Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

electrumx64.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.997717964812734
Filename:	electrumx64.exe
Filesize:	47521498
MD5:	cf837466c42aa63d4e4df0352a8063ef
SHA1:	461a44b862408c89f16f845b7367b51800344a41
SHA256:	451070b87e0b3acf9de1f6fd858bfadbdaf23fe75cd6f56a29ec817946e70a42
SHA512:	ea7b575b6ccb2df7d6b4d38eab485f20a32a0e361d06cc2956260961829de8414ddf8de25c44b8b23dccf431124071a4a6681fc58c14f6b29fde0f68a5b5a29e
SSDEEP:	786432:0xW5G8CJA5+Uy2zuJHwMseHv0mA/s7emwLTYyJdU6M3z6t99:0c5G8CJoy2aJHw+HvwMeXLVsQ9
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...z...B...8.....

Signature Hits	Behavior Group	Mitre Attack
Tries to delay execution (extensive OutputDebugStringW loop)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Shutdown/Reboot
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Contains functionality for error logging	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Reads ini files	System Summary
Reads software policies	System Summary
Sample might require command line arguments	System Summary	Security Software Discovery
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Rich Edit Controls	System Summary

C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\System.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\System.dll
Category:	dropped
Dump:	System.dll.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\electrumx64.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	5.729426875863261
Encrypted:	false
Ssdeep:	192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
Size:	11264
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\licence.rtf

Rich Text Format data, version 1, ANSI, code page 936, default language ID 1033

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\licence.rtf
Category:	dropped
Dump:	licence.rtf.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\electrumx64.exe
Type:	Rich Text Format data, version 1, ANSI, code page 936, default language ID 1033
Entropy:	4.311680372462902
Encrypted:	false
Ssdeep:	12:pXFIiYm+6sG+MxWTcL/83+SJkHLHIcEehIuTzL24epekxcwdSMK2jVw169Qf2:kh6+Mu0/rHIcZtTO4UeQvS5I21rf2
Size:	939
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\logo.ico

MS Windows icon resource - 10 icons, 256x256, 32 bits/pixel, -128x-128, 32 bits/pixel

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\logo.ico
Category:	dropped
Dump:	logo.ico.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\electrumx64.exe
Type:	MS Windows icon resource - 10 icons, 256x256, 32 bits/pixel, -128x-128, 32 bits/pixel
Entropy:	5.129021303459069
Encrypted:	false
Ssdeep:	3072:RQd9Jsc2/1NfYiRPcv9H/CzlftbCJ3e0hoCkaKK0N6owWIP2sDGL4dTIoNxK4LdB:ctUYWai7o9Z9p5ENM
Size:	458870
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll
Category:	dropped
Dump:	nsNiuniuSkin.dll.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\electrumx64.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy:	7.923369185635811
Encrypted:	false
Ssdeep:	6144:zogxY8ClCBjHY8Sb/ziRCbHa/qh5APgK3nqOSEaGijVEAbzvL39wnk9sqcnBzOsp:8qClWjy/z6CZY3fxVqV5vz9w6sHB/p
Size:	349696
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\skin.zip

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\skin.zip
Category:	dropped
Dump:	skin.zip.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\electrumx64.exe
Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	7.9862763703586825
Encrypted:	false
Ssdeep:	12288:7pP9X8jpWqtEQQiBGqoJtvz8xVjTXfuST4TUJwMiWC6Y:7ptApWq6nYCtvz8TVUTUJfrY
Size:	509403
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\electrumx64.exe

"C:\Users\user\Desktop\electrumx64.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7128
Target ID:	0
Parent PID:	2580
Name:	electrumx64.exe
Path:	C:\Users\user\Desktop\electrumx64.exe
Commandline:	"C:\Users\user\Desktop\electrumx64.exe"
Size:	47521498
MD5:	CF837466C42AA63D4E4DF0352A8063EF
Time:	23:15:59
Date:	29/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1728512
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#

unknown

https://sectigo.com/CPS0

unknown

http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#

unknown

http://nsis.sf.net/NSIS_ErrorError

unknown

http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y

unknown

http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0

unknown

http://ocsp.sectigo.com0

unknown

http://www.leeqia.com

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

22BE000

stack

page read and write

536000

unkown

page readonly

401000

unkown

page execute read

859000

heap

page read and write

2CFB000

heap

page read and write

859000

heap

page read and write

2CF7000

heap

page read and write

7E0000

heap

page read and write

40C000

unkown

page read and write

534000

unkown

page readonly

86B000

heap

page read and write

859000

heap

page read and write

859000

heap

page read and write

47A3000

heap

page read and write

856000

heap

page read and write

2C00000

heap

page read and write

2B99000

heap

page read and write

6A0000

heap

page read and write

859000

heap

page read and write

6F953000

unkown

page readonly

859000

heap

page read and write

859000

heap

page read and write

409000

unkown

page readonly

2BE9000

heap

page read and write

2BF6000

heap

page read and write

2C13000

heap

page read and write

2C15000

heap

page read and write

6F951000

unkown

page execute read

859000

heap

page read and write

2BC1000

heap

page read and write

859000

heap

page read and write

6D05F000

unkown

page execute and read and write

859000

heap

page read and write

6D062000

unkown

page read and write

2B84000

heap

page read and write

99000

stack

page read and write

859000

heap

page read and write

7B5000

heap

page read and write

81E000

heap

page read and write

2B70000

heap

page read and write

2B80000

heap

page read and write

2B9A000

heap

page read and write

2BE3000

heap

page read and write

84D000

heap

page read and write

2BD4000

heap

page read and write

859000

heap

page read and write

2BA7000

heap

page read and write

859000

heap

page read and write

2CF4000

heap

page read and write

6D061000

unkown

page execute and write copy

2BB9000

heap

page read and write

859000

heap

page read and write

2B9F000

heap

page read and write

2C09000

heap

page read and write

859000

heap

page read and write

400000

unkown

page readonly

84E000

heap

page read and write

859000

heap

page read and write

82C000

heap

page read and write

2C09000

heap

page read and write

2B80000

heap

page read and write

2BF5000

heap

page read and write

2B83000

heap

page read and write

847000

heap

page read and write

192000

stack

page read and write

859000

heap

page read and write

2BC1000

heap

page read and write

760000

heap

page read and write

2BF0000

heap

page read and write

859000

heap

page read and write

2BE9000

heap

page read and write

2BF5000

heap

page read and write

2BD7000

heap

page read and write

84C000

heap

page read and write

2CF0000

heap

page read and write

2CF7000

heap

page read and write

2C0D000

heap

page read and write

2BB0000

heap

page read and write

859000

heap

page read and write

2CFA000

heap

page read and write

6D05A000

unkown

page execute and read and write

2C00000

heap

page read and write

2C4E000

heap

page read and write

85A000

heap

page read and write

859000

heap

page read and write

859000

heap

page read and write

859000

heap

page read and write

2B9A000

heap

page read and write

2C1D000

heap

page read and write

409000

unkown

page readonly

2E30000

heap

page read and write

2C1D000

heap

page read and write

859000

heap

page read and write

2C00000

heap

page read and write

4742000

heap

page read and write

2E9C000

stack

page read and write

859000

heap

page read and write

859000

heap

page read and write

690000

heap

page read and write

2BD2000

heap

page read and write

859000

heap

page read and write

6D047000

unkown

page execute and read and write

285F000

stack

page read and write

859000

heap

page read and write

2BCF000

heap

page read and write

859000

heap

page read and write

6A5000

heap

page read and write

2BE9000

heap

page read and write

871000

heap

page read and write

2BD4000

heap

page read and write

47ED000

heap

page read and write

2BF1000

heap

page read and write

2C59000

heap

page read and write

2B8B000

heap

page read and write

5B0000

heap

page read and write

23D4000

heap

page read and write

2B9C000

heap

page read and write

2B73000

heap

page read and write

2BED000

heap

page read and write

859000

heap

page read and write

420000

unkown

page read and write

84C000

heap

page read and write

275E000

stack

page read and write

2C03000

heap

page read and write

2E50000

heap

page read and write

2BB8000

heap

page read and write

7EA000

heap

page read and write

2BD6000

heap

page read and write

2BB8000

heap

page read and write

2B7D000

heap

page read and write

2C02000

heap

page read and write

400000

unkown

page readonly

859000

heap

page read and write

2F9E000

stack

page read and write

859000

heap

page read and write

2BF0000

heap

page read and write

859000

heap

page read and write

401000

unkown

page execute read

859000

heap

page read and write

2BA2000

heap

page read and write

2BEC000

heap

page read and write

2BF3000

heap

page read and write

859000

heap

page read and write

2BBD000

heap

page read and write

2BB6000

heap

page read and write

859000

heap

page read and write

7EE000

heap

page read and write

6CF60000

unkown

page readonly

2B77000

heap

page read and write

859000

heap

page read and write

2B79000

heap

page read and write

2C13000

heap

page read and write

2AD0000

heap

page read and write

6F950000

unkown

page readonly

859000

heap

page read and write

884000

heap

page read and write

2BD2000

heap

page read and write

859000

heap

page read and write

2980000

heap

page read and write

859000

heap

page read and write

2BF9000

heap

page read and write

859000

heap

page read and write

859000

heap

page read and write

536000

unkown

page readonly

40C000

unkown

page write copy

2C00000

heap

page read and write

23BE000

stack

page read and write

859000

heap

page read and write

859000

heap

page read and write

2BBE000

heap

page read and write

854000

heap

page read and write

2BBD000

heap

page read and write

2BF0000

heap

page read and write

4720000

heap

page read and write

7B0000

heap

page read and write

6CF61000

unkown

page execute and read and write

46B000

unkown

page read and write

534000

unkown

page readonly

23D0000

heap

page read and write

6F955000

unkown

page readonly

2BE1000

heap

page read and write

2B7C000

heap

page read and write

859000

heap

page read and write

849000

heap

page read and write

2C13000

heap

page read and write

There are 175 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
electrumx64.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportelectrumx64.exe

Files

Processes

URLs

Memdumps

IOC Report
electrumx64.exe