Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

VXHv7tw0l9.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.61594949314532
Filename:	VXHv7tw0l9.exe
Filesize:	32256
MD5:	22c54abbde95e1f240a8a65343e6faa9
SHA1:	8f6727a8ea3977e1f5fbea78c1390d6cc8a1b36a
SHA256:	ccaa9f9e4a61111b9814917dcb9703768743dffc8faec938bc480c7b091c33dc
SHA512:	86ab53c341cc671e6b8d57bcb12a1f4337e6d36f5586480ec4a90234d73780626020582ea72c9a381392d0f54d6fa9a0f03b0f3d83b32c97c227899e9f40e171
SSDEEP:	768:8J8R5d5rLmzxBuJRSae8H5LPvyQQmIDUu0tiroj:DvKmpj3QVktj
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....S.f.................v............... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings
Machine Learning detection for sample	AV Detection
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings
Abnormal high CPU Usage	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara signature match	System Summary
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Windows\SysWOW64\netsh.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.971939296804078
Encrypted:	false
Ssdeep:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
Size:	313
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\VXHv7tw0l9.exe

"C:\Users\user\Desktop\VXHv7tw0l9.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7500
Target ID:	0
Parent PID:	2580
Name:	VXHv7tw0l9.exe
Path:	C:\Users\user\Desktop\VXHv7tw0l9.exe
Commandline:	"C:\Users\user\Desktop\VXHv7tw0l9.exe"
Size:	32256
MD5:	22C54ABBDE95E1F240A8A65343E6FAA9
Time:	23:42:02
Date:	17/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x880000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\user\Desktop\VXHv7tw0l9.exe" "VXHv7tw0l9.exe" ENABLE

Details

Is windows:	true
Is dropped:	false
PID:	7568
Target ID:	1
Parent PID:	7500
Name:	netsh.exe
Path:	C:\Windows\SysWOW64\netsh.exe
Commandline:	netsh firewall add allowedprogram "C:\Users\user\Desktop\VXHv7tw0l9.exe" "VXHv7tw0l9.exe" ENABLE
Size:	82432
MD5:	4E89A1A088BE715D6C946E55AB07C7DF
Time:	23:42:08
Date:	17/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1560000
Modulesize:	122880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7576
Target ID:	2
Parent PID:	7568
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	23:42:08
Date:	17/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

IPs

Domain

Country

Malicious

49.228.131.165

unknown

Thailand

Details

IP:	49.228.131.165
TargetID:	0
Current Path:	C:\Users\user\Desktop\VXHv7tw0l9.exe
Country:	Thailand
Countrycode:	THA
ASN number:	133481
ASN name:	AIS-FIBRE-AS-APAISFibreTH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER

Details

TargetID:	0
Path:	HKEY_CURRENT_USER
Value name:	di
Value data:	!

Signature Hits	Behavior Group	Mitre Attack
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Reads software policies	System Summary	System Information Discovery

HKEY_CURRENT_USER\Environment

SEE_MASK_NOZONECHECKS

HKEY_CURRENT_USER\SOFTWARE\fa6b40864b6c109adbc85023cd1f59d2

[kl]

Memdumps

Base Address

Regiontype

Protect

Malicious

2B71000

trusted library allocation

page read and write

882000

unkown

page readonly

E40000

heap

page read and write

990000

heap

page read and write

4AB000

heap

page read and write

481000

heap

page read and write

4FE000

heap

page read and write

4B6000

heap

page read and write

534000

heap

page read and write

DC0000

heap

page read and write

F88000

heap

page read and write

509000

heap

page read and write

5071000

trusted library allocation

page read and write

4B1000

heap

page read and write

50F000

heap

page read and write

551000

heap

page read and write

4A8000

heap

page read and write

5310000

trusted library allocation

page execute and read and write

504000

heap

page read and write

501000

heap

page read and write

4FF000

heap

page read and write

2C19000

trusted library allocation

page read and write

50B000

heap

page read and write

535000

heap

page read and write

29C0000

trusted library allocation

page execute and read and write

4FF000

heap

page read and write

534000

heap

page read and write

980000

heap

page read and write

538000

heap

page read and write

E70000

trusted library allocation

page read and write

511000

heap

page read and write

E53000

trusted library allocation

page read and write

481000

heap

page read and write

2B30000

trusted library allocation

page read and write

2B34000

trusted library allocation

page read and write

4FE000

heap

page read and write

538000

heap

page read and write

521C000

stack

page read and write

5730000

heap

page read and write

4BB000

heap

page read and write

505B000

trusted library allocation

page read and write

5090000

trusted library allocation

page read and write

4BA000

heap

page read and write

4F9000

heap

page read and write

4C05000

heap

page read and write

E63000

trusted library allocation

page execute and read and write

507000

heap

page read and write

4C15000

heap

page read and write

50B000

heap

page read and write

4B78000

trusted library allocation

page read and write

538000

heap

page read and write

50E0000

trusted library allocation

page read and write

4CD000

heap

page read and write

4AB000

heap

page read and write

55E000

heap

page read and write

4F6000

heap

page read and write

4BE0000

heap

page read and write

52BE000

stack

page read and write

1C4000

stack

page read and write

4C14000

heap

page read and write

59E000

unkown

page read and write

2B40000

trusted library allocation

page read and write

534000

heap

page read and write

4B9000

heap

page read and write

4EF000

heap

page read and write

EE8000

heap

page read and write

50DC000

stack

page read and write

553000

heap

page read and write

4BA000

heap

page read and write

4B3000

heap

page read and write

4C09000

heap

page read and write

880000

unkown

page readonly

3B71000

trusted library allocation

page read and write

E64000

trusted library allocation

page read and write

2B60000

heap

page read and write

5320000

heap

page execute and read and write

2C0A000

trusted library allocation

page read and write

2B50000

trusted library allocation

page read and write

4C19000

heap

page read and write

506E000

trusted library allocation

page read and write

430000

heap

page read and write

5056000

trusted library allocation

page read and write

55E000

heap

page read and write

7FA40000

trusted library allocation

page execute and read and write

910000

heap

page read and write

507000

heap

page read and write

14DF000

stack

page read and write

966000

heap

page read and write

5E30000

heap

page read and write

4EF000

heap

page read and write

4C07000

heap

page read and write

F20000

heap

page read and write

919000

stack

page read and write

E73000

trusted library allocation

page read and write

4B8F000

stack

page read and write

4F4000

heap

page read and write

4BE1000

heap

page read and write

474000

heap

page read and write

4EF000

heap

page read and write

4D6000

heap

page read and write

55A000

heap

page read and write

4C07000

heap

page read and write

4C1A000

heap

page read and write

4A7000

heap

page read and write

4FE000

heap

page read and write

E80000

trusted library allocation

page read and write

E97000

trusted library allocation

page execute and read and write

E60000

trusted library allocation

page read and write

4AB000

heap

page read and write

556000

heap

page read and write

4C17000

heap

page read and write

507D000

trusted library allocation

page read and write

E9B000

trusted library allocation

page execute and read and write

7ED000

stack

page read and write

4BA000

heap

page read and write

4D0000

heap

page read and write

55E000

heap

page read and write

4CD000

heap

page read and write

558000

heap

page read and write

4B7000

heap

page read and write

5D0000

heap

page read and write

9E0000

heap

page read and write

5260000

trusted library allocation

page read and write

4F0000

heap

page read and write

E7D000

trusted library allocation

page execute and read and write

4AE000

heap

page read and write

E6D000

trusted library allocation

page execute and read and write

4FE000

heap

page read and write

4AE000

heap

page read and write

4F8000

heap

page read and write

4B5000

heap

page read and write

4B4000

heap

page read and write

4C02000

heap

page read and write

4C14000

heap

page read and write

4F1000

heap

page read and write

4F3000

heap

page read and write

2C20000

trusted library allocation

page read and write

4BB000

heap

page read and write

9F0000

heap

page read and write

4C04000

heap

page read and write

4AE000

heap

page read and write

460000

heap

page read and write

29BE000

stack

page read and write

8EE000

stack

page read and write

62F0000

trusted library allocation

page read and write

440000

heap

page read and write

538000

heap

page read and write

9DE000

stack

page read and write

4C00000

heap

page read and write

4F9000

heap

page read and write

4F7000

heap

page read and write

4FC000

heap

page read and write

5054000

trusted library allocation

page read and write

10DE000

stack

page read and write

4AB000

heap

page read and write

2DD9000

trusted library allocation

page read and write

507000

heap

page read and write

505E000

trusted library allocation

page read and write

F23000

heap

page read and write

F07000

heap

page read and write

4C06000

heap

page read and write

4CD000

heap

page read and write

4D0E000

stack

page read and write

54CE000

stack

page read and write

538000

heap

page read and write

4D6000

heap

page read and write

506000

heap

page read and write

5076000

trusted library allocation

page read and write

1CB000

stack

page read and write

E8A000

trusted library allocation

page execute and read and write

4C19000

heap

page read and write

538000

heap

page read and write

6020000

heap

page read and write

4F5000

heap

page read and write

535000

heap

page read and write

535000

heap

page read and write

CB000

stack

page read and write

5F1B000

stack

page read and write

4C17000

heap

page read and write

EC0000

heap

page read and write

4B7000

heap

page read and write

481000

heap

page read and write

50D000

heap

page read and write

2B2C000

stack

page read and write

4C07000

heap

page read and write

E59000

trusted library allocation

page read and write

550000

heap

page read and write

4C17000

heap

page read and write

534000

heap

page read and write

504000

heap

page read and write

50D000

heap

page read and write

4BC000

heap

page read and write

632D000

heap

page read and write

4F7000

heap

page read and write

4C18000

heap

page read and write

5A0000

heap

page read and write

508000

heap

page read and write

4D6000

heap

page read and write

4F1000

heap

page read and write

4C09000

heap

page read and write

7AF000

unkown

page read and write

4B1000

heap

page read and write

4B4000

heap

page read and write

4EF000

heap

page read and write

552000

heap

page read and write

4FF000

heap

page read and write

F50000

heap

page read and write

496000

heap

page read and write

5082000

trusted library allocation

page read and write

4BA000

heap

page read and write

4F4000

heap

page read and write

5259000

stack

page read and write

2D2B000

trusted library allocation

page read and write

5062000

trusted library allocation

page read and write

5050000

trusted library allocation

page read and write

1BE000

stack

page read and write

4F9000

heap

page read and write

4990000

heap

page read and write

534000

heap

page read and write

4F8000

heap

page read and write

29D0000

trusted library allocation

page read and write

4FB000

heap

page read and write

50B000

heap

page read and write

534000

heap

page read and write

5270000

trusted library allocation

page read and write

E50000

trusted library allocation

page read and write

4F9000

heap

page read and write

EE0000

heap

page read and write

E86000

trusted library allocation

page execute and read and write

EEE000

heap

page read and write

1CE000

stack

page read and write

2C13000

trusted library allocation

page read and write

13DE000

stack

page read and write

555000

heap

page read and write

6300000

trusted library allocation

page execute and read and write

555000

heap

page read and write

4A7000

heap

page read and write

4EF000

heap

page read and write

50F000

heap

page read and write

471000

heap

page read and write

51C9000

stack

page read and write

51D3000

heap

page read and write

499000

heap

page read and write

CF7000

stack

page read and write

E45000

heap

page read and write

4B7000

heap

page read and write

4C07000

heap

page read and write

2B37000

trusted library allocation

page read and write

151E000

stack

page read and write

4F1000

heap

page read and write

535000

heap

page read and write

601C000

stack

page read and write

62E0000

trusted library allocation

page read and write

508000

heap

page read and write

960000

heap

page read and write

50E000

heap

page read and write

530000

heap

page read and write

4B9000

heap

page read and write

5D5000

heap

page read and write

4F4000

heap

page read and write

6324000

heap

page read and write

4C17000

heap

page read and write

468000

heap

page read and write

4C0C000

heap

page read and write

E92000

trusted library allocation

page read and write

29E0000

heap

page execute and read and write

51D0000

heap

page read and write

501000

heap

page read and write

2AEE000

stack

page read and write

6320000

heap

page read and write

4CE000

heap

page read and write

4FE000

heap

page read and write

50F000

heap

page read and write

500000

heap

page read and write

4A7000

heap

page read and write

5780000

trusted library allocation

page execute and read and write

2C11000

trusted library allocation

page read and write

55E000

heap

page read and write

4D6000

heap

page read and write

FCB000

heap

page read and write

533000

heap

page read and write

4F1000

heap

page read and write

EB0000

trusted library allocation

page read and write

FA4000

heap

page read and write

There are 274 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
VXHv7tw0l9.exe

Files

Processes

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportVXHv7tw0l9.exe

Files

Processes

IPs

Registry

Memdumps

IOC Report
VXHv7tw0l9.exe