Pictures\pressica.exe

"C:\Users\user\Pictures\pressica.exe"

C:\Windows\SysWOW64\mspaint.exe

mspaint.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\xcopy.exe

"C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612-unpacked.exe" "C:\Users\user\Pictures\pressica.exe*"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

There are 1 hidden processes, click here to show them.

Domains

Name

Malicious

S(]H7p#}ho:P4p__.str4ng3l.ov

unknown

Details

Name:	S(]H7p#}ho:P4p__.str4ng3l.ov
TargetID:	10
Current Path:	C:\Users\user\Pictures\pressica.exe

Signature Hits	Behavior Group	Mitre Attack
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

VirtualBox Guest Additions Manager

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value name:	VirtualBox Guest Additions Manager
Value data:	C:\Users\user\Pictures\pressica.exe

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

2EF0000

remote allocation

page execute and read and write

461000

heap

page read and write

2B00000

remote allocation

page execute and read and write

591000

heap

page read and write

3290000

remote allocation

page execute and read and write

6F1000

heap

page read and write

40B000

unkown

page readonly

19D000

stack

page read and write

2090000

heap

page read and write

20C4000

heap

page read and write

47FC000

stack

page read and write

40B000

unkown

page readonly

404000

unkown

page readonly

447000

heap

page read and write

41FF000

stack

page read and write

2080000

heap

page read and write

8CF000

stack

page read and write

3D30000

trusted library allocation

page read and write

401000

unkown

page execute read

589000

heap

page read and write

1F5000

heap

page read and write

596000

heap

page read and write

283D000

heap

page read and write

1D0000

heap

page read and write

510000

heap

page read and write

410000

heap

page read and write

3900000

trusted library allocation

page read and write

595000

heap

page read and write

18E000

stack

page read and write

1C0000

heap

page read and write

4D5000

heap

page read and write

400000

unkown

page readonly

19C000

stack

page read and write

40A000

unkown

page read and write

20A5000

heap

page read and write

40A000

unkown

page read and write

252E000

stack

page read and write

58E000

heap

page read and write

2070000

heap

page read and write

18E000

stack

page read and write

55E000

stack

page read and write

401000

unkown

page execute read

404000

unkown

page readonly

401000

unkown

page execute read

6EE000

heap

page read and write

5A0000

heap

page read and write

76F000

stack

page read and write

465000

heap

page read and write

404000

unkown

page readonly

4D0000

heap

page read and write

18E000

stack

page read and write

1F0000

heap

page read and write

440000

heap

page read and write

4A0000

heap

page read and write

40B000

unkown

page readonly

6D0000

heap

page read and write

20A0000

heap

page read and write

5EF000

stack

page read and write

467F000

stack

page read and write

4F0000

heap

page read and write

24CE000

stack

page read and write

8AE000

stack

page read and write

40B000

unkown

page readonly

214E000

stack

page read and write

3D30000

trusted library allocation

page read and write

49E000

stack

page read and write

2109000

heap

page read and write

6AF000

stack

page read and write

74E000

stack

page read and write

99000

stack

page read and write

6F1000

heap

page read and write

45E000

heap

page read and write

88F000

stack

page read and write

2828000

heap

page read and write

515000

heap

page read and write

40A000

unkown

page read and write

19D000

stack

page read and write

6E9000

heap

page read and write

462000

heap

page read and write

400000

unkown

page readonly

578000

heap

page read and write

24D0000

heap

page read and write

18C000

stack

page read and write

401000

unkown

page execute read

45E000

stack

page read and write

401000

unkown

page execute read

54D000

stack

page read and write

18C000

stack

page read and write

570000

heap

page read and write

18C000

stack

page read and write

2470000

heap

page read and write

224F000

stack

page read and write

640000

heap

page read and write

11D000

stack

page read and write

47BF000

stack

page read and write

3960000

heap

page read and write

400000

unkown

page readonly

282B000

heap

page read and write

401000

unkown

page execute read

48FD000

stack

page read and write

461000

heap

page read and write

404000

unkown

page readonly

404000

unkown

page readonly

47E000

heap

page read and write

6D8000

heap

page read and write

2205000

heap

page read and write

47E000

heap

page read and write

40B000

unkown

page readonly

430000

heap

page read and write

42FF000

stack

page read and write

2105000

heap

page read and write

21FE000

stack

page read and write

404000

unkown

page readonly

3964000

heap

page read and write

230F000

stack

page read and write

9A000

stack

page read and write

6C4000

heap

page read and write

400000

unkown

page readonly

400000

unkown

page readonly

40B000

unkown

page readonly

9A000

stack

page read and write

2080000

heap

page read and write

20A9000

heap

page read and write

24EE000

stack

page read and write

459000

heap

page read and write

2209000

heap

page read and write

6F5000

heap

page read and write

78E000

stack

page read and write

410000

heap

page read and write

2090000

heap

page read and write

420000

heap

page read and write

7AE000

stack

page read and write

400000

unkown

page readonly

5B8000

heap

page read and write

2100000

heap

page read and write

6F6000

heap

page read and write

70E000

heap

page read and write

64E000

stack

page read and write

15A000

stack

page read and write

58E000

stack

page read and write

591000

heap

page read and write

2080000

heap

page read and write

46BE000

stack

page read and write

457E000

stack

page read and write

466000

heap

page read and write

6C0000

heap

page read and write

20C0000

heap

page read and write

50D000

stack

page read and write

2820000

heap

page read and write

2200000

heap

page read and write

23CE000

stack

page read and write

2090000

heap

page read and write

There are 142 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
sample-20240612-unpacked.exe

Files

Processes

Domains

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportsample-20240612-unpacked.exe

Files

Processes

Domains

Registry

Memdumps

IOC Report
sample-20240612-unpacked.exe