Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.552918824670273
Filename:	file.exe
Filesize:	15604224
MD5:	3273f078f87cebc3b06e9202e3902b5c
SHA1:	03b1971e04c8e67a32f38446bd8bfac41825f9cc
SHA256:	4b6caa8467cf7ca3d7a3d3b2ac70e48510b7c4570e4810f3305aca1ef6cdf85c
SHA512:	2a0bc7bf3ffd2f2e027e0feffb803f76dd11da48335e1b66a3c1927410e0a82c6ce212901c2ace9eca5bcce51eee49a12dc4619fc31711f0770e2d55ab7730f9
SSDEEP:	196608:Wf/BAe1d4ihvy85JhhYc3BSL1kehn4inje:WfyIhhkRka4i
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e.........."...0......&......>.... ... ....@.. ....................................`................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains very large strings	System Summary
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary
Enables debug privileges	Anti Debugging
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries process information (via WMI, Win32_Process)	System Summary	Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log
Category:	dropped
Dump:	file.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	CSV text
Entropy:	5.3718223239563105
Encrypted:	false
Ssdeep:	48:MxHKQwYHKGSI6o6+vxp3/elZHNp51qHGIs0HKCtHTHhAHKKkb:iqbYqGSI6o9Zp/elZtp5wmj0qCtzHeq/
Size:	1727
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3364
Target ID:	0
Parent PID:	1028
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	15604224
MD5:	3273F078F87CEBC3B06E9202E3902B5C
Time:	10:30:34
Date:	27/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x2273e570000
Modulesize:	15630336
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected RUNPE	Malware Analysis System Evasion
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram Recon	Language, Device and Operating System Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Yara detected Generic Downloader	Networking
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

https://pastebin.com/raw/H3wFXmEi

unknown

http://nkprotect.net

unknown

http://exmple.com

unknown

https://api.telegram.org/bot

unknown

https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-windows-386.zip

unknown

https://evilcoder.mysellix.io

unknown

https://nkprotect.net

unknown

https://nkprotect.net/check.txt

82.197.80.96

https://t.me/XCoderGroup

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://www.google.com/maps/place/)icons8-letter-16.png

unknown

http://ip-api.com/csv/?fields=status

unknown

http://ip-api.com/line/?fields=hosting

unknown

There are 3 hidden URLs, click here to show them.

Domains

Name

Malicious

nkprotect.net

82.197.80.96

Details

Name:	nkprotect.net
IP:	82.197.80.96
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

s-part-0015.t-0009.t-msedge.net

13.107.246.43

IPs

Domain

Country

Malicious

82.197.80.96

nkprotect.net

United Kingdom

Details

IP:	82.197.80.96
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	25577
ASN name:	C4L-ASGB
Private:	false
Domain:	nkprotect.net

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\file_RASMANCS

FileDirectory

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2273EEB7000

unkown

page readonly

2273F209000

unkown

page readonly

91B4BFE000

stack

page read and write

2273EB1D000

unkown

page readonly

2273E973000

unkown

page readonly

2273F895000

heap

page read and write

2273EE34000

unkown

page readonly

2273E9F6000

unkown

page readonly

2273E572000

unkown

page readonly

2273E5FF000

unkown

page readonly

91B52FE000

stack

page read and write

2273E9AA000

unkown

page readonly

7FF848D7D000

trusted library allocation

page execute and read and write

91B4CFF000

stack

page read and write

2273F860000

heap

page read and write

2273F702000

heap

page read and write

22741282000

heap

page read and write

2273EAA9000

unkown

page readonly

91B54FE000

stack

page read and write

2273EB61000

unkown

page readonly

7FF848E06000

trusted library allocation

page read and write

2274151F000

trusted library allocation

page read and write

2273F0A5000

unkown

page readonly

2273F1A1000

unkown

page readonly

2273F1DD000

unkown

page readonly

91B4FFB000

stack

page read and write

2273F4E0000

heap

page read and write

2273F650000

trusted library allocation

page read and write

2273F670000

trusted library allocation

page read and write

7FF848D74000

trusted library allocation

page read and write

7FF848EF1000

trusted library allocation

page read and write

7FF848D63000

trusted library allocation

page read and write

2273E965000

unkown

page readonly

7FF848D54000

trusted library allocation

page read and write

7FF848F10000

trusted library allocation

page read and write

2273F6EA000

heap

page read and write

2274152D000

trusted library allocation

page read and write

91B4EFD000

stack

page read and write

7FF848E00000

trusted library allocation

page read and write

2273F0BE000

unkown

page readonly

22759D00000

heap

page read and write

2273F6EF000

heap

page read and write

2273EB54000

unkown

page readonly

2273E9E8000

unkown

page readonly

227413F0000

heap

page read and write

7FF848D5D000

trusted library allocation

page execute and read and write

227412F4000

heap

page read and write

91B55FE000

stack

page read and write

2273F5C0000

heap

page read and write

22741260000

heap

page read and write

2273ED79000

unkown

page readonly

91B47C3000

stack

page read and write

7FF848E70000

trusted library allocation

page execute and read and write

2273EA64000

unkown

page readonly

2273F89E000

heap

page read and write

2273E9DD000

unkown

page readonly

2273EAB8000

unkown

page readonly

2274153E000

trusted library allocation

page read and write

22759CF0000

heap

page execute and read and write

91B59FE000

stack

page read and write

22751468000

trusted library allocation

page read and write

7FF848F00000

trusted library allocation

page read and write

2273F72C000

heap

page read and write

91B51FE000

stack

page read and write

2273EE76000

unkown

page readonly

91B56FE000

stack

page read and write

227412E2000

heap

page read and write

91B58FF000

stack

page read and write

2273F600000

heap

page read and write

2275146D000

trusted library allocation

page read and write

2273EE41000

unkown

page readonly

22741306000

heap

page read and write

2273F905000

heap

page read and write

22741531000

trusted library allocation

page read and write

22741461000

trusted library allocation

page read and write

7FF848EFB000

trusted library allocation

page read and write

2273F6C6000

heap

page read and write

227414EC000

trusted library allocation

page read and write

2273EA71000

unkown

page readonly

2275B650000

trusted library allocation

page read and write

227414E8000

trusted library allocation

page read and write

2273E9C4000

unkown

page readonly

7FF848D6D000

trusted library allocation

page execute and read and write

22751461000

trusted library allocation

page read and write

2273F1A5000

unkown

page readonly

2273F6C0000

heap

page read and write

2273EC1F000

unkown

page readonly

91B50FE000

stack

page read and write

7FF848D70000

trusted library allocation

page read and write

227412E0000

heap

page read and write

2273F6E3000

heap

page read and write

2273F7A8000

heap

page read and write

2273F0F7000

unkown

page readonly

2273EE19000

unkown

page readonly

2273EB36000

unkown

page readonly

7FF848DAC000

trusted library allocation

page execute and read and write

2273F0CC000

unkown

page readonly

227414DA000

trusted library allocation

page read and write

2273EA11000

unkown

page readonly

7FF4BB150000

trusted library allocation

page execute and read and write

2273EEA1000

unkown

page readonly

2273EA2A000

unkown

page readonly

7FF848E10000

trusted library allocation

page execute and read and write

2273F05B000

unkown

page readonly

2273E5F2000

unkown

page readonly

2273E94A000

unkown

page readonly

2273F900000

heap

page read and write

2273EDB1000

unkown

page readonly

22741502000

trusted library allocation

page read and write

2273E99C000

unkown

page readonly

7FF848E36000

trusted library allocation

page execute and read and write

2273EAB3000

unkown

page readonly

7FF848F20000

trusted library allocation

page execute and read and write

2273F0B3000

unkown

page readonly

2273EA56000

unkown

page readonly

2273F5E0000

heap

page read and write

2273EC2C000

unkown

page readonly

91B4AFE000

stack

page read and write

2273F125000

unkown

page readonly

7FF848D53000

trusted library allocation

page execute and read and write

2273EA38000

unkown

page readonly

91B53FB000

stack

page read and write

22741331000

heap

page read and write

2273EA7F000

unkown

page readonly

2273E9B7000

unkown

page readonly

7FF848E0C000

trusted library allocation

page execute and read and write

2273E570000

unkown

page readonly

2273F6DF000

heap

page read and write

2274150D000

trusted library allocation

page read and write

91B57FD000

stack

page read and write

22741450000

heap

page execute and read and write

2273F79E000

heap

page read and write

2273F6CC000

heap

page read and write

2273E970000

unkown

page readonly

2273F890000

heap

page read and write

227414D7000

trusted library allocation

page read and write

2273E96C000

unkown

page readonly

22741270000

heap

page read and write

91B4DFE000

stack

page read and write

227413F3000

heap

page read and write

2273F0FC000

unkown

page readonly

2273E959000

unkown

page readonly

2273F117000

unkown

page readonly

2273EE68000

unkown

page readonly

2273E570000

unkown

page readonly

7FF848D7B000

trusted library allocation

page execute and read and write

2273EAE3000

unkown

page readonly

2273EAF4000

unkown

page readonly

2273ED6B000

unkown

page readonly

There are 139 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
file.exe