Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

PO#38595.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.802897165564634
Filename:	PO#38595.exe
Filesize:	1532928
MD5:	c4e638a246b7dd028ac2be462ea75582
SHA1:	d19ecd635b9f4c68775956438d0f140d7f04d488
SHA256:	ae2f77ad311caf919d2c2ed85c691d9906185b06b01d153d49bfa8ddb132ee3d
SHA512:	e37ceef34045b929840bf34df381d6849b5e9a173a25ae15dfe706578cfd49f94b734e7a342701e83f3cef68031dfe9f6f9fc4cacba64e9734c218541ee94baa
SSDEEP:	24576:Ytb20pkaCqT5TBWgNQ7authteGoQ8p/bSsFxxmxC6A:hVg5tQ7aoAGoQ8pj3FxN5
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection	Disable or Modify Tools
Binary is likely a compiled AutoIt script file	System Summary	Virtualization/Sandbox Evasion Security Software Discovery
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools Security Software Discovery
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion	System Information Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts Access Token Manipulation Disable or Modify Tools
Contains functionality to launch a process as a different user	System Summary
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Disable or Modify Tools
Contains functionality to read the PEB	Anti Debugging	Security Software Discovery
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection Disable or Modify Tools
Detected potential crypto function	System Summary	System Time Discovery Archive Collected Data Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
Found evaded block containing many API calls	Malware Analysis System Evasion	Native API Disable or Modify Tools
Found large amount of non-executed APIs	Malware Analysis System Evasion	System Time Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Disable or Modify Tools System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Disable or Modify Tools
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Security Software Discovery
Contains functionality for error logging	System Summary	Disable or Modify Tools
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary	Security Software Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Security Software Discovery Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Creates temporary files	System Summary	Security Software Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion	Disable or Modify Tools
Reads software policies	System Summary
Sample is known by Antivirus	System Summary	Disable or Modify Tools
Tries to load missing DLLs	System Summary	DLL Side-Loading Disable or Modify Tools
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary	Disable or Modify Tools

C:\Users\user\AppData\Local\Temp\Melber

ASCII text, with very long lines (57348), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Melber
Category:	dropped
Dump:	Melber.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\PO#38595.exe
Type:	ASCII text, with very long lines (57348), with no line terminators
Entropy:	2.789928733323229
Encrypted:	false
Ssdeep:	384:ljTF4Z76n17h8toAs6pZwsPsiKy8Dv0JCjWV+Xv2P05GfW4:lnF4Z76n17ioo5s1+J2WsXNo
Size:	57348
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\aut3804.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut3804.tmp
Category:	dropped
Dump:	aut3804.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\PO#38595.exe
Type:	data
Entropy:	7.994773456801255
Encrypted:	true
Ssdeep:	6144:08+aHdAVJOtEwH5bEvmYeccRWl3e/R87yS:08PHdAVJOtECJkwgOS7yS
Size:	286720
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\aut3843.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut3843.tmp
Category:	dropped
Dump:	aut3843.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\PO#38595.exe
Type:	data
Entropy:	7.615610313043063
Encrypted:	false
Ssdeep:	192:RE7FGNNtmlNBngKgUnVXN5yk0QDa6XL6aAYsDmjp6hw97EbU/RCMrljgukT:RcGrtmlXxpnVXf0V6XOgsDCUDBT
Size:	11228
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\harrowment

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\harrowment
Category:	dropped
Dump:	harrowment.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\PO#38595.exe
Type:	data
Entropy:	7.994773456801255
Encrypted:	true
Ssdeep:	6144:08+aHdAVJOtEwH5bEvmYeccRWl3e/R87yS:08PHdAVJOtECJkwgOS7yS
Size:	286720
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\PO#38595.exe

"C:\Users\user\Desktop\PO#38595.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6304
Target ID:	0
Parent PID:	2580
Name:	PO#38595.exe
Path:	C:\Users\user\Desktop\PO#38595.exe
Commandline:	"C:\Users\user\Desktop\PO#38595.exe"
Size:	1532928
MD5:	C4E638A246B7DD028AC2BE462EA75582
Time:	12:50:03
Date:	29/08/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xa80000
Modulesize:	1560576
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Uncommon Svchost Parent Process	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\svchost.exe

"C:\Users\user\Desktop\PO#38595.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6596
Target ID:	1
Parent PID:	6304
Name:	svchost.exe
Path:	C:\Windows\SysWOW64\svchost.exe
Commandline:	"C:\Users\user\Desktop\PO#38595.exe"
Size:	46504
MD5:	1ED18311E3DA35942DB37D15FA40CC5B
Time:	12:50:04
Date:	29/08/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x940000
Modulesize:	53248
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected FormBook	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Uncommon Svchost Parent Process	System Summary
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

