Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\AUCHKVG4Ic.exe

"C:\Users\user\Desktop\AUCHKVG4Ic.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4588
Target ID:	0
Parent PID:	2580
Name:	AUCHKVG4Ic.exe
Path:	C:\Users\user\Desktop\AUCHKVG4Ic.exe
Commandline:	"C:\Users\user\Desktop\AUCHKVG4Ic.exe"
Size:	3655965
MD5:	AE76CB8BA0C29ACF348B81F607C81312
Time:	01:24:04
Date:	02/12/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe

"C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe" -i

Details

Is windows:	false
Is dropped:	true
PID:	5324
Target ID:	4
Parent PID:	3872
Name:	darelvideostudio32.exe
Path:	C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Commandline:	"C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe" -i
Size:	3955723
MD5:	E883A0F90D0EBC036ED3C6C494AD5073
Time:	01:24:06
Date:	02/12/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	3985408
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Yara detected Socks5Systemz	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files	Persistence and Installation Behavior
Detected Delphi use of System.ParamCount	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp

"C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp" /SL5="$20450,3407737,54272,C:\Users\user\Desktop\AUCHKVG4Ic.exe"

Details

Is windows:	false
Is dropped:	true
PID:	3872
Target ID:	1
Parent PID:	4588
Name:	AUCHKVG4Ic.tmp
Path:	C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
Commandline:	"C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp" /SL5="$20450,3407737,54272,C:\Users\user\Desktop\AUCHKVG4Ic.exe"
Size:	704000
MD5:	40B10288749DE20BB477384387D5FB8A
Time:	01:24:04
Date:	02/12/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	770048
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" pause darel_video_studio_1215

Details

Is windows:	true
Is dropped:	false
PID:	4008
Target ID:	2
Parent PID:	3872
Name:	net.exe
Path:	C:\Windows\SysWOW64\net.exe
Commandline:	"C:\Windows\system32\net.exe" pause darel_video_studio_1215
Size:	47104
MD5:	31890A7DE89936F922D44D677F681A7F
Time:	01:24:06
Date:	02/12/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x440000
Modulesize:	106496
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1060
Target ID:	3
Parent PID:	4008
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	01:24:06
Date:	02/12/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 pause darel_video_studio_1215

Details

Is windows:	true
Is dropped:	false
PID:	6528
Target ID:	5
Parent PID:	4008
Name:	net1.exe
Path:	C:\Windows\SysWOW64\net1.exe
Commandline:	C:\Windows\system32\net1 pause darel_video_studio_1215
Size:	139776
MD5:	2EFE6ED4C294AB8A39EB59C80813FEC1
Time:	01:24:06
Date:	02/12/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xb90000
Modulesize:	200704
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://www.innosetup.com/

unknown

https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e3008888325

unknown

https://188.119.66.185/1

unknown

http://www.remobjects.com/psU

unknown

https://188.119.66.185/p

unknown

https://188.119.66.185/priseCertificates

unknown

https://188.119.66.185//

unknown

https://188.119.66.185/n

unknown

https://188.119.66.185/mCertificates

unknown

https://188.119.66.185/8

unknown

https://188.119.66.185/rosoft

unknown

https://188.119.66.185/

unknown

https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a

188.119.66.185

http://www.zldo.narod.ru/plugins.html

unknown

https://188.119.66.185/6

unknown

https://188.119.66.185/en-GB

unknown

https://188.119.66.185/C

unknown

http://www.remobjects.com/ps

unknown

https://188.119.66.185/?

unknown

https://www.easycutstudio.com/support.html

unknown

https://188.119.66.185/allowedCert_OS_1

unknown

https://188.119.66.185/icies

unknown

https://188.119.66.185/g

unknown

There are 13 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

188.119.66.185

unknown

Russian Federation

Details

IP:	188.119.66.185
TargetID:	4
Current Path:	C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	209499
ASN name:	FLYNETRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFiles0000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFilesHash