Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Unlimited HEIC Converter Installer.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.8280478140244485
Filename:	Unlimited HEIC Converter Installer.exe
Filesize:	1058336
MD5:	5a0c501219ce6252e84ecd38d1e7bf3d
SHA1:	cada316be26dbdcc7d4036a85431b2c0a94f8f54
SHA256:	d7737ed305e02b560d5a03c88fbd76115d7a217cf300ef3e320265910c3d2106
SHA512:	c2ea24fe7b85eef2f854a79e0d8235c3e533394a4adb9c76934fdc9309fecaa9eb4a8eb0b69aa9e1be5015493216e61651d7ed617577a9b8ab90bc78f9a5ed5a
SSDEEP:	12288:qvUGQWpy+Tac0RDffXJjyYpcyoNHSy5viczPESsQ3BaE32VfXJjyYpz:lGQB+2DR7BWYpcyo44u0aPVBWYpz
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w.m..........."...0......(........... ........@.. ....................... ............`................................

Signature Hits	Behavior Group	Mitre Attack
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains an invalid checksum	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WPF9C8D.tmp

PNG image data, 100 x 100, 8-bit/color RGBA, non-interlaced

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WPF9C8D.tmp
Category:	dropped
Dump:	WPF9C8D.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\Unlimited HEIC Converter Installer.exe
Type:	PNG image data, 100 x 100, 8-bit/color RGBA, non-interlaced
Entropy:	7.925781063647787
Encrypted:	false
Size:	3649
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WPFDCB2.tmp

PNG image data, 68 x 68, 8-bit/color RGBA, non-interlaced

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WPFDCB2.tmp
Category:	dropped
Dump:	WPFDCB2.tmp.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Unlimited HEIC Converter Installer.exe
Type:	PNG image data, 68 x 68, 8-bit/color RGBA, non-interlaced
Entropy:	7.581516394833844
Encrypted:	false
Size:	777
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery

C:\Users\user\AppData\Local\Temp\Tmp97F8.tmp

ASCII text, with very long lines (1136), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp97F8.tmp
Category:	dropped
Dump:	Tmp97F8.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Unlimited HEIC Converter Installer.exe
Type:	ASCII text, with very long lines (1136), with no line terminators
Entropy:	5.884313058724772
Encrypted:	false
Size:	1136
Whitelisted:	false

Domains

Name

Malicious

fp2e7a.wpc.phicdn.net

192.229.221.95

IPs

Domain

Country

Malicious

184.28.90.29

unknown

United States

20.82.154.241

unknown

United States

23.32.185.103

unknown

United States

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Unlimited HEIC Converter Installer.exe

Files

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportUnlimited HEIC Converter Installer.exe

Files

Domains

IPs

IOC Report
Unlimited HEIC Converter Installer.exe