Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

R2T8ccXCek.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.977439534348002
Filename:	R2T8ccXCek.exe
Filesize:	50171956
MD5:	a8dfbb9f5cf96f742c05776b0a5b4fe8
SHA1:	600e98dad7e474b7c49557516dfd398087e49914
SHA256:	e788c2cf1c0760d6672ea1ff733581f31c9a2e05019dec1ed1eaa341c8710a05
SHA512:	0ea8aa8886c493815cb3eb016fd3ff0ec4d4d1c76015cc0c5f7d72993c512f6bc0eea5893944637b58d20a8d838f6ecf45cbfa16877939df85da89b1e477aee4
SSDEEP:	786432:aVGyFtrCko6pqBZAgycX1vEDBW9qLvKrt7VOHMrS93SaJ9+BQF6gjQH:6b+kHpBgycFpRflaCIXZjQH
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............{...{...{.3.x...{.3.~.X.{.3.}...{.......{...x...{...~...{.3.....{.3.z...{.3.\|...{...z.8.{.\.r...{.\.....{.......{.\.y...{

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging	Security Software Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates COM task schedule object (often to register a task for autostart)	Spreading	Scheduled Task/Job
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found evaded block containing many API calls	Malware Analysis System Evasion
Found evasive API chain checking for process token information	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information Security Software Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Checks the free space of harddrives	Malware Analysis System Evasion	Process Injection System Information Discovery
Contains functionality for error logging	System Summary
Contains functionality to check free disk space	System Summary	Security Software Discovery
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to create pipes for IPC	Language, Device and Operating System Detection	Process Injection
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to instantiate COM classes	System Summary	Security Software Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query local drives	Spreading, Malware Analysis System Evasion
Contains functionality to query system information	Malware Analysis System Evasion	Security Software Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates files inside the user directory	System Summary	Masquerading
Found strings which match to known social media urls	Networking	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading Security Software Discovery
Uses an in-process (OLE) Automation server	System Summary	Security Software Discovery
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary
Found GUI installer (many successful clicks)	System Summary	Security Software Discovery

C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll
Category:	dropped
Dump:	decoder.dll.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\R2T8ccXCek.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.447659228395253
Encrypted:	false
Ssdeep:	3072:tScXkSa4E7uzTK+NbkuO2DcUC1myXxskH9Xq4fa2KbDI0lSmb9D:Q7sO+EZ9LH2j7Mmb9
Size:	209920
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\R2T8ccXCek.exe

"C:\Users\user\Desktop\R2T8ccXCek.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6516
Target ID:	0
Parent PID:	4004
Name:	R2T8ccXCek.exe
Path:	C:\Users\user\Desktop\R2T8ccXCek.exe
Commandline:	"C:\Users\user\Desktop\R2T8ccXCek.exe"
Size:	50171956
MD5:	A8DFBB9F5CF96F742C05776B0A5B4FE8
Time:	04:09:00
Date:	13/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x9f0000
Modulesize:	3190784
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Found strings which match to known social media urls	Networking
PE file has an executable .text section and no other executable section	System Summary
Sample reads its own file content	System Summary
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Memdumps

Base Address

Regiontype

Protect

Malicious

2D2E000

stack

page read and write

9F1000

unkown

page execute read

605000

heap

page read and write

26A0000

heap

page read and write

9C0000

heap

page read and write

271E000

stack

page read and write

CB6000

unkown

page readonly

727000

heap

page read and write

704000

heap

page read and write

281E000

stack

page read and write

DFE000

stack

page read and write

9F0000

unkown

page readonly

2FB0000

trusted library allocation

page read and write

C8E000

unkown

page read and write

439000

stack

page read and write

6A0000

heap

page read and write

70F000

heap

page read and write

6B4000

heap

page read and write

2840000

heap

page read and write

9F0000

unkown

page readonly

C08000

unkown

page readonly

6CC000

heap

page read and write

2CEF000

stack

page read and write

26D5000

heap

page read and write

70A000

heap

page read and write

2F20000

heap

page read and write

600000

heap

page read and write

580000

heap

page read and write

38FF000

stack

page read and write

704000

heap

page read and write

6EC000

heap

page read and write

26DB000

heap

page read and write

26D0000

heap

page read and write

6EC000

heap

page read and write

96F000

stack

page read and write

6AA000

heap

page read and write

5CE000

stack

page read and write

64E000

stack

page read and write

53B000

stack

page read and write

670000

heap

page read and write

C97000

unkown

page readonly

2844000

heap

page read and write

C97000

unkown

page readonly

727000

heap

page read and write

C93000

unkown

page write copy

C94000

unkown

page read and write

C92000

unkown

page write copy

C08000

unkown

page readonly

C8E000

unkown

page write copy

37FE000

stack

page read and write

570000

heap

page read and write

CB6000

unkown

page readonly

6B3000

heap

page read and write

9F1000

unkown

page execute read

2BEE000

stack

page read and write

6CF000

heap

page read and write

2E2F000

stack

page read and write

690000

heap

page read and write

There are 48 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
R2T8ccXCek.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportR2T8ccXCek.exe

Files

Processes

Memdumps

IOC Report
R2T8ccXCek.exe