Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32+ executable (GUI) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	7.999818697187227
Filename:	file.exe
Filesize:	80591650
MD5:	3f97ee2b5aefb68fc0d7c6383b41385d
SHA1:	1169a86fb0b2ccb367f9cc886b209e77c6418983
SHA256:	3fb4d76805f5d0d3f23f37fea0f19da7a8e11c6e2a6104035511aded0696fc82
SHA512:	0e6827c292643aaf6dd3a4d96e6811e61d8a1c804054f5cb67eaec28cb228565cf1bc46aa683b37c34aea4fa9f63096ce9c4ed51b85c2104824955779abbdd6e
SSDEEP:	1572864:gbQ9z3vD69+yI1/RvrpuV+YS2C4EL9XdMDTw24g21EVGOI0RlR/xojgrYnitOpUd:Zd3rRvrsVRS73bYT9x2WgMReA5r
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\

Signature Hits	Behavior Group	Mitre Attack
Creates files with lurking names (e.g. Crack.exe)	System Summary	Masquerading
Machine Learning detection for sample	AV Detection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
File is packed with WinRar	Data Obfuscation	Software Packing Security Software Discovery
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
PE file contains sections with non-standard names	Data Obfuscation
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information Security Software Discovery
Contains functionality for error logging	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Creates temporary files	System Summary	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample reads its own file content	System Summary	Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\IObit.Malware.Fighter.Pro-12.0.0.1433.exe

PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\IObit.Malware.Fighter.Pro-12.0.0.1433.exe
Category:	dropped
Dump:	IObit.Malware.Fighter.Pro-12.0.0.1433.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy:	7.9989824995755425
Encrypted:	true
Ssdeep:	1572864:iO9tDrNScQik6TAH9MF9gDa9WsBNOoeP6HKWonWYCkEBvbdr2zE9SPSt5NG9lEF:hUQAd6gDad+SHSj8BMSt7GDEF
Size:	77088228
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\crack.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\crack.exe
Category:	dropped
Dump:	crack.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.970506285180278
Encrypted:	false
Ssdeep:	98304:yiqOnX5D2wa4mzAPzlJZ+roUn2G5csZXa8k1Jx1Qi:oIp1sw/+dZ05Qi
Size:	3541575
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files with lurking names (e.g. Crack.exe)	System Summary	Masquerading
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\????? ?????????.cmd

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\????? ?????????.cmd
Category:	dropped
Dump:	????? ?????????.cmd.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	ASCII text, with no line terminators
Entropy:	4.450195892351691
Encrypted:	false
Ssdeep:	3:SAN9XLrBdO:SKPB0
Size:	44
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5916
Target ID:	0
Parent PID:	4056
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	80591650
MD5:	3F97EE2B5AEFB68FC0D7C6383B41385D
Time:	12:58:20
Date:	19/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76daf0000
Modulesize:	524288
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
PE file has an executable .text section and no other executable section	System Summary
Sample reads its own file content	System Summary
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

http://nsis.sf.net/NSIS_ErrorError

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\1e\417C44EB

@%SystemRoot%\System32\ndfapi.dll,-40001

Memdumps

Base Address

Regiontype

Protect

Malicious

205F6831000

heap

page read and write

205F6850000

heap

page read and write

205F687D000

heap

page read and write

205F67E7000

heap

page read and write

205FCD7B000

heap

page read and write

205F6878000

heap

page read and write

205F686F000

heap

page read and write

205F687C000

heap

page read and write

575DAFE000

stack

page read and write

7FF76DB38000

unkown

page readonly

205F68B2000

heap

page read and write

205F6852000

heap

page read and write

205F67E7000

heap

page read and write

205F68B0000

heap

page read and write

205FCD7B000

heap

page read and write

205F6750000

heap

page read and write

205FCD84000

heap

page read and write

205F6854000

heap

page read and write

205F67F6000

heap

page read and write

205FCD58000

heap

page read and write

205F6834000

heap

page read and write

205F6889000

heap

page read and write

205F68B2000

heap

page read and write

205F67A5000

heap

page read and write

205FCD15000

heap

page read and write

205F84E0000

heap

page read and write

205FCE95000

heap

page read and write

205FCD8F000

heap

page read and write

205F6854000

heap

page read and write

205F68B0000

heap

page read and write

205F6862000

heap

page read and write

205FCD13000

heap

page read and write

205F8770000

trusted library allocation

page read and write

205FC630000

heap

page read and write

205F685C000

heap

page read and write

205FCDD3000

heap

page read and write

205F9F1C000

heap

page read and write

205F6990000

heap

page read and write

205F680B000

heap

page read and write

205FCE55000

heap

page read and write

205FCD7C000

heap

page read and write

205F68B2000

heap

page read and write

205FCD8F000

heap

page read and write

205F687F000

heap

page read and write

205FA710000

heap

page read and write

205F6812000

heap

page read and write

205F680B000

heap

page read and write

205FCE95000

heap

page read and write

7FF76DB54000

unkown

page read and write

205FCD91000

heap

page read and write

205F6841000

heap

page read and write

205F687F000

heap

page read and write

205F67F9000

heap

page read and write

205F84E4000

heap

page read and write

205F6884000

heap

page read and write

205F67AE000

heap

page read and write

575D8F5000

stack

page read and write

205F6857000

heap

page read and write

205F85F1000

trusted library allocation

page read and write

205F685A000

heap

page read and write

205F9F10000

trusted library allocation

page read and write

205F689F000

heap

page read and write

205F685F000

heap

page read and write

205F6867000

heap

page read and write

205F67E1000

heap

page read and write

205FCD50000

heap

page read and write

205F9F1A000

heap

page read and write

205F68B0000

heap

page read and write

205F6876000

heap

page read and write

205F6844000

heap

page read and write

205F6881000

heap

page read and write

205F67F3000

heap

page read and write

205FA833000

heap

page read and write

205F6831000

heap

page read and write

205F685D000

heap

page read and write

205F6871000

heap

page read and write

205F6869000

heap

page read and write

205F683C000

heap

page read and write

205FCD68000

heap

page read and write

7FF76DB5F000

unkown

page readonly

205F6760000

heap

page readonly

205FA832000

heap

page read and write

205F685F000

heap

page read and write

205F6850000

heap

page read and write

205FCD69000

heap

page read and write

205F6815000

heap

page read and write

205F686E000

heap

page read and write

7FF76DAF0000

unkown

page readonly

205FCD13000

heap

page read and write

205FCD64000

heap

page read and write

205F6834000

heap

page read and write

205F67E2000

heap

page read and write

205F6840000

heap

page read and write

205FC84D000

heap

page read and write

205FCD13000

heap

page read and write

205F6886000

heap

page read and write

205F689E000

heap

page read and write

205F8620000

heap

page read and write

7FF76DB5E000

unkown

page write copy

205F6818000

heap

page read and write

205FCCD3000

heap

page read and write

205FCC91000

heap

page read and write

7FF76DAF0000

unkown

page readonly

575DCFE000

stack

page read and write

7FF76DB4B000

unkown

page read and write

205F681F000

heap

page read and write

205F67FD000

heap

page read and write

205F6867000

heap

page read and write

205F68B0000

heap

page read and write

205F6875000

heap

page read and write

205FCC51000

heap

page read and write

205F6859000

heap

page read and write

205F6884000

heap

page read and write

575D8EF000

stack

page read and write

205FCD8F000

heap

page read and write

205FCE54000

heap

page read and write

205FCE95000

heap

page read and write

7FF76DB5A000

unkown

page readonly

205F687E000

heap

page read and write

205FCD7D000

heap

page read and write

575D9FE000

stack

page read and write

205FCD92000

heap

page read and write

205F685A000

heap

page read and write

205F6857000

heap

page read and write

205FCCD2000

heap

page read and write

205F680C000

heap

page read and write

7FF76DAF1000

unkown

page execute read

575DEFE000

stack

page read and write

205F67E7000

heap

page read and write

205F6883000

heap

page read and write

7FF76DB5A000

unkown

page readonly

205FCD64000

heap

page read and write

205F6831000

heap

page read and write

205F68A0000

heap

page read and write

205F67FE000

heap

page read and write

205F689F000

heap

page read and write

205F860A000

trusted library allocation

page read and write

205F6818000

heap

page read and write

205F6866000

heap

page read and write

205F684E000

heap

page read and write

7FF76DB38000

unkown

page readonly

205F67F6000

heap

page read and write

205F8750000

heap

page read and write

205FCD13000

heap

page read and write

205F681F000

heap

page read and write

205FCD7E000

heap

page read and write

205F6816000

heap

page read and write

205F6770000

heap

page read and write

205F689F000

heap

page read and write

205F67A0000

heap

page read and write

205F6851000

heap

page read and write

205F6856000

heap

page read and write

205F685A000

heap

page read and write

205F685C000

heap

page read and write

205FCC50000

heap

page read and write

205F681F000

heap

page read and write

205FCE13000

heap

page read and write

205FCD56000

heap

page read and write

205FBC30000

heap

page read and write

205F686C000

heap

page read and write

205FCD62000

heap

page read and write

205F6839000

heap

page read and write

205F684D000

heap

page read and write

205F67F6000

heap

page read and write

205F688D000

heap

page read and write

205F6854000

heap

page read and write

205F6815000

heap

page read and write

205F685B000

heap

page read and write

205F6818000

heap

page read and write

205FB230000

heap

page read and write

205F6832000

heap

page read and write

205F681F000

heap

page read and write

205F6866000

heap

page read and write

205F686E000

heap

page read and write

205F68A1000

heap

page read and write

205FCD51000

heap

page read and write

205F67C8000

heap

page read and write

205FA71A000

heap

page read and write

7FF76DAF1000

unkown

page execute read

205FA830000

heap

page read and write

205F686A000

heap

page read and write

205F6871000

heap

page read and write

205FCE14000

heap

page read and write

205F686E000

heap

page read and write

205FCD8C000

heap

page read and write

205FCE95000

heap

page read and write

205F6854000

heap

page read and write

205F67C0000

heap

page read and write

205F6818000

heap

page read and write

575DFFE000

stack

page read and write

7FF76DB4B000

unkown

page write copy

205FCE95000

heap

page read and write

205F684D000

heap

page read and write

205FCD62000

heap

page read and write

205F6863000

heap

page read and write

205F6865000

heap

page read and write

205FCD90000

heap

page read and write

205FCC92000

heap

page read and write

205FCD13000

heap

page read and write

205F685E000

heap

page read and write

205FCDD2000

heap

page read and write

7FF76DB5E000

unkown

page readonly

205F680B000

heap

page read and write

There are 193 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Registry

Memdumps

IOC Report
file.exe