Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

CMCR5hvseX.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	5.834255992022626
Filename:	CMCR5hvseX.exe
Filesize:	72484
MD5:	ba09bf0918b0efca89a7930b86885c9e
SHA1:	396e01db56f1c0dfadc628fd7f880d3f697d79c5
SHA256:	014de3156e730a80563fa607f6e9dd7d6a4487f04e4daf7cafdaa958d2b3a310
SHA512:	c344038d8827a2b752b57a4415a6346351930607f54c9a20e43c59d1a5649b6da9c8a71b505da5b87d023308a69b51ccc636e140621606ff16a5318f5cf78400
SSDEEP:	1536:qAo0+j2d6rnJqlIUlizbR9XwzSPamvDsdHgHSIQEvTbWh7MzdPAxHyHfOdIRIRvn:qAoVl4lX8Pvw2PamvDsdHgHSIQEvTbWP
Preview:	MZ......................@....2..........................................!..L.!This program cannot be run in DOS mode....$.......................................................K.......................`.......Rich....................PE..L......O...........

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Creates an autostart registry key pointing to binary in C:\Windows	Boot Survival	File and Directory Discovery
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Native API
Machine Learning detection for sample	AV Detection
PE file has a writeable .text section	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to query network adapater information	Malware Analysis System Evasion	System Network Configuration Discovery Ingress Tool Transfer
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates files inside the system directory	System Summary
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading File and Directory Discovery
Found evasive API chain (may stop execution after accessing registry keys)	Malware Analysis System Evasion
Found evasive API chain (may stop execution after checking a module file name)	Malware Analysis System Evasion
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Binary may include packed or encrypted code	Data Obfuscation	Software Packing
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder File and Directory Discovery
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary	System Information Discovery
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Windows\microsofthelp.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Windows\microsofthelp.exe
Category:	dropped
Dump:	microsofthelp.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\CMCR5hvseX.exe
Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	5.821931819526967
Encrypted:	false
Ssdeep:	1536:qAo0+j2d6rnJqlIUlizbR9XwzSPamvDsdHgHSIQEvTbWh7MzdPAxHyHfOdIRIRvS:qAoVl4lX8Pvw2PamvDsdHgHSIQEvTbWK
Size:	72744
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Blihan Stealer	Stealing of Sensitive Information, Remote Access Functionality
Deletes itself after installation	Hooking and other Techniques for Hiding and Protection	File Deletion
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Machine Learning detection for dropped file	AV Detection
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates mutexes	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\CMCR5hvseX.exe

"C:\Users\user\Desktop\CMCR5hvseX.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3340
Target ID:	0
Parent PID:	1028
Name:	CMCR5hvseX.exe
Path:	C:\Users\user\Desktop\CMCR5hvseX.exe
Commandline:	"C:\Users\user\Desktop\CMCR5hvseX.exe"
Size:	72484
MD5:	BA09BF0918B0EFCA89A7930B86885C9E
Time:	11:04:12
Date:	01/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	53248
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Blihan Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file has a writeable .text section	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\microsofthelp.exe

"C:\Windows\microsofthelp.exe"

Details

Is windows:	false
Is dropped:	true
PID:	4088
Target ID:	2
Parent PID:	3340
Name:	microsofthelp.exe
Path:	C:\Windows\microsofthelp.exe
Commandline:	"C:\Windows\microsofthelp.exe"
Size:	72744
MD5:	1BF9EFC2A5A6343FD0E3C6E4B4AB5B58
Time:	11:04:13
Date:	01/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	53248
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Blihan Stealer	Stealing of Sensitive Information, Remote Access Functionality
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

microsofthelp

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	microsofthelp
Value data:	C:\Windows\microsofthelp.exe

Signature Hits	Behavior Group	Mitre Attack
Creates an autostart registry key pointing to binary in C:\Windows	Boot Survival	Registry Run Keys / Startup Folder
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

406000

unkown

page execute and write copy

401000

unkown

page execute and write copy

406000

unkown

page execute and write copy

6AE000

heap

page read and write

401000

unkown

page execute and write copy

410000

heap

page read and write

4E0000

heap

page read and write

5DE000

heap

page read and write

405000

unkown

page execute and read and write

405000

unkown

page execute and read and write

408000

unkown

page execute and read and write

40C000

unkown

page write copy

19D000

stack

page read and write

9C000

stack

page read and write

5DA000

heap

page read and write

9F0000

heap

page read and write

40C000

unkown

page read and write

6A0000

heap

page read and write

400000

unkown

page readonly

408000

unkown

page execute and read and write

1F0000

heap

page read and write

400000

unkown

page readonly

409000

unkown

page execute and write copy

40C000

unkown

page read and write

408000

unkown

page execute and write copy

54E000

stack

page read and write

400000

unkown

page readonly

9C000

stack

page read and write

401000

unkown

page execute and write copy

1F0000

heap

page read and write

401000

unkown

page execute and write copy

409000

unkown

page execute and write copy

400000

unkown

page readonly

40C000

unkown

page write copy

A00000

heap

page read and write

500000

heap

page read and write

64F000

stack

page read and write

408000

unkown

page execute and write copy

68E000

stack

page read and write

4A0000

heap

page read and write

89F000

stack

page read and write

6AA000

heap

page read and write

5D0000

heap

page read and write

19D000

stack

page read and write

6C6000

heap

page read and write

There are 35 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
CMCR5hvseX.exe

Files

Processes

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportCMCR5hvseX.exe

Files

Processes

Registry

Memdumps

IOC Report
CMCR5hvseX.exe