Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

12.exe

PE32 executable (console) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	6.583817331975598
Filename:	12.exe
Filesize:	997376
MD5:	d4e6ee6762c4f87650cd3e591ff7f71a
SHA1:	91be75dc4311c405c0267df327330fdaf585ba9b
SHA256:	b53a2e87ac17942649c2fc60f3247c898faf563d84f596344cfacd03350b031a
SHA512:	30b52db708ba2e7fba610825496542ecca38cd9b342ab9e930110c8cc767e0ddb3a9e9ab57a043b9156c2703556a9528193db1495f55d5a0c1eb536d846fc898
SSDEEP:	24576:nS6XklOGApJ6vstNPuPROYrIzOCMPhm3g1gmunB:nS6eOGApsvX5/M6C7geBnB
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........}..\|...\|...\|.bV....\|.bV..s.\|.bV....\|..../..\|...y/U.\|...x/..\|.......\|...}.v.\|...y/..\|.}.y/..\|.}.....\|.}.~/..\|.Rich..\|........

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
Uses 32bit PE files	Compliance, System Summary
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Checks the free space of harddrives	Malware Analysis System Evasion
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query local drives	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
PE file has an executable .text section and no other executable section	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\RSADecryptKey\ID.DAT

ASCII text, with no line terminators

dropped

Details

File:	C:\RSADecryptKey\ID.DAT
Category:	dropped
Dump:	ID.DAT.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\12.exe
Type:	ASCII text, with no line terminators
Entropy:	3.321928094887362
Encrypted:	false
Ssdeep:	3:haN:u
Size:	10
Whitelisted:	false
Reputation:	low

C:\RSADecryptKey\KEY.DAT

data

dropped

Details

File:	C:\RSADecryptKey\KEY.DAT
Category:	dropped
Dump:	KEY.DAT.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\12.exe
Type:	data
Entropy:	7.951398094272129
Encrypted:	false
Ssdeep:	96:gHp4E2KCn1S7aNtjF7TCFEhIeg4E1euv24cIWseUbfy6bfbJ:CGcuLyESebEIW5cblUm6HJ
Size:	3873
Whitelisted:	false
Reputation:	low

C:\RSADecryptKey\KEY.txt

very short file (no magic)

dropped

Details

File:	C:\RSADecryptKey\KEY.txt
Category:	dropped
Dump:	KEY.txt.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\12.exe
Type:	very short file (no magic)
Entropy:	0.0
Encrypted:	false
Ssdeep:	3:V:V
Size:	1
Whitelisted:	true
Reputation:	high

C:\RSADecryptKey\Public.txt

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\RSADecryptKey\Public.txt
Category:	dropped
Dump:	Public.txt.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\12.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	6.006722588887071
Encrypted:	false
Ssdeep:	12:CZFecQt9jFE9nkfNgQ8lIhfDWv4Bcibkto3moEK5kHY+oUoiByMGF:0ccKFE9kfNgvIhfDSGcGJk5zPQMS
Size:	754
Whitelisted:	false
Reputation:	low

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\12.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.753434386188785
Encrypted:	false
Ssdeep:	3:opI9S1XoyR/:omUqyV
Size:	28
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\12.exe

"C:\Users\user\Desktop\12.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5284
Target ID:	0
Parent PID:	1028
Name:	12.exe
Path:	C:\Users\user\Desktop\12.exe
Commandline:	"C:\Users\user\Desktop\12.exe"
Size:	997376
MD5:	D4E6EE6762C4F87650CD3E591FF7F71A
Time:	07:25:54
Date:	29/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xee0000
Modulesize:	1019904
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5788
Target ID:	1
Parent PID:	5284
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	07:25:54
Date:	29/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://t.me/mamondec1-Com

unknown

https://t.me/mamondec

unknown

https://t.me/mamondecDOq

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

790000

heap

page read and write

FCB000

unkown

page read and write

FC3000

unkown

page write copy

EE0000

unkown

page readonly

FC3000

unkown

page read and write

760000

heap

page read and write

79A000

heap

page read and write

FC4000

unkown

page write copy

7B7000

heap

page read and write

F95000

unkown

page readonly

FC5000

unkown

page read and write

740000

heap

page read and write

FC9000

unkown

page read and write

EE1000

unkown

page execute read

79E000

heap

page read and write

FC6000

unkown

page write copy

6FB000

stack

page read and write

3DD000

stack

page read and write

EE0000

unkown

page readonly

FCD000

unkown

page readonly

750000

heap

page readonly

EE1000

unkown

page execute read

F95000

unkown

page readonly

7C4000

heap

page read and write

FCD000

unkown

page readonly

780000

heap

page read and write

770000

heap

page read and write

BE0000

heap

page read and write

7AD000

heap

page read and write

775000

heap

page read and write

There are 20 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
12.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report12.exe

Files

Processes

URLs

Memdumps

IOC Report
12.exe