Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.44113909439315
Filename:	file.exe
Filesize:	2908160
MD5:	0088235be044c8a88124dd1b58b186e7
SHA1:	31107b10e2d6f4d9b928aaf8fc53ec209823c0c4
SHA256:	9ba473c3f4b60970545a8756d91f2461a84c6236aee185f89f064e0fbc60599e
SHA512:	795f3faf3ea95e0e796ef62353072a5cb6eaa00884694b62b747e43492dd4591cede7fae2a280711fcd8dc7ee6f509e46259564942d3448c403e2bc31ac85fd2
SSDEEP:	49152:UdM4Oztvu0r2INNaWBx9XcCdZ+c9GEFkRY:U7Ozt2w2INNamXfd8QGEFR
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............,.. ...`....@.. ........................-......]-...`................................

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Disable Windows Defender notifications (registry)	Lowering of HIPS / PFW / Operating System Security Settings	Bypass User Account Control Disable or Modify Tools
Disables Windows Defender Tamper protection	Lowering of HIPS / PFW / Operating System Security Settings
Hides threads from debuggers	Anti Debugging
Machine Learning detection for sample	AV Detection
Modifies windows update settings	Lowering of HIPS / PFW / Operating System Security Settings
PE file contains section with special chars	System Summary
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (window names)	Anti Debugging
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks for debuggers (devices)	Anti Debugging	Virtualization/Sandbox Evasion Security Software Discovery
Checks if the current process is being debugged	Anti Debugging
Contains capabilities to detect virtual machines	Malware Analysis System Evasion
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Binary may include packed or encrypted code	Data Obfuscation
PE file has a high occurrence of arithmetic instructions at the PE entrypoint (possbibily packed)	System Summary	Obfuscated Files or Information
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Queries a list of all running drivers	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion
Reads software policies	System Summary
Sample might require command line arguments	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Category:	dropped
Dump:	file.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	CSV text
Entropy:	5.360398796477698
Encrypted:	false
Ssdeep:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
Size:	226
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has a high occurrence of arithmetic instructions at the PE entrypoint (possbibily packed)	System Summary	Obfuscated Files or Information
Creates files inside the user directory	System Summary	Masquerading
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7488
Target ID:	0
Parent PID:	2580
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	2908160
MD5:	0088235BE044C8A88124DD1B58B186E7
Time:	23:16:14
Date:	21/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xb80000
Modulesize:	2949120
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has a high occurrence of arithmetic instructions at the PE entrypoint (possbibily packed)	System Summary	Obfuscated Files or Information
Creates files inside the user directory	System Summary	Masquerading
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Binary contains paths to debug symbols	Compliance, System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

DisableIOAVProtection

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Value name:	DisableIOAVProtection
Value data:	1

Signature Hits	Behavior Group	Mitre Attack
Disable Windows Defender real time protection (registry)	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools Bypass User Account Control

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

DisableRealtimeMonitoring

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Value name:	DisableRealtimeMonitoring
Value data:	1

Signature Hits	Behavior Group	Mitre Attack
Disable Windows Defender real time protection (registry)	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools Bypass User Account Control

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications

DisableNotifications

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications
Value name:	DisableNotifications
Value data:	1

Signature Hits	Behavior Group	Mitre Attack
Disable Windows Defender notifications (registry)	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools Bypass User Account Control
Disable Windows Defender real time protection (registry)	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools Bypass User Account Control

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

AUOptions

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

AutoInstallMinorUpdates

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

NoAutoRebootWithLoggedOnUsers

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

UseWUServer

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

DoNotConnectToWindowsUpdateInternetLocations

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features

TamperProtection

Memdumps

Base Address

Regiontype

Protect

Malicious

DC1000

unkown

page execute and write copy

4DD0000

trusted library allocation

page read and write

B86000

unkown

page write copy

313E000

stack

page read and write

4B11000

heap

page read and write

323F000

stack

page read and write

E4C000

unkown

page execute and write copy

71DE000

stack

page read and write

4B11000

heap

page read and write

4B00000

direct allocation

page read and write

4B11000

heap

page read and write

740E000

stack

page read and write

E8A000

heap

page read and write

3B3E000

stack

page read and write

4C50000

trusted library allocation

page read and write

4B23000

heap

page read and write

EC0000

heap

page read and write

AF0000

heap

page read and write

4B11000

heap

page read and write

467E000

stack

page read and write

453E000

stack

page read and write

E4A000

unkown

page execute and write copy

2A9F000

stack

page read and write

D28000

unkown

page execute and write copy

427F000

stack

page read and write

7200000

heap

page execute and read and write

337F000

stack

page read and write

B82000

unkown

page execute and write copy

4DCA000

trusted library allocation

page execute and read and write

4B00000

direct allocation

page read and write

B00000

heap

page read and write

E80000

heap

page read and write

4C60000

direct allocation

page read and write

DE7000

unkown

page execute and write copy

4B11000

heap

page read and write

EDD000

heap

page read and write

6AC000

stack

page read and write

4C10000

trusted library allocation

page read and write

3EFE000

stack

page read and write

4D9E000

stack

page read and write

2D7E000

stack

page read and write

463F000

stack

page read and write

DD3000

unkown

page execute and write copy

417E000

stack

page read and write

4C4D000

trusted library allocation

page execute and read and write

E32000

unkown

page execute and write copy

34BF000

stack

page read and write

4FB0000

trusted library allocation

page read and write

4E10000

heap

page read and write

4B00000

direct allocation

page read and write

363E000

stack

page read and write

DB6000

unkown

page execute and read and write

D9C000

unkown

page execute and write copy

B86000

unkown

page write copy

4E00000

trusted library allocation

page execute and read and write

299E000

stack

page read and write

DD2000

unkown

page execute and read and write

4B11000

heap

page read and write

B6E000

stack

page read and write

4B11000

heap

page read and write

35FF000

stack

page read and write

D2A000

unkown

page execute and write copy

B80000

unkown

page readonly

43BF000

stack

page read and write

7A9000

stack

page read and write

4B00000

direct allocation

page read and write

4B11000

heap

page read and write

4B00000

direct allocation

page read and write

DF8000

unkown

page execute and read and write

B8A000

unkown

page execute and read and write

39FE000

stack

page read and write

DB2000

unkown

page execute and write copy

E27000

unkown

page execute and write copy

38BE000

stack

page read and write

D3B000

unkown

page execute and write copy

D7C000

unkown

page execute and write copy

4FA0000

trusted library allocation

page read and write

D5B000

unkown

page execute and read and write

2FBF000

stack

page read and write

AF5000

heap

page read and write

CFF000

unkown

page execute and read and write

E34000

unkown

page execute and write copy

730E000

stack

page read and write

4B11000

heap

page read and write

11BF000

stack

page read and write

B80000

unkown

page read and write

43FE000

stack

page read and write

D3C000

unkown

page execute and read and write

4C30000

trusted library allocation

page read and write

D95000

unkown

page execute and read and write

4DDB000

trusted library allocation

page execute and read and write

4B11000

heap

page read and write

2E7F000

stack

page read and write

DC5000

unkown

page execute and write copy

D01000

unkown

page execute and write copy

2FFE000

stack

page read and write

4DC0000

direct allocation

page execute and read and write

D5A000

unkown

page execute and write copy

E4C000

unkown

page execute and write copy

D1D000

unkown

page execute and write copy

