Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

m6tly2Aqw4.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.934926885361668
Filename:	m6tly2Aqw4.exe
Filesize:	4594535
MD5:	51d4e15fa77cf644ee90f42269bced3b
SHA1:	0f54220218afb5d0ea00fb8033509c773e3e8b3d
SHA256:	cc05a4b105428e0c1bd13525c5cab229e67a9eb9ec77b92b158fe6fe419929f6
SHA512:	e9472cce353b50936567f0ab02dfa12566442041b87a4838ecd5ddee0debedba95057336e440c6338e9209bebb2bc298b307cbec014bf00cf50b49096b580caf
SSDEEP:	98304:5OkDYUJQk3X/IRjWt76alE6b3Dg/eELhyYu7ftc0URBT:XM6UalF38/eENdAbU/T
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........N .. s.. s.. s%..s.. s...s.. s..Ms.. s...s.. s..[s.. s..!st. s...se. s...s.. s...s.. s...s.. s...s.. sRich.. s...............

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Allows loading of unsigned dll using appinit_dll	Boot Survival	Registry Run Keys / Startup Folder
Creates an undocumented autostart registry key	Boot Survival
Hides threads from debuggers	Anti Debugging	Virtualization/Sandbox Evasion
Machine Learning detection for sample	AV Detection
PE file has nameless sections	System Summary
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
Creates files inside the program directory	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Reads software policies	System Summary	System Information Discovery
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
Creates a directory in C:\Program Files	Compliance, System Summary	Masquerading
PE file exports many functions	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Program Files\Common Files\System\symsrv.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed

dropped

Details

File:	C:\Program Files\Common Files\System\symsrv.dll
Category:	dropped
Dump:	symsrv.dll.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\m6tly2Aqw4.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy:	7.734269834755614
Encrypted:	false
Ssdeep:	1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZL:c8y93KQjy7G55riF1cMo03V
Size:	69337
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected FloodFix	Spreading
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates files inside the program directory	System Summary	Masquerading
Creates a directory in C:\Program Files	Compliance, System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\m6tly2Aqw4.exe

"C:\Users\user\Desktop\m6tly2Aqw4.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3252
Target ID:	0
Parent PID:	1028
Name:	m6tly2Aqw4.exe
Path:	C:\Users\user\Desktop\m6tly2Aqw4.exe
Commandline:	"C:\Users\user\Desktop\m6tly2Aqw4.exe"
Size:	4594535
MD5:	51D4E15FA77CF644EE90F42269BCED3B
Time:	11:00:51
Date:	01/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x50000
Modulesize:	15949824
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected FloodFix	Spreading
Machine Learning detection for sample	AV Detection
PE file has nameless sections	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
PE file exports many functions	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

http://5isohu.com/

unknown

http://www.aieov.com/#

unknown

http://www.aieov.com/

unknown

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows

RequireSignedAppInit_DLLs

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows
Value name:	RequireSignedAppInit_DLLs
Value data:	0

Signature Hits	Behavior Group	Mitre Attack
Creates an undocumented autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Sigma detected: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification	System Summary

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows
Value name:	AppInit_DLLs
Value data:	C:\PROGRA~1\COMMON~1\System\symsrv.dll

Signature Hits	Behavior Group	Mitre Attack
Creates an undocumented autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Sigma detected: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification	System Summary

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows

LoadAppInit_DLLs

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows
Value name:	LoadAppInit_DLLs
Value data:	1

Signature Hits	Behavior Group	Mitre Attack
Creates an undocumented autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Sigma detected: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification	System Summary

Memdumps

Base Address

Regiontype

Protect

Malicious

DD000

unkown

page execute and write copy

D89000

unkown

page execute and write copy

61C000

unkown

page execute and write copy

196000

unkown

page execute and write copy

30DB000

heap

page read and write

192E000

stack

page read and write

61C000

unkown

page execute and write copy

3EC1000

direct allocation

page execute and read and write

14EE000

stack

page read and write

1002B000

unkown

page execute and read and write

152D000

stack

page read and write

377F000

stack

page read and write

15FD000

stack

page read and write

822000

unkown

page execute and read and write

51000

unkown

page execute and write copy

363E000

stack

page read and write

1550000

heap

page read and write

1002D000

unkown

page execute and write copy

51000

unkown

page execute and write copy

590000

unkown

page execute and write copy

367E000

stack

page read and write

3D10000

heap

page read and write

3ED0000

direct allocation

page execute and read and write

D89000

unkown

page execute and read and write

51000

unkown

page execute and write copy

3ED4000

direct allocation

page execute and read and write

182E000

stack

page read and write

135C000

stack

page read and write

6E5000

unkown

page execute and read and write

10001000

unkown

page execute and read and write

DA000

unkown

page execute and read and write

10025000

unkown

page execute and read and write

1001E000

unkown

page execute and read and write

163E000

heap

page read and write

451000

unkown

page execute and write copy

4140000

heap

page read and write

792000

unkown

page execute and read and write

15A0000

heap

page read and write

3D00000

heap

page read and write

1630000

heap

page read and write

3ED4000

direct allocation

page execute and read and write

6AF000

unkown

page execute and write copy

125C000

stack

page read and write

825000

unkown

page execute and read and write

14A0000

heap

page read and write

15A4000

heap

page read and write

451000

unkown

page execute and write copy

B08000

unkown

page execute and read and write

1002F000

unkown

page read and write

78E000

unkown

page execute and read and write

50000

unkown

page readonly

10000000

unkown

page readonly

50000

unkown

page readonly

163A000

heap

page read and write

3D90000

direct allocation

page execute and read and write

3AC0000

heap

page read and write

6AF000

unkown

page execute and write copy

10020000

unkown

page execute and read and write

7A1000

unkown

page execute and read and write

590000

unkown

page execute and write copy

7EE30000

direct allocation

page execute and read and write

13C0000

heap

page read and write

3BC0000

direct allocation

page execute and read and write

15B0000

heap

page read and write

783000

unkown

page execute and read and write

3EC4000

direct allocation

page execute and read and write

1540000

heap

page read and write

3E90000

direct allocation

page execute and read and write

195000

unkown

page execute and read and write

There are 59 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
m6tly2Aqw4.exe

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportm6tly2Aqw4.exe

Files

Processes

URLs

Registry

Memdumps

IOC Report
m6tly2Aqw4.exe