Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

JIL-_Document_No._2500015903.cmd

Microsoft Cabinet archive data, Windows 2000/XP setup, 4294967295 bytes, 1 file, at 0x75 +A "x.exe", number 1, 39 datablocks, 0 compression

initial sample

Details

Filetype:	Microsoft Cabinet archive data, Windows 2000/XP setup, 4294967295 bytes, 1 file, at 0x75 +A "x.exe", number 1, 39 datablocks, 0 compression
Entropy:	7.390263772618847
Filename:	JIL-_Document_No._2500015903.cmd
Filesize:	1268675
MD5:	77be0aa379a1cae6efbaa06091238fc0
SHA1:	28e485a4e1de330f0750458b6d5b8841af2fd095
SHA256:	d7ab60ae836fe857b14fdc6e19147e60e8f74ede79562fa60b08cb5c3d4afd5f
SHA512:	c8d4c41808c3f0f9f5859c4cc45cebdb0162e47cae3742df128747bab6aa4ead4dfa5701949d93443a06fcaa781e35c7afe7a2009d6ad7dee1146854d03cbdec
SSDEEP:	24576:gbR0hl6fIBF+3SX7rSgyi3Bng7TUsGTX8j2fW3hh:gdGguKDNIBng7TUhTX8j2fsh
Preview:	MSCF............u.......................'.......cls && extrac32 /y "%~f0" "%tmp%\x.exe" && start "" "%tmp%\x.exe".....Z............ .x.exe.........MZP.....................@...............................................!..L.!..This program must be run und

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\x.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\x.exe
Category:	dropped
Dump:	x.exe.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Windows\System32\extrac32.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.390822558230329
Encrypted:	false
Ssdeep:	24576:ebRMhJO7IBx+T+jPrqkmifBnk7fUomfX4nOLWzpF:edSAu6PVABnk7fU1fX4nOLwF
Size:	1268224
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Allocates many large memory junks	Malware Analysis System Evasion	Security Software Discovery
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)	Anti Debugging	Security Software Discovery
Machine Learning detection for dropped file	AV Detection
Abnormal high CPU Usage	System Summary
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Contains functionality to call native functions	System Summary
Contains functionality to check if a connection to the internet is available	Networking	System Information Discovery System Network Connections Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Access Token Manipulation
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Information Discovery System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Program exit points	Malware Analysis System Evasion
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\AppData\Local\Temp\x.exe

"C:\Users\user\AppData\Local\Temp\x.exe"

Details

Is windows:	false
Is dropped:	true
PID:	4256
Target ID:	3
Parent PID:	7164
Name:	x.exe
Path:	C:\Users\user\AppData\Local\Temp\x.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\x.exe"
Size:	1268224
MD5:	33DE1300C5879C8093B210EA96359783
Time:	07:52:00
Date:	26/12/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1302528
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected DBatLoader	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\JIL-_Document_No._2500015903.cmd" "

Details

Is windows:	true
Is dropped:	false
PID:	7164
Target ID:	0
Parent PID:	1028
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\JIL-_Document_No._2500015903.cmd" "
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	07:51:59
Date:	26/12/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6f2e10000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4564
Target ID:	1
Parent PID:	7164
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	07:51:59
Date:	26/12/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\extrac32.exe

extrac32 /y "C:\Users\user\Desktop\JIL-_Document_No._2500015903.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5252
Target ID:	2
Parent PID:	7164
Name:	extrac32.exe
Class:	system-tools
Path:	C:\Windows\System32\extrac32.exe
Commandline:	extrac32 /y "C:\Users\user\Desktop\JIL-_Document_No._2500015903.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
Size:	35328
MD5:	41330D97BF17D07CD4308264F3032547
Time:	07:51:59
Date:	26/12/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7e79a0000
Modulesize:	53248
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://programania.com/en.htm

unknown

http://programania.com/en.zip

unknown

http://programania.com/en_source.zip

unknown

http://programania.com/index_ru.htm

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

2276000

direct allocation

page read and write

7FB80000

direct allocation

page read and write

2079A000

direct allocation

page read and write

24E0000

heap

page read and write

20F87284000

heap

page read and write

20F84A50000

heap

page read and write

20F87283000

heap

page read and write

7F430000

direct allocation

page read and write

7FA40000

direct allocation

page read and write

20773000

direct allocation

page read and write

7FA50000

direct allocation

page read and write

20F84ADB000

heap

page read and write

7FDB0000

direct allocation

page read and write

7F430000

direct allocation

page read and write

660000

heap

page read and write

7ECD0000

direct allocation

page read and write

20F84CF3000

heap

page read and write

26E0C8B000

stack

page read and write

20F84AF8000

heap

page read and write

207A8000

direct allocation

page read and write

2891000

direct allocation

page execute and read and write

20F84DAC000

heap

page read and write

7FC00000

direct allocation

page read and write

20F84AF4000

heap

page read and write

20F84ACB000

heap

page read and write

20F84DA0000

heap

page read and write

2077C000

direct allocation

page read and write

2313000

direct allocation

page read and write

20F84A40000

heap

page read and write

720000

heap

page read and write

26E0D0E000

stack

page read and write

20F84AC7000

heap

page read and write

2075E000

direct allocation

page read and write

75E000

heap

page read and write

7F1C0000

direct allocation

page read and write

A4F000

stack

page read and write

22FD000

direct allocation

page read and write

7F910000

direct allocation

page read and write

20F84AF8000

heap

page read and write

20F84AF8000

heap

page read and write

2986000

direct allocation

page execute and read and write

665000

heap

page read and write

208AA000

stack

page read and write

20F84B13000

heap

page read and write

20F84CC0000

heap

page read and write

20F84AB7000

heap

page read and write

20F84AC7000

heap

page read and write

483000

unkown

page readonly

730000

direct allocation

page execute and read and write

47E000

unkown

page write copy

21060000

heap

page read and write

20F86A80000

trusted library allocation

page read and write

231A000

direct allocation

page read and write

209EF000

stack

page read and write

7F300000

direct allocation

page read and write

478000

unkown

page read and write

7F2F0000

direct allocation

page read and write

7FD10000

direct allocation

page read and write

20F84AD6000

heap

page read and write

285D000

direct allocation

page read and write

7FC70000

direct allocation

page read and write

20F84ACB000

heap

page read and write

7F2F0000

direct allocation

page read and write

20F84DA5000

heap

page read and write

6C0000

heap

page read and write

1F0000

heap

page read and write

20F84ACB000

heap

page read and write

21070000

heap

page read and write

2321000

direct allocation

page read and write

2073F000

direct allocation

page read and write

20784000

direct allocation

page read and write

759000

heap

page read and write

208AF000

stack

page read and write

20765000

direct allocation

page read and write

610000

heap

page read and write

478000

unkown

page write copy

20F84AF8000

heap

page read and write

20F84A70000

heap

page read and write

401000

unkown

page execute read

7FA50000

direct allocation

page read and write

65E000

stack

page read and write

6C6000

heap

page read and write

208AE000

stack

page execute and read and write

21050000

heap

page read and write

20F84AB0000

heap

page read and write

2831000

direct allocation

page execute read

22E0000

direct allocation

page read and write

2328000

direct allocation

page read and write

20F84B13000

heap

page read and write

2988000

direct allocation

page execute and read and write

208EE000

stack

page read and write

20757000

direct allocation

page read and write

207A1000

direct allocation

page read and write

288E000

direct allocation

page read and write

19D000

stack

page read and write

2304000

direct allocation

page read and write

400000

unkown

page readonly

7A7000

heap

page read and write

7F55B000

direct allocation

page read and write

6AE000

stack

page read and write

9B000

stack

page read and write

20DBF000

stack

page read and write

26E107F000

stack

page read and write

20F84ADB000

heap

page read and write

700000

heap

page read and write

2340000

heap

page read and write

94F000

stack

page read and write

2830000

direct allocation

page readonly

7ECD0000

direct allocation

page read and write

20793000

direct allocation

page read and write

230C000

direct allocation

page read and write

26E0D8E000

stack

page read and write

7F300000

direct allocation

page read and write

750000

heap

page read and write

20F84AF3000

heap

page read and write

20F84CF0000

heap

page read and write

20F87280000

heap

page read and write

24E3000

heap

page read and write

7F910000

direct allocation

page read and write

249C000

stack

page read and write

20CBE000

stack

page read and write

20F84AC3000

heap

page read and write

There are 112 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
JIL-_Document_No._2500015903.cmd

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportJIL-_Document_No._2500015903.cmd

Files

Processes

URLs

Memdumps

IOC Report
JIL-_Document_No._2500015903.cmd