Memdumps

Base Address

Regiontype

Protect

Malicious

400000

system

page execute and read and write

3440000

direct allocation

page read and write

2E00000

heap

page read and write

158F000

heap

page read and write

168F000

heap

page read and write

1416000

heap

page read and write

1610000

heap

page read and write

171D000

heap

page read and write

3F10000

direct allocation

page read and write

2E13000

heap

page read and write

140D000

heap

page read and write

1686000

heap

page read and write

3005000

heap

page read and write

A81000

unkown

page execute read

16DC000

heap

page read and write

3200000

heap

page read and write

3E43000

direct allocation

page read and write

161B000

heap

page read and write

14DD000

heap

page read and write

1633000

heap

page read and write

40AE000

direct allocation

page read and write

16F3000

heap

page read and write

147E000

heap

page read and write

B96000

unkown

page readonly

2E13000

heap

page read and write

16A7000

heap

page read and write

146E000

heap

page read and write

166D000

heap

page read and write

B88000

unkown

page readonly

1554000

heap

page read and write

3980000

heap

page read and write

3F10000

direct allocation

page read and write

B44000

unkown

page readonly

13DE000

heap

page read and write

38D1000

direct allocation

page execute and read and write

15DD000

heap

page read and write

14FA000

heap

page read and write

16FD000

heap

page read and write

3017000

heap

page read and write

16AF000

heap

page read and write

405E000

direct allocation

page read and write

A80000

unkown

page readonly

1609000

heap

page read and write

333E000

stack

page read and write

156E000

heap

page read and write

1432000

heap

page read and write

13DA000

heap

page read and write

3D70000

direct allocation

page read and write

155F000

heap

page read and write

146E000

heap

page read and write

158F000

heap

page read and write

15EF000

heap

page read and write

2E13000

heap

page read and write

166E000

heap

page read and write

147D000

heap

page read and write

155F000

heap

page read and write

140C000

heap

page read and write

166D000

heap

page read and write

2C70000

heap

page read and write

3017000

heap

page read and write

3490000

direct allocation

page read and write

145B000

heap

page read and write

4039000

direct allocation

page read and write

3490000

direct allocation

page read and write

1564000

heap

page read and write

40AE000

direct allocation

page read and write

166D000

heap

page read and write

147D000

heap

page read and write

4039000

direct allocation

page read and write

2E13000

heap

page read and write

147D000

heap

page read and write

3E43000

direct allocation

page read and write

3EC0000

direct allocation

page read and write

15BC000

heap

page read and write

403D000

direct allocation

page read and write

166D000

heap

page read and write

3490000

direct allocation

page read and write

38CD000

direct allocation

page execute and read and write

1550000

heap

page read and write

147D000

heap

page read and write

16D3000

heap

page read and write

3FE9000

direct allocation

page read and write

3490000

direct allocation

page read and write

B44000

unkown

page readonly

3E43000

direct allocation

page read and write

163E000

heap

page read and write

1416000

heap

page read and write

1440000

heap

page read and write

13AE000

stack

page read and write

3950000

heap

page read and write

2C50000

heap

page read and write

167F000

heap

page read and write

16A7000

heap

page read and write

1330000

heap

page read and write

15C3000

heap

page read and write

2E13000

heap

page read and write

A81000

unkown

page execute read

3970000

direct allocation

page execute and read and write

1360000

heap

page read and write

379E000

direct allocation

page execute and read and write

2E13000

heap

page read and write

172E000

heap

page read and write

1686000

heap

page read and write

2C3C000

stack

page read and write

3A01000

heap

page read and write

3E93000

direct allocation

page read and write

1250000

heap

page read and write

3FED000

direct allocation

page read and write

3529000

heap

page read and write

2D80000

heap

page read and write

B3A000

unkown

page write copy

2E13000

heap

page read and write

156C000

heap

page read and write

1432000

heap

page read and write

B0D000

unkown

page readonly

16F3000

heap

page read and write

167F000

heap

page read and write

4039000

direct allocation

page read and write

2E13000

heap

page read and write

2E13000

heap

page read and write

11BB000

stack

page read and write

40AE000

direct allocation

page read and write

200E000

stack

page read and write

3FED000

direct allocation

page read and write

A80000

unkown

page readonly

343F000

stack

page read and write

A6A000

stack

page read and write

1461000

heap

page read and write

B88000

unkown

page readonly

2E13000

heap

page read and write

3729000

direct allocation

page execute and read and write

1543000

heap

page read and write

163D000

heap

page read and write

405E000

direct allocation

page read and write

2E13000

heap

page read and write

2E13000

heap

page read and write

1680000

heap

page read and write

16FD000

heap

page read and write

147D000

heap

page read and write

2E13000

heap

page read and write

15D3000

heap

page read and write

B96000

unkown

page readonly

165F000

heap

page read and write

2E13000

heap

page read and write

1543000

heap

page read and write

1633000

heap

page read and write

3D70000

direct allocation

page read and write

13D0000

heap

page read and write

3000000

heap

page read and write

B3F000

unkown

page write copy

147D000

heap

page read and write

2E13000

heap

page read and write

3FE9000

direct allocation

page read and write

3CD0000

direct allocation

page read and write

1475000

heap

page read and write

171E000

heap

page read and write

B4C000

unkown

page readonly

2E13000

heap

page read and write

1609000

heap

page read and write

1BCE000

stack

page read and write

1414000

heap

page read and write

2E13000

heap

page read and write

11DB000

stack

page read and write

1609000

heap

page read and write

2CA0000

heap

page read and write

2E13000

heap

page read and write

3D20000

direct allocation

page read and write

3984000

heap

page read and write

B2E000

unkown

page readonly

3D70000

direct allocation

page read and write

2E13000

heap

page read and write

2E13000

heap

page read and write

1661000

heap

page read and write

1535000

heap

page read and write

1554000

heap

page read and write

2E13000

heap

page read and write

157F000

heap

page read and write

3F10000

direct allocation

page read and write

1726000

heap

page read and write

146E000

heap

page read and write

16AF000

heap

page read and write

2E13000

heap

page read and write

156E000

heap

page read and write

1698000

heap

page read and write

405E000

direct allocation

page read and write

147D000

heap

page read and write

3600000

direct allocation

page execute and read and write

147D000

heap

page read and write

170D000

heap

page read and write

B85000

unkown

page readonly

359E000

heap

page read and write

2E02000

heap

page read and write

3323000

heap

page read and write

156C000

heap

page read and write

B3A000

unkown

page read and write

3D20000

direct allocation

page read and write

11FC000

stack

page read and write

3EC0000

direct allocation

page read and write

16BA000

heap

page read and write

15A3000

heap

page read and write

15AC000

heap

page read and write

29DD000

stack

page read and write

2E13000

heap

page read and write

2E13000

heap

page read and write

1634000

heap

page read and write

403D000

direct allocation

page read and write

3490000

direct allocation

page read and write

2E13000

heap

page read and write

16D3000

heap

page read and write

168F000

heap

page read and write

372D000

direct allocation

page execute and read and write

1535000

heap

page read and write

1416000

heap

page read and write

147D000

heap

page read and write

3E93000

direct allocation

page read and write

B4C000

unkown

page readonly

161C000

heap

page read and write

1414000

heap

page read and write

147D000

heap

page read and write

3012000

heap

page read and write

3FED000

direct allocation

page read and write

16B9000

heap

page read and write

B85000

unkown

page readonly

16D3000

heap

page read and write

158F000

heap

page read and write

158F000

heap

page read and write

11CF000

stack

page read and write

147D000

heap

page read and write

2D90000

direct allocation

page read and write

3101000

heap

page read and write

21B0000

heap

page read and write

15F8000

heap

page read and write

1C0E000

stack

page read and write

3EC0000

direct allocation

page read and write

B2E000

unkown

page readonly

15E7000

heap

page read and write

3D20000

direct allocation

page read and write

147D000

heap

page read and write

B0D000

unkown

page readonly

15B3000

heap

page read and write

403D000

direct allocation

page read and write

352D000

heap

page read and write

15CE000

heap

page read and write

32FF000

stack

page read and write

15C3000

heap

page read and write

3005000

heap

page read and write

2E13000

heap

page read and write

3490000

direct allocation

page read and write

1676000

heap

page read and write

149D000

heap

page read and write

2E13000

heap

page read and write

3FE9000

direct allocation

page read and write

3942000

direct allocation

page execute and read and write

2E13000

heap

page read and write

1600000

heap

page read and write

1564000

heap

page read and write

2DCE000

stack

page read and write

1588000

heap

page read and write

3E93000

direct allocation

page read and write

3400000

heap

page read and write

1594000

heap

page read and write

There are 251 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
PO#38595.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPO#38595.exe

Files

Processes

Memdumps

IOC Report
PO#38595.exe