Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

7rtK9LWbTc.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.29738403146313
Filename:	7rtK9LWbTc.exe
Filesize:	80312
MD5:	d0930dc6939b931c258795a16b59c2cf
SHA1:	1530387224130061e6087f1c57655891a251895e
SHA256:	5cc4012aaf7b2da15f12a47279c9b5c634e8d2daf6e93dff0492cdbc73ba9e7d
SHA512:	6fbd17985aeaf6f1280f3b12a8ac84886f923e93edf876c4081de900e39153843a56e73622e974e812901afec3834eca98f71ef2b6caa0d42f8049d2f6c66cd1
SSDEEP:	1536:nLNIW39SaZTbFARlq7jC1OZstZu0TS3gEdUJCkb0FG5K:nLlbZTZX3BAtTS3gEdUJCkb0FGQ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........K.mSK.mSK.mS$..Si.mS$..SY.mS$..S-.mSB..SX.mSK.lS5.mS$..SJ.mS$..SJ.mS$..SJ.mSRichK.mS........................PE..L...P..V...

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query network adapater information	Malware Analysis System Evasion	Security Software Discovery System Network Configuration Discovery Ingress Tool Transfer
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	System Time Discovery Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Found evasive API chain (may stop execution after checking a module file name)	Malware Analysis System Evasion
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information Security Software Discovery
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Security Software Discovery Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Might use command line arguments	System Summary	Command and Scripting Interpreter
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary	Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a mix of data directories often seen in goodware	System Summary

C:\ProgramData\Graphics\guifx.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\ProgramData\Graphics\guifx.exe
Category:	dropped
Dump:	guifx.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\7rtK9LWbTc.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.297467049156134
Encrypted:	false
Ssdeep:	1536:nLNIW39SaZTbFARlq7jC1OZstZu0TS3gEdUJCkb0FG5q:nLlbZTZX3BAtTS3gEdUJCkb0FGg
Size:	80316
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Native API
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion
Found evasive API chain (may stop execution after checking a module file name)	Malware Analysis System Evasion	Native API
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates mutexes	System Summary
Program exit points	Malware Analysis System Evasion
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

\Device\Null

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\Null
Category:	dropped
Dump:	Null.6.dr
ID:	dr_1
Target ID:	6
Process:	C:\Windows\SysWOW64\cmd.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.580023372597454
Encrypted:	false
Ssdeep:	3:oNWXp5vSX/ocNyn:oNWXpFSXQcNyn
Size:	39
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\7rtK9LWbTc.exe

"C:\Users\user\Desktop\7rtK9LWbTc.exe"

Details

Is windows:	false
Is dropped:	false
PID:	8056
Target ID:	0
Parent PID:	640
Name:	7rtK9LWbTc.exe
Path:	C:\Users\user\Desktop\7rtK9LWbTc.exe
Commandline:	"C:\Users\user\Desktop\7rtK9LWbTc.exe"
Size:	80312
MD5:	D0930DC6939B931C258795A16B59C2CF
Time:	10:56:24
Date:	01/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xbc0000
Modulesize:	94208
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\ProgramData\Graphics\guifx.exe

"C:\ProgramData\Graphics\guifx.exe" /run

Details

Is windows:	false
Is dropped:	true
PID:	8080
Target ID:	1
Parent PID:	8056
Name:	guifx.exe
Path:	C:\ProgramData\Graphics\guifx.exe
Commandline:	"C:\ProgramData\Graphics\guifx.exe" /run
Size:	80316
MD5:	A7D9795D178F27CA2CEBB45293CFE3B1
Time:	10:56:24
Date:	01/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf70000
Modulesize:	94208
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\ProgramData\Graphics\guifx.exe

"C:\ProgramData\Graphics\guifx.exe" /run

Details

Is windows:	false
Is dropped:	true
PID:	7340
Target ID:	3
Parent PID:	640
Name:	guifx.exe
Path:	C:\ProgramData\Graphics\guifx.exe
Commandline:	"C:\ProgramData\Graphics\guifx.exe" /run
Size:	80316
MD5:	A7D9795D178F27CA2CEBB45293CFE3B1
Time:	10:56:36
Date:	01/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0xf70000
Modulesize:	94208
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\ProgramData\Graphics\guifx.exe

"C:\ProgramData\Graphics\guifx.exe" /run

Details

Is windows:	false
Is dropped:	true
PID:	7804
Target ID:	5
Parent PID:	640
Name:	guifx.exe
Path:	C:\ProgramData\Graphics\guifx.exe
Commandline:	"C:\ProgramData\Graphics\guifx.exe" /run
Size:	80316
MD5:	A7D9795D178F27CA2CEBB45293CFE3B1
Time:	10:56:44
Date:	01/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0xf70000
Modulesize:	94208
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\cmd.exe

"C:\windows\system32\cmd.exe" /c del /q "C:\Users\user\Desktop\7rtK9LWbTc.exe" >> NUL

