Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

essetup.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.99647901070941
Filename:	essetup.exe
Filesize:	1335024
MD5:	3cb6d589a774c51a099ab6ef738e3e36
SHA1:	e597a0d1fa0bc47ac06d13fe2efc4637fa7c0416
SHA256:	fbb8e38c891b8f385804a2b4ff540830cef7c440ea34ebb696d15224cfbbfe6b
SHA512:	d5fb428190ce539eb0358c9cde02228737c5de625b16c2971e2907487af7d7e0c37835dee172fd8edf08e6d392b8a5121e8bfd6f519f308378cdf57def0df8eb
SSDEEP:	24576:KXJAMgUJXKu3FSwdndX74wpfDH3UMQqbfm14I2D3Nrq7yF3lqnYwt:02pu3l2wpfDEjqa14IS5qfn/
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.!z..O)..O)..O)...)..O)..N)3.O)...)..O)...)..O)...)..O)Rich..O)................PE..L...nZ{f...................................

Signature Hits	Behavior Group	Mitre Attack
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary	System Information Discovery
Sample might require command line arguments	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\n1s\nchdata.cab

Microsoft Cabinet archive data, Windows 2000/XP setup, 433993 bytes, 1 file, at 0x2c +A "resource.dat", number 1, 25 datablocks, 0x1503 compression

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\n1s\nchdata.cab
Category:	dropped
Dump:	nchdata.cab.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\essetup.exe
Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 433993 bytes, 1 file, at 0x2c +A "resource.dat", number 1, 25 datablocks, 0x1503 compression
Entropy:	7.9991830347405966
Encrypted:	true
Ssdeep:	12288:mlbsSAMgUHrFXAlJu32OS6nyadnqoFfnRHDfs4:mJAMgUJXKu3FSwdndXn
Size:	433993
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\n1s\nchdata.dat

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\n1s\nchdata.dat
Category:	dropped
Dump:	nchdata.dat.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\essetup.exe
Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy:	5.994837242938757
Encrypted:	false
Ssdeep:	12288:QFzS6ZJfchnqF2XXCUCo6B706kqwx1EADjWCsDOmfZs:izSok22XSFn7UTiSmfZs
Size:	805215
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\n1s\nchsetup.cab

Microsoft Cabinet archive data, Windows 2000/XP setup, 864221 bytes, 1 file, at 0x2c +A "Scribe.exe", number 1, 71 datablocks, 0x1503 compression

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\n1s\nchsetup.cab
Category:	dropped
Dump:	nchsetup.cab.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\essetup.exe
Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 864221 bytes, 1 file, at 0x2c +A "Scribe.exe", number 1, 71 datablocks, 0x1503 compression
Entropy:	7.999734709500922
Encrypted:	true
Ssdeep:	24576:04wpfDH3UMQqbfm14I2D3Nrq7yF3lqnYwU:NwpfDEjqa14IS5qfni
Size:	864221
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\n1s\nchsetup.exe
Category:	dropped
Dump:	nchsetup.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\essetup.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.268152982076055
Encrypted:	false
Ssdeep:	24576:/pyFpD64I/zLKECN0qYViCwxsGZJVBS+BCXtOGmh8EpRq5sWAMODrUY:eNI/TPrMd4AGmKlKMov
Size:	2294512
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Found GUI installer (many successful clicks)	System Summary

C:\Users\user\AppData\Local\Temp\n2s\nchdata.cab

Microsoft Cabinet archive data, Windows 2000/XP setup, 433993 bytes, 1 file, at 0x2c +A "resource.dat", number 1, 25 datablocks, 0x1503 compression

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\n2s\nchdata.cab
Category:	dropped
Dump:	nchdata.cab.5.dr
ID:	dr_6
Target ID:	5
Process:	C:\Users\user\Desktop\essetup.exe
Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 433993 bytes, 1 file, at 0x2c +A "resource.dat", number 1, 25 datablocks, 0x1503 compression
Entropy:	7.9991830347405966
Encrypted:	true
Ssdeep:	12288:mlbsSAMgUHrFXAlJu32OS6nyadnqoFfnRHDfs4:mJAMgUJXKu3FSwdndXn
Size:	433993
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\n2s\nchdata.dat
Category:	dropped
Dump:	nchdata.dat.5.dr
ID:	dr_7
Target ID:	5
Process:	C:\Users\user\Desktop\essetup.exe
Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy:	5.994837242938757
Encrypted:	false
Ssdeep:	12288:QFzS6ZJfchnqF2XXCUCo6B706kqwx1EADjWCsDOmfZs:izSok22XSFn7UTiSmfZs
Size:	805215
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\n2s\nchsetup.cab

Microsoft Cabinet archive data, Windows 2000/XP setup, 864221 bytes, 1 file, at 0x2c +A "Scribe.exe", number 1, 71 datablocks, 0x1503 compression

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\n2s\nchsetup.cab
Category:	dropped
Dump:	nchsetup.cab.5.dr
ID:	dr_4
Target ID:	5
Process:	C:\Users\user\Desktop\essetup.exe
Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 864221 bytes, 1 file, at 0x2c +A "Scribe.exe", number 1, 71 datablocks, 0x1503 compression
Entropy:	7.999734709500922
Encrypted:	true
Ssdeep:	24576:04wpfDH3UMQqbfm14I2D3Nrq7yF3lqnYwU:NwpfDEjqa14IS5qfni
Size:	864221
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\n2s\nchsetup.exe
Category:	dropped
Dump:	nchsetup.exe.5.dr
ID:	dr_5
Target ID:	5
Process:	C:\Users\user\Desktop\essetup.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.268152982076055
Encrypted:	false
Ssdeep:	24576:/pyFpD64I/zLKECN0qYViCwxsGZJVBS+BCXtOGmh8EpRq5sWAMODrUY:eNI/TPrMd4AGmKlKMov
Size:	2294512
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading