Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.451573518842377
Filename:	file.exe
Filesize:	2865664
MD5:	0d1e5334ceac878a5054ae5dbcfe0942
SHA1:	1e3bdc4a9a1b54c65cd489187c51f41b51f2a3a2
SHA256:	fece7908c91ac1248fe2ac0d2bd28f80c59b6d26669d2f144e8d5f92a7d1166b
SHA512:	d96f09715b513b8bfa277df9524c4da73ad7e761128714f9da21c4fdff354d10f6bfe75936156fc70f2e6ed9fc02a827b29e2967fe3da9234e6f584d7dddf945
SSDEEP:	49152:D2BmPOW1jNQtAmK3qXzuh4gC7rIQP41d5Im7KMGBX:D2YPOW1j4AT3qX66gC7rIQPs7EB
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$........... ,.. ...`....@.. .......................`,.....H.+...`................................

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Disable Windows Defender notifications (registry)	Lowering of HIPS / PFW / Operating System Security Settings
Disables Windows Defender Tamper protection	Lowering of HIPS / PFW / Operating System Security Settings
Hides threads from debuggers	Anti Debugging	Virtualization/Sandbox Evasion Security Software Discovery
Machine Learning detection for sample	AV Detection
Modifies windows update settings	Lowering of HIPS / PFW / Operating System Security Settings
PE file contains section with special chars	System Summary
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (window names)	Anti Debugging
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks for debuggers (devices)	Anti Debugging
Checks if the current process is being debugged	Anti Debugging
Contains capabilities to detect virtual machines	Malware Analysis System Evasion
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains functionality to detect virtual machines (SIDT)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Binary may include packed or encrypted code	Data Obfuscation
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Queries a list of all running drivers	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Category:	dropped
Dump:	file.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	CSV text
Entropy:	5.360398796477698
Encrypted:	false
Ssdeep:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
Size:	226
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1816
Target ID:	0
Parent PID:	4004
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	2865664
MD5:	0D1E5334CEAC878A5054AE5DBCFE0942
Time:	00:46:58
Date:	26/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x80000
Modulesize:	2908160
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Binary contains paths to debug symbols	Compliance, System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

DisableIOAVProtection

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Value name:	DisableIOAVProtection
Value data:	1

Signature Hits	Behavior Group	Mitre Attack
Disable Windows Defender real time protection (registry)	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools Bypass User Account Control

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

DisableRealtimeMonitoring

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Value name:	DisableRealtimeMonitoring
Value data:	1

Signature Hits	Behavior Group	Mitre Attack
Disable Windows Defender real time protection (registry)	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools Bypass User Account Control

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications

DisableNotifications

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications
Value name:	DisableNotifications
Value data:	1

Signature Hits	Behavior Group	Mitre Attack
Disable Windows Defender notifications (registry)	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools Bypass User Account Control
Disable Windows Defender real time protection (registry)	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools Bypass User Account Control

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

AUOptions

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

AutoInstallMinorUpdates

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

NoAutoRebootWithLoggedOnUsers

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

UseWUServer

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

DoNotConnectToWindowsUpdateInternetLocations

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features

TamperProtection

Memdumps

Base Address

Regiontype

Protect

Malicious

415F000

stack

page read and write

233000

unkown

page execute and write copy

4651000

heap

page read and write

340000

unkown

page execute and read and write

26F000

unkown

page execute and read and write

32B000

unkown

page execute and write copy

1F3000

unkown

page execute and read and write

3B10000

heap

page read and write

4620000

heap

page read and write

340000

unkown

page execute and write copy

6DFE000

stack

page read and write

34CF000

stack

page read and write

3A0E000

stack

page read and write

429F000

stack

page read and write

29CE000

stack

page read and write

300E000

stack

page read and write

2A1000

unkown

page execute and read and write

6CBD000

stack

page read and write

4640000

direct allocation

page read and write

6F4E000

stack

page read and write

24BE000

stack

page read and write

4640000

direct allocation

page read and write

1F5000

unkown

page execute and write copy

4640000

direct allocation

page read and write

270000

unkown

page execute and write copy

4640000

direct allocation

page read and write

865000

heap

page read and write

419E000

stack

page read and write

49F0000

trusted library allocation

page read and write

4640000

direct allocation

page read and write

8A000

unkown

page execute and write copy

20F000

unkown

page execute and read and write

98D000

heap

page read and write

B8F000

stack

page read and write

4640000

direct allocation

page read and write

342000

unkown

page execute and write copy

4651000

heap

page read and write

4640000

direct allocation

page read and write

47F0000

direct allocation

page execute and read and write

274000

unkown

page execute and read and write

6E4E000

stack

page read and write

2D4F000

stack

page read and write

950000

heap

page read and write

270F000

stack

page read and write

4651000

heap

page read and write

320000

unkown

page execute and read and write

288E000

stack

page read and write

4640000

direct allocation

page read and write

6CFE000

stack

page read and write

38CE000

stack

page read and write

374F000

stack

page read and write

338F000

stack

page read and write

86000

unkown

page write copy

31E000

unkown

page execute and write copy

491B000

trusted library allocation

page execute and read and write

CCE000

stack

page read and write

26E000

unkown

page execute and write copy

47FA000

trusted library allocation

page execute and read and write

3C5F000

stack

page read and write

405E000

stack

page read and write

A8E000

stack

page read and write

830000

heap

page read and write

6F8E000

stack

page read and write

2D8E000

stack

page read and write

2C1000

unkown

page execute and write copy

47A0000

direct allocation

page read and write

4A10000

heap

page read and write

2ECE000

stack

page read and write

2DA000

unkown

page execute and write copy

95E000

heap

page read and write

BCE000

stack

page read and write

4651000

heap

page read and write

3F1E000

stack

page read and write

328E000

stack

page read and write

260B000

stack

page read and write

4640000

direct allocation

page read and write

39CF000

stack

page read and write

4640000

direct allocation

page read and write

708E000

stack

page read and write

213000

unkown

page execute and read and write

310F000

stack

page read and write

4651000

heap

page read and write

33CE000

stack

page read and write

96000

unkown

page execute and write copy

226000

unkown

page execute and write copy

4651000

heap

page read and write

4640000

direct allocation

page read and write

3B5E000

stack

page read and write

4651000

heap

page read and write

4990000

trusted library allocation

page read and write

4800000

heap

page read and write

5B45000

trusted library allocation

page read and write

285000

unkown

page execute and write copy

2C0000

unkown

page execute and read and write

28D000

unkown

page execute and read and write

4930000

direct allocation

page execute and read and write

4600000

direct allocation

page read and write

3B0F000

stack

page read and write

332000

unkown

page execute and write copy

378E000

stack

page read and write

24C7000

heap

page read and write

2B7000

unkown

page execute and write copy

251000

unkown

page execute and write copy

4640000

direct allocation

page read and write

4BC000

stack

page read and write

4651000

heap

page read and write

3D9F000

stack

page read and write

47A0000

direct allocation

page read and write

259000

unkown

page execute and write copy

2B0E000

stack

page read and write

25CF000

stack

page read and write

82000

unkown

page execute and read and write

4651000

heap

page read and write

5B9000

stack

page read and write

29F000

unkown

page execute and write copy

5B21000

trusted library allocation

page read and write

2B0000

unkown

page execute and read and write

4651000

heap

page read and write

2ACF000

stack

page read and write

274E000

stack

page read and write

263000

unkown

page execute and read and write

3DDE000

stack

page read and write

3EDF000

stack

page read and write

21C000

unkown

page execute and write copy

8A000

unkown

page execute and read and write

4B21000

trusted library allocation

page read and write

297000

unkown

page execute and read and write

5B24000

trusted library allocation

page read and write

82000

unkown

page execute and write copy

490E000

stack

page read and write

2C4E000

stack

page read and write

2BC000

unkown

page execute and read and write

21D000

unkown

page execute and read and write

224000

unkown

page execute and read and write

4917000

trusted library allocation

page execute and read and write

324F000

stack

page read and write

8A000

unkown

page execute and write copy

21F000

unkown

page execute and write copy

2AB000

unkown

page execute and write copy

820000

heap

page read and write

27B000

unkown

page execute and read and write

4750000

trusted library allocation

page read and write

288000

unkown

page execute and write copy

388F000

stack

page read and write

4794000

trusted library allocation

page read and write

4770000

trusted library allocation

page read and write

98F000

heap

page read and write

4651000

heap

page read and write

80000

unkown

page read and write

236000

unkown

page execute and read and write

4640000

direct allocation

page read and write

47F0000

trusted library allocation

page read and write

342000

unkown

page execute and write copy

284F000

stack

page read and write

6E00000

heap

page execute and read and write

2C9000

unkown

page execute and read and write

997000

heap

page read and write

860000

heap

page read and write

86000

unkown

page write copy

4651000

heap

page read and write

49A0000

heap

page execute and read and write

9AC000

heap

page read and write

350E000

stack

page read and write

4651000

heap

page read and write

4B1F000

stack

page read and write

360F000

stack

page read and write

2BD000

unkown

page execute and write copy

4651000

heap

page read and write

210000

unkown

page execute and write copy

4980000

trusted library allocation

page execute and read and write

4651000

heap

page read and write

231000

unkown

page execute and read and write

227000

unkown

page execute and read and write

364E000

stack

page read and write

4640000

direct allocation

page read and write

3C9E000

stack

page read and write

4651000

heap

page read and write

47DB000

stack

page read and write

497E000

stack

page read and write

298F000

stack

page read and write

4651000

heap

page read and write

230000

unkown

page execute and write copy

4790000

trusted library allocation

page read and write

2E8F000

stack

page read and write

95A000

heap

page read and write

4784000

trusted library allocation

page read and write

294000

unkown

page execute and write copy

401F000

stack

page read and write

2C0F000

stack

page read and write

252000

unkown

page execute and read and write

332000

unkown

page execute and write copy

4783000

trusted library allocation

page execute and read and write

276000

unkown

page execute and write copy

4650000

heap

page read and write

4660000

heap

page read and write

21C000

unkown

page execute and write copy

277000

unkown

page execute and read and write

80000

unkown

page readonly

278000

unkown

page execute and write copy

24C0000

heap

page read and write

47A0000

direct allocation

page read and write

314E000

stack

page read and write

2FCF000

stack

page read and write

49EC000

stack

page read and write

2DB000

unkown

page execute and read and write

4930000

trusted library allocation

page read and write

287000

unkown

page execute and read and write

478D000

trusted library allocation

page execute and read and write

4910000

trusted library allocation

page read and write

There are 199 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

Registry

Memdumps

IOC Report
file.exe