Details

Is windows:	true
Is dropped:	false
PID:	5804
Target ID:	6
Parent PID:	8056
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\windows\system32\cmd.exe" /c del /q "C:\Users\user\Desktop\7rtK9LWbTc.exe" >> NUL
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	10:56:55
Date:	01/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xb80000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1796
Target ID:	7
Parent PID:	5804
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	873472
MD5:	7366FBEFE66BA0F1F5304F7D6FEF09FE
Time:	10:56:55
Date:	01/11/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff720030000
Modulesize:	901120
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://crl.thawte.com/ThawteTimestampingCA.crl0

unknown

http://ocsp.thawte.com0

unknown

http://www.initech.com0

unknown

IPs

Domain

Country

Malicious

165.194.123.67

unknown

Korea Republic of

Details

IP:	165.194.123.67
TargetID:	1
Current Path:	C:\ProgramData\Graphics\guifx.exe
Country:	Korea Republic of
Countrycode:	KOR
ASN number:	17575
ASN name:	CAUNET-AS-KRChung-AngUniversityKR
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Graphics

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	Graphics
Value data:	"C:\ProgramData\Graphics\guifx.exe" /run

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

F71000

unkown

page execute read

F80000

unkown

page read and write

F84000

unkown

page readonly

291E000

stack

page read and write

8CE000

heap

page read and write

7E0000

heap

page read and write

2DDF000

stack

page read and write

28F0000

heap

page read and write

93E000

stack

page read and write

540000

heap

page read and write

C9E000

stack

page read and write

28E0000

heap

page read and write

F84000

unkown

page readonly

F80000

unkown

page write copy

94E000

stack

page read and write

2A0000

heap

page read and write

5DE000

stack

page read and write

80E000

stack

page read and write

BD0000

unkown

page read and write

BD4000

unkown

page readonly

9A8000

heap

page read and write

87E000

stack

page read and write

F7C000

unkown

page readonly

3F0000

heap

page read and write

B8F000

stack

page read and write

2BDF000

stack

page read and write

EE0000

heap

page read and write

BCC000

unkown

page readonly

67C000

stack

page read and write

F80000

unkown

page write copy

F7C000

unkown

page readonly

25C0000

heap

page read and write

AC0000

heap

page read and write

F71000

unkown

page execute read

8C0000

heap

page read and write

CDF000

stack

page read and write

F71000

unkown

page execute read

8FC000

stack

page read and write

F80000

unkown

page write copy

9B1000

heap

page read and write

912000

heap

page read and write

880000

heap

page read and write

3BE000

stack

page read and write

9FE000

heap

page read and write

2A1E000

stack

page read and write

9A0000

heap

page read and write

530000

heap

page read and write

2D80000

heap

page read and write

F7C000

unkown

page readonly

90F000

stack

page read and write

805000

heap

page read and write

F71000

unkown

page execute read

A7E000

stack

page read and write

F50000

heap

page read and write

2BE0000

heap

page read and write

F70000

unkown

page readonly

2CE8000

heap

page read and write

9F0000

heap

page read and write

800000

heap

page read and write

6FB000

stack

page read and write

F7C000

unkown

page readonly

2F5C000

stack

page read and write

2CA6000

heap

page read and write

4E0000

heap

page read and write

2D3E000

heap

page read and write

305C000

stack

page read and write

830000

heap

page read and write

8CA000

heap

page read and write

2C9F000

stack

page read and write

32B000

stack

page read and write

E60000

heap

page read and write

C6F000

stack

page read and write

C8F000

stack

page read and write

F70000

unkown

page readonly

BC1000

unkown

page execute read

4F0000

heap

page read and write

2480000

heap

page read and write

F70000

unkown

page readonly

F80000

unkown

page read and write

7C0000

heap

page read and write

E80000

heap

page read and write

9FA000

heap

page read and write

2C22000

heap

page read and write

DE0000

heap

page read and write

5BC000

stack

page read and write

F70000

unkown

page readonly

BC1000

unkown

page execute read

F84000

unkown

page readonly

A09000

heap

page read and write

56C000

stack

page read and write

370000

heap

page read and write

77B000

stack

page read and write

EE5000

heap

page read and write

982000

heap

page read and write

2B5E000

stack

page read and write

2D92000

heap

page read and write

92E000

heap

page read and write

2DD4000

heap

page read and write

BA0000

heap

page read and write

F70000

unkown

page readonly

8FD000

stack

page read and write

2E1E000

stack

page read and write

2DE0000

heap

page read and write

BC0000

unkown

page readonly

F70000

unkown

page readonly

900000

heap

page read and write

A3E000

stack

page read and write

E5E000

stack

page read and write

D6E000

stack

page read and write

77D000

stack

page read and write

2E22000

heap

page read and write

2F1F000

stack

page read and write

960000

heap

page read and write

F7C000

unkown

page readonly

F71000

unkown

page execute read

F84000

unkown

page readonly

29E0000

heap

page read and write

3E0000

heap

page read and write

2A5E000

stack

page read and write

BD4000

unkown

page readonly

BCC000

unkown

page readonly

D9F000

stack

page read and write

F80000

unkown

page read and write

990000

heap

page read and write

2B9E000

stack

page read and write

F7C000

unkown

page readonly

F71000

unkown

page execute read

BD0000

unkown

page write copy

A24000

heap

page read and write

835000

heap

page read and write

2C64000

heap

page read and write

BC0000

unkown

page readonly

8D9000

heap

page read and write

F84000

unkown

page readonly

F84000

unkown

page readonly

820000

heap

page read and write

2CDE000

stack

page read and write

908000

heap

page read and write

There are 128 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
7rtK9LWbTc.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report7rtK9LWbTc.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
7rtK9LWbTc.exe