Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

WhaleInstall.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.280145849104129
Filename:	WhaleInstall.exe
Filesize:	3441498
MD5:	5a5561786e2e4c8c92cad6456fc31c95
SHA1:	b7bd1dc72a2a4e2549ed729e941823af7e9caa03
SHA256:	4243144d5f46c335811d13d712cf53070d3add5876395253df7520903551d138
SHA512:	a313970dc82e1f9fcc8a8fb8c083a0e86e0dd57769abbe862996656f98d3a427d0ae0c9dfbb34864cf2634546b5b7fb92ddd14cc2d8f27055fa08c8af97f7106
SSDEEP:	98304:Grbe8rxB0OzBeuWbHjX7vvZ9ZEm0qRttZYtQ:OwvZ9Z/
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....f.f.r..8.....&....*.2.......".............@.............................p......v.4...`... ............................

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information Security Software Discovery
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE / OLE file has an invalid certificate	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\guardservice[1].exe

PE32 executable (GUI) Intel 80386, for MS Windows

modified

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\guardservice[1].exe
Category:	modified
Dump:	guardservice[1].exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\WhaleInstall.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.08552684521388
Encrypted:	false
Ssdeep:	6144:UNAUAhuQ/F+H0iJWrRju5Vn7Ioppea+GGwZ+RzeRCPGMer5v:UNAeQ/FSTE/oXBRV5v
Size:	307200
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\Desktop\record_hit.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\Desktop\record_hit.exe
Category:	dropped
Dump:	record_hit.exe.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\WhaleInstall.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.08552684521388
Encrypted:	false
Ssdeep:	6144:UNAUAhuQ/F+H0iJWrRju5Vn7Ioppea+GGwZ+RzeRCPGMer5v:UNAeQ/FSTE/oXBRV5v
Size:	307200
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Machine Learning detection for dropped file	AV Detection
Contains functionality to call native functions	System Summary
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to delete services	System Summary	Windows Service Service Execution
Contains functionality to enumerate running services	Malware Analysis System Evasion	System Service Discovery
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to create services	System Summary	Windows Service
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to modify services (start/stop/modify)	System Summary	Windows Service Service Execution
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to start windows services	Boot Survival	Service Execution
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\WhaleInstall.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.8400832519721106
Encrypted:	false
Ssdeep:	3:cVJDAmWQGXW6Dr:yJpmNr
Size:	36
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\record_hit.exe

"C:\Users\user\Desktop\record_hit.exe"

Details

Is windows:	false
Is dropped:	true
PID:	5532
Target ID:	3
Parent PID:	3608
Name:	record_hit.exe
Path:	C:\Users\user\Desktop\record_hit.exe
Commandline:	"C:\Users\user\Desktop\record_hit.exe"
Size:	307200
MD5:	2D5F648D414ED7303D00D43ACBF4F315
Time:	15:28:56
Date:	31/08/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	372736
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Users\user\Desktop\WhaleInstall.exe

"C:\Users\user\Desktop\WhaleInstall.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3608
Target ID:	0
Parent PID:	1028
Name:	WhaleInstall.exe
Path:	C:\Users\user\Desktop\WhaleInstall.exe
Commandline:	"C:\Users\user\Desktop\WhaleInstall.exe"
Size:	3441498
MD5:	5A5561786E2E4C8C92CAD6456FC31C95
Time:	15:28:52
Date:	31/08/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff772a60000
Modulesize:	1798144
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
PE / OLE file has an invalid certificate	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4788
Target ID:	1
Parent PID:	3608
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	15:28:52
Date:	31/08/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://www.kenesrakishevinfo.com

unknown

https://www.kenesrakishevinfo.com/

unknown

https://www.kenesrakishevinfo.comReferer:

unknown

https://www.kenesrakishevinfo.com/api/census/RecordHit

198.185.159.144

https://www.kenesrakishevinfo.com/f

unknown

https://www.kenesrakishevinfo.com/l

unknown

https://www.kenesrakishevinfo.com/api/census/RecordHitsuccess://record_hit.exerunas(X

unknown

http://127.0.0.1:8888/test

unknown

http://www.eyuyan.com)DVarFileInfo$

unknown

http://127.0.0.1:8888/testtestMozilla/5.0

unknown

https://file.znhds.com.cn/pd/update/Update.exeD:

unknown

https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/store_app/guardservice.exe

159.75.57.69

https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/

unknown

https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/k

unknown

https://file.znhds.com.cn/pd/update/Update.exe

unknown

https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/store_app/guardservice.exe1

unknown

https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/store_app/guardservice.exe0

unknown

http://whale.naver.com0

unknown

There are 8 hidden URLs, click here to show them.

Domains

Name

Malicious

ext-sq.squarespace.com

198.185.159.144

gz.file.myqcloud.com

159.75.57.69

www.kenesrakishevinfo.com

unknown

Details

Name:	www.kenesrakishevinfo.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

sgz-1302338321.cos.ap-guangzhou.myqcloud.com

unknown

Details

Name:	sgz-1302338321.cos.ap-guangzhou.myqcloud.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

198.185.159.144

ext-sq.squarespace.com

United States

Details

IP:	198.185.159.144
TargetID:	0
Current Path:	C:\Users\user\Desktop\WhaleInstall.exe
Country:	United States
Countrycode:	USA
ASN number:	53831
ASN name:	SQUARESPACEUS
Private:	false
Domain:	ext-sq.squarespace.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

159.75.57.69

gz.file.myqcloud.com

China

Details

IP:	159.75.57.69
TargetID:	0
Current Path:	C:\Users\user\Desktop\WhaleInstall.exe
Country:	China
Countrycode:	CHN
ASN number:	1257
ASN name:	TELE2EU
Private:	false
Domain:	gz.file.myqcloud.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

2AA289C8000

heap

page read and write

7FF772C04000

unkown

page readonly

42A000

unkown

page read and write

BCFE3F7000

stack

page read and write

2AA289C0000

heap

page read and write

2AA289B0000

remote allocation

page read and write

680000

heap

page read and write

2AA26D16000

heap

page read and write

BCFEDFB000

stack

page read and write

7FF772A61000

unkown

page execute read

2AA28C50000

heap

page read and write

7FF772B6E000

unkown

page write copy

42F000

unkown

page write copy

570000

heap

page read and write

2AA26CCD000

heap

page read and write

2AA26C97000

heap

page read and write

400000

unkown

page readonly

7FF772B6F000

unkown

page write copy

2AA26C00000

heap

page read and write

7FF772B6B000

unkown

page read and write

68A000

heap

page read and write

2AA26C9B000

heap

page read and write

2AA26E55000

heap

page read and write

433000

unkown

page write copy

BCFF1FD000

stack

page read and write

9D000

stack

page read and write

BCFF3FF000

stack

page read and write

2AA26C55000

heap

page read and write

BCFEBFB000

stack

page read and write

7FF772B35000

unkown

page write copy

BCFE9FF000

stack

page read and write

2AA26C81000

heap

page read and write

7FF772A60000

unkown

page readonly

2AA26CF2000

heap

page read and write

42F000

unkown

page write copy

433000

unkown

page write copy

BCFEFFF000

stack

page read and write

540000

heap

page read and write

2AA26E50000

heap

page read and write

400000

unkown

page readonly

7FF772C04000

unkown

page readonly

7FF772B39000

unkown

page readonly

2AA26CCB000

heap

page read and write

2AA26CEA000

heap

