Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Gxm6KI51wl.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.1587006887290725
Filename:	Gxm6KI51wl.exe
Filesize:	720896
MD5:	1a1debc631daab24c955c28aa18e909b
SHA1:	55e9a22c7d5d1eceffdc9657e78da59ec471f90e
SHA256:	e09370c9adc09c15eb8d05301bd3c74ef76e98b8a2fa2089df9c4ec5d7b4e047
SHA512:	ad13d127931ab0a75d6d6732b52df590b548adf45cd2886ee9cb49fe82a0570c474bd6efa80ae3be8364939df964bc127bdc4cb655313ff8be788d6d2a430c56
SSDEEP:	12288:kOxjCHqsMHuZud8HWtEfGI48z2/Ne7FJTPibnlqap5meCVY4B7gxuLHYuaMPtggw:5Ie81eI48647PT
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ... ....@.. .......................`............@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation
.NET source code contains potential unpacker	Data Obfuscation
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Security Software Discovery
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
Found large amount of non-executed APIs	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	File and Directory Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Security Software Discovery
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Security Software Discovery
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools Obfuscated Files or Information
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Gxm6KI51wl.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Gxm6KI51wl.exe.log
Category:	dropped
Dump:	Gxm6KI51wl.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Gxm6KI51wl.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.0050635535766075
Encrypted:	false
Ssdeep:	3:QHXMKa/xwwUy:Q3La/xwQ
Size:	42
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\d3d9x.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\d3d9x.dll
Category:	dropped
Dump:	d3d9x.dll.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Gxm6KI51wl.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.583072660656992
Encrypted:	false
Ssdeep:	12288:LItXaj3jmzqKl/sBFOh2XQifmjlK1L6cfHm8Qqz0w9H4ioVy1ymytypyeyryXyCm:Zjir/6FOh2XQifmjlK1L6cfHm8Qqz0we
Size:	710656
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
Category:	dropped
Dump:	MSBuild.exe.log.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.345080863654519
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
Size:	1119
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Gxm6KI51wl.exe

"C:\Users\user\Desktop\Gxm6KI51wl.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4908
Target ID:	0
Parent PID:	4056
Name:	Gxm6KI51wl.exe
Path:	C:\Users\user\Desktop\Gxm6KI51wl.exe
Commandline:	"C:\Users\user\Desktop\Gxm6KI51wl.exe"
Size:	720896
MD5:	1A1DEBC631DAAB24C955C28AA18E909B
Time:	11:06:59
Date:	29/08/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x2c0000
Modulesize:	745472
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected zgRAT	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	2684
Target ID:	3
Parent PID:	4908
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	11:07:00
Date:	29/08/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x3d0000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected zgRAT	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	2688
Target ID:	1
Parent PID:	4908
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	11:06:59
Date:	29/08/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Domains

Name

Malicious

bg.microsoft.map.fastly.net

199.232.214.172

time.windows.com

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

802000

remote allocation

page execute and read and write

6D86B000

unkown

page read and write

AB8000

heap

page read and write

4CD0000

trusted library allocation

page read and write

880000

heap

page read and write

E07000

trusted library allocation

page execute and read and write

DAE000

stack

page read and write

4DF0000

heap

page read and write

E6E000

stack

page read and write

8C0000

heap

page read and write

AF1000

heap

page read and write

E70000

heap

page read and write

4DFC000

heap

page read and write

63C000

stack

page read and write

4EF0000

trusted library allocation

page read and write

2C0000

unkown

page readonly

2C2000

unkown

page readonly

4C72000

trusted library allocation

page read and write

47AE000

stack

page read and write

2870000

trusted library allocation

page read and write

27E0000

trusted library allocation

page read and write

FA0000

heap

page read and write

AC7000

heap

page read and write

4DF8000

heap

page read and write

5960000

heap

page read and write

4C6D000

trusted library allocation

page read and write

A3B000

heap

page read and write

6D841000

unkown

page execute read

538D000

stack

page read and write

4F70000

trusted library section

page readonly

48FC000

stack

page read and write

800000

remote allocation

page execute and read and write

50C0000

trusted library allocation

page execute and read and write

27F0000

heap

page execute and read and write

4C10000

trusted library allocation

page read and write

A18000

heap

page read and write

4FB5000

heap

page read and write

6A50000

heap

page read and write

B90000

trusted library allocation

page read and write

4C95000

trusted library allocation

page read and write

B77000

trusted library allocation

page execute and read and write

A10000

heap

page read and write

5950000

heap

page read and write

4FA0000

trusted library allocation

page read and write

A5F000

heap

page read and write

A33000

trusted library allocation

page execute and read and write

A4E000

heap

page read and write

4D20000

heap

page read and write

A80000

heap

page read and write

B4D000

trusted library allocation

page execute and read and write

4C44000

trusted library allocation

page read and write

85E000

remote allocation

page execute and read and write

724D000

stack

page read and write

F90000

trusted library allocation

page read and write

523E000

stack

page read and write

4C80000

trusted library allocation

page read and write

AB3000

heap

page read and write

4F6B000

stack

page read and write

EBD000

stack

page read and write

738E000

stack

page read and write

B66000

trusted library allocation

page execute and read and write

50B0000

trusted library allocation

page read and write

7130000

trusted library allocation

page read and write

4CAE000

trusted library allocation

page read and write

A0E000

stack

page read and write

25DE000

stack

page read and write

9CE000

stack

page read and write

7140000

heap

page execute and read and write

4FC0000

trusted library allocation

page execute and read and write

980000

heap

page read and write

4C40000

trusted library allocation

page read and write

DEF000

stack

page read and write

4C4B000

trusted library allocation

page read and write

A34000

trusted library allocation

page read and write

4F00000

trusted library allocation

page read and write

A4E000

heap

page read and write

9CE000

stack

page read and write

BA0000

heap

page read and write

4FB0000

heap

page read and write

A40000

heap

page read and write

B6A000

trusted library allocation

page execute and read and write

B5D000

trusted library allocation

page execute and read and write

41B3000

trusted library allocation

page read and write

4D5E000

stack

page read and write

6D840000

unkown

page readonly

26BB000

trusted library allocation

page read and write

26A0000

heap

page execute and read and write

850000

heap

page read and write

770000

heap

page read and write

AB7000

heap

page read and write

4CA0000

trusted library allocation

page read and write

597000

stack

page read and write

27D0000

trusted library allocation

page read and write

728E000

stack

page read and write

89E000

stack

page read and write

3F68000

trusted library allocation

page read and write

4C61000

trusted library allocation

page read and write

B30000

trusted library allocation

page read and write

4C5E000

trusted library allocation

page read and write

276E000

stack

page read and write

2801000

trusted library allocation

page read and write

985000

heap

page read and write

527E000

stack

page read and write

FA7000

heap

page read and write

F80000

trusted library allocation

page execute and read and write

EC0000

heap

page read and write

36B5000

trusted library allocation

page read and write

AAA000

heap

page read and write

ABD000

heap

page read and write

26BF000

trusted library allocation

page read and write

5280000

heap

page read and write

4DD0000

trusted library allocation

page execute and read and write

4E32000

heap

page read and write

714F000

stack

page read and write

AD3000

heap

page read and write

6D864000

unkown

page readonly

73B000

stack

page read and write

A6B000

heap

page read and write

2690000

trusted library allocation

page read and write

A0E000

stack

page read and write

B44000

trusted library allocation

page read and write

26B1000

trusted library allocation

page read and write

B7B000

trusted library allocation

page execute and read and write

863F000

stack

page read and write

6D8EF000

unkown

page readonly

4B20000

heap

page read and write

4F80000

heap

page read and write

6D8E5000

unkown

page execute read

A2F000

heap

page read and write

718E000

stack

page read and write

4C66000

trusted library allocation

page read and write

27B0000

heap

page read and write

B60000

trusted library allocation

page read and write

26B9000

trusted library allocation

page read and write

51FE000

stack

page read and write

AC2000

heap

page read and write

853E000

stack

page read and write

B40000

trusted library allocation

page read and write

2680000

trusted library allocation

page execute and read and write

2660000

heap

page read and write

E0B000

trusted library allocation

page execute and read and write

711E000

stack

page read and write

4C90000

trusted library allocation

page read and write

36B1000

trusted library allocation

page read and write

A48000

heap

page read and write

4F90000

heap

page read and write

A20000

trusted library allocation

page read and write

B53000

trusted library allocation

page read and write

8C5000

heap

page read and write

CD4000

trusted library allocation

page read and write

27AC000

stack

page read and write

4C8F000

trusted library allocation

page read and write

A74000

heap

page read and write

CE0000

heap

page read and write

B43000

trusted library allocation

page execute and read and write

3801000

trusted library allocation

page read and write

6B60000

trusted library allocation

page execute and read and write

4FD0000

heap

page execute and read and write

4C4E000

trusted library allocation

page read and write

499000

stack

page read and write

B72000

trusted library allocation

page read and write

4AF0000

heap

page read and write

4DE0000

heap

page read and write

873E000

stack

page read and write

4CB0000

trusted library allocation

page read and write

CD0000

trusted library allocation

page read and write

F7E000

stack

page read and write

4B10000

heap

page read and write

4C5E000

stack

page read and write

CAE000

stack

page read and write

960000

heap

page read and write

4DE3000

heap

page read and write

4E0C000

heap

page read and write

There are 163 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Gxm6KI51wl.exe

Files

Processes

Domains

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportGxm6KI51wl.exe

Files

Processes

Domains

Memdumps

IOC Report
Gxm6KI51wl.exe