Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SOA CONTAINER LINE Oct 24.exe

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	7.912335817097297
Filename:	SOA CONTAINER LINE Oct 24.exe
Filesize:	702976
MD5:	022751194e17f47b1651de3600f08dc1
SHA1:	c6c5b6f8dfc9163a51cd983662a2afdbbce69eb3
SHA256:	cde7e6227b12f407f02e9dfcd2025e6716248f5c8ffc93dd8c00cc8e14ee63ed
SHA512:	c4da34b69757201fc2567dacdfef26219839f9bef36d6b16c808077b0a4f9f01fb6cd498222f5704bea48aff3a0cc8e57ba3028717783211a223f091c391f854
SSDEEP:	12288:KbQ0AlSGvCpQTXKGHILLMh9xm6wk6qHV4p4nxupPXYU8TQqUq4EsKSsm9:6oBxXKGWMVm6h6wGp4noNFqhAs+
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....;g.........."...0.................. .....@..... ....................................@...@......@............... .....

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Modifies the context of a thread in another process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
One or more processes crash	System Summary
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools Obfuscated Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SOA CONTAINER LINE Oct 24.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SOA CONTAINER LINE Oct 24.exe.log
Category:	dropped
Dump:	SOA CONTAINER LINE Oct 24.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.38398350549571
Encrypted:	false
Ssdeep:	48:MxHKQ71qHGIs0HKjRHmYHKGSI6oPtHTHhAHKKkl+vxp3/elT:iq+wmj0qFGYqGSI6oPtzHeqKksZp/elT
Size:	1598
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe

"C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5368
Target ID:	0
Parent PID:	4004
Name:	SOA CONTAINER LINE Oct 24.exe
Path:	C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe
Commandline:	"C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe"
Size:	702976
MD5:	022751194E17F47B1651DE3600F08DC1
Time:	12:18:02
Date:	18/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xa20000
Modulesize:	712704
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe

"C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe"

Details

Is windows:	false
Is dropped:	false
PID:	356
Target ID:	4
Parent PID:	5368
Name:	SOA CONTAINER LINE Oct 24.exe
Path:	C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe
Commandline:	"C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe"
Size:	702976
MD5:	022751194E17F47B1651DE3600F08DC1
Time:	12:18:04
Date:	18/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x9f0000
Modulesize:	712704
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 356 -s 12

Details

Is windows:	true
Is dropped:	false
PID:	6288
Target ID:	7
Parent PID:	356
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 356 -s 12
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	12:18:05
Date:	18/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7f5a20000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://checkip.dyndns.org/q

unknown

Details

Name:	http://checkip.dyndns.org/q
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe
Source:	SOA CONTAINER LINE Oct 24.exe, 00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://www.google.com/#q=

unknown

https://reallyfreegeoip.org/xml/

unknown

Details

Name:	https://reallyfreegeoip.org/xml/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SOA CONTAINER LINE Oct 24.exe
Source:	SOA CONTAINER LINE Oct 24.exe, 00000000.00000002.2219079433.0000000013E71000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