4DB0000

heap

page read and write

4B00000

direct allocation

page read and write

E8E000

heap

page read and write

4DC0000

trusted library allocation

page read and write

4F9C000

stack

page read and write

4B00000

direct allocation

page read and write

107F000

stack

page read and write

39BF000

stack

page read and write

744E000

stack

page read and write

5001000

trusted library allocation

page read and write

6004000

trusted library allocation

page read and write

D6B000

unkown

page execute and read and write

B96000

unkown

page execute and write copy

ED1000

heap

page read and write

DC2000

unkown

page execute and read and write

D44000

unkown

page execute and read and write

4FEE000

stack

page read and write

DC3000

unkown

page execute and write copy

377E000

stack

page read and write

4AE0000

heap

page read and write

E3B000

unkown

page execute and write copy

DC4000

unkown

page execute and read and write

4B11000

heap

page read and write

D3E000

unkown

page execute and write copy

E3B000

unkown

page execute and write copy

DE9000

unkown

page execute and read and write

44FF000

stack

page read and write

4B30000

heap

page read and write

4B11000

heap

page read and write

D62000

unkown

page execute and write copy

4C60000

direct allocation

page read and write

33BE000

stack

page read and write

30FF000

stack

page read and write

387F000

stack

page read and write

4E5E000

stack

page read and write

4DF0000

direct allocation

page execute and read and write

DCF000

unkown

page execute and write copy

4C54000

trusted library allocation

page read and write

6025000

trusted library allocation

page read and write

373F000

stack

page read and write

B8A000

unkown

page execute and write copy

4DD7000

trusted library allocation

page execute and read and write

4AC0000

direct allocation

page read and write

403E000

stack

page read and write

2B30000

heap

page read and write

2C3F000

stack

page read and write

4B11000

heap

page read and write

4B00000

direct allocation

page read and write

EC9000

heap

page read and write

D7F000

unkown

page execute and read and write

3C7E000

stack

page read and write

B82000

unkown

page execute and read and write

4C44000

trusted library allocation

page read and write

D31000

unkown

page execute and read and write

4B11000

heap

page read and write

4B00000

direct allocation

page read and write

3EBF000

stack

page read and write

DA3000

unkown

page execute and read and write

4B00000

direct allocation

page read and write

4B10000

heap

page read and write

4C43000

trusted library allocation

page execute and read and write

F0E000

heap

page read and write

3FFF000

stack

page read and write

D8C000

unkown

page execute and write copy

4DF0000

trusted library allocation

page read and write

6001000

trusted library allocation

page read and write

2B37000

heap

page read and write

3D7F000

stack

page read and write

4B00000

direct allocation

page read and write

E29000

unkown

page execute and read and write

4FF0000

heap

page execute and read and write

327E000

stack

page read and write

719D000

stack

page read and write

DD6000

unkown

page execute and read and write

2EBE000

stack

page read and write

DCE000

unkown

page execute and read and write

4F5E000

stack

page read and write

4C60000

direct allocation

page read and write

4B00000

direct allocation

page read and write

DC9000

unkown

page execute and read and write

4B11000

heap

page read and write

D20000

unkown

page execute and read and write

754F000

stack

page read and write

2B1E000

stack

page read and write

3AFF000

stack

page read and write

A10000

heap

page read and write

D2E000

unkown

page execute and write copy

42BE000

stack

page read and write

413F000

stack

page read and write

3DBE000

stack

page read and write

2ADC000

stack

page read and write

4C9C000

stack

page read and write

4B00000

direct allocation

page read and write

DF7000

unkown

page execute and write copy

4B11000

heap

page read and write

E60000

heap

page read and write

34FE000

stack

page read and write

E4A000

unkown

page execute and read and write

DCA000

unkown

page execute and write copy

3C3F000

stack

page read and write

D1C000

unkown

page execute and read and write

2D3F000

stack

page read and write

D2A000

unkown

page execute and read and write

477F000

stack

page read and write

E33000

unkown

page execute and read and write

4B00000

direct allocation

page read and write

10BE000

stack

page read and write

EBE000

heap

page read and write

There are 198 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

Registry

Memdumps

IOC Report
file.exe