13E71000

trusted library allocation

page read and write

11FD000

stack

page read and write

13E68000

trusted library allocation

page read and write

7FFD342EB000

trusted library allocation

page execute and read and write

1ABE000

stack

page read and write

1CBF7000

heap

page read and write

17374000

trusted library allocation

page read and write

1422000

heap

page read and write

7FFD34472000

trusted library allocation

page read and write

1BE90000

trusted library allocation

page read and write

3EE0000

trusted library allocation

page read and write

1630000

heap

page read and write

7FFD342CD000

trusted library allocation

page execute and read and write

1CBF5000

heap

page read and write

15889000

trusted library allocation

page read and write

1C9B0000

trusted library allocation

page read and write

3E61000

trusted library allocation

page read and write

7FFD342E4000

trusted library allocation

page read and write

1CFFC000

stack

page read and write

1EE60000

heap

page read and write

4267000

trusted library allocation

page read and write

20FFE000

stack

page read and write

7FFD344D0000

trusted library allocation

page read and write

1FA00000

heap

page read and write

7FFD34476000

trusted library allocation

page read and write

140D000

heap

page read and write

1ED60000

heap

page read and write

203FE000

stack

page read and write

146C000

heap

page read and write

1D83B000

heap

page read and write

BA0000

heap

page read and write

17355000

trusted library allocation

page read and write

7FFD342E0000

trusted library allocation

page read and write

1F462000

trusted library allocation

page read and write

A20000

unkown

page readonly

1330000

heap

page read and write

1CBFC000

heap

page read and write

BF0000

trusted library allocation

page read and write

207FE000

stack

page read and write

1F35D000

stack

page read and write

7FFD34479000

trusted library allocation

page read and write

1635000

heap

page read and write

1680000

trusted library section

page read and write

172F4000

trusted library allocation

page read and write

7FFD34380000

trusted library allocation

page execute and read and write

B50000

heap

page read and write

1353000

heap

page read and write

1D7FE000

stack

page read and write

16B0000

heap

page read and write

1579F000

trusted library allocation

page read and write

7FFD342DD000

trusted library allocation

page execute and read and write

1D3FE000

stack

page read and write

1CBF0000

heap

page read and write

1360000

heap

page execute and read and write

7FFD34470000

trusted library allocation

page read and write

7FFD342ED000

trusted library allocation

page execute and read and write

1DD5D000

stack

page read and write

13C0000

heap

page read and write

1D800000

heap

page read and write

11F4000

stack

page read and write

1D810000

heap

page read and write

1D950000

heap

page execute and read and write

3E5E000

stack

page read and write

1C5DA000

stack

page read and write

1FA25000

heap

page read and write

20BFB000

stack

page read and write

15751000

trusted library allocation

page read and write

7FF419B20000

trusted library allocation

page execute and read and write

7FFD34370000

trusted library allocation

page read and write

22BE000

stack

page read and write

7FFD343E0000

trusted library allocation

page execute and read and write

1424000

heap

page read and write

16B5000

heap

page read and write

1F990000

trusted library section

page read and write

13EC000

heap

page read and write

1EBE000

stack

page read and write

1C9A0000

trusted library section

page read and write

144F000

heap

page read and write

7FFD342C2000

trusted library allocation

page read and write

15F0000

trusted library section

page readonly

7FFD342C3000

trusted library allocation

page execute and read and write

1605000

heap

page read and write

12E0000

trusted library allocation

page read and write

13E61000

trusted library allocation

page read and write

7FFD342C0000

trusted library allocation

page read and write

7FFD344A0000

trusted library allocation

page execute and read and write

A22000

unkown

page readonly

1455000

heap

page read and write

7FFD3437C000

trusted library allocation

page execute and read and write

7FFD3448C000

trusted library allocation

page read and write

1C9C0000

heap

page read and write

7FFD34460000

trusted library allocation

page read and write

1350000

heap

page read and write

B80000

heap

page read and write

7FFD343A6000

trusted library allocation

page execute and read and write

144D000

heap

page read and write

1610000

heap

page read and write

7FFD34376000

trusted library allocation

page read and write

B60000

heap

page read and write

1EF40000

heap

page read and write

13A0000

heap

page read and write

15703000

trusted library allocation

page read and write

7FFD342D0000

trusted library allocation

page read and write

7FFD344B0000

trusted library allocation

page read and write

7FFD34490000

trusted library allocation

page read and write

7FFD3431C000

trusted library allocation

page execute and read and write

1FFFF000

stack

page read and write

7FFD342C4000

trusted library allocation

page read and write

7FFD344C0000

trusted library allocation

page read and write

7FFD3447C000

trusted library allocation

page read and write

1600000

heap

page read and write

13E0000

heap

page read and write

7FFD34481000

trusted library allocation

page read and write

7FFD342D3000

trusted library allocation

page read and write

1410000

heap

page read and write

14BA000

heap

page read and write

7FFD344B4000

trusted library allocation

page read and write

There are 107 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SOA CONTAINER LINE Oct 24.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSOA CONTAINER LINE Oct 24.exe

Files

Processes

URLs

Memdumps

IOC Report
SOA CONTAINER LINE Oct 24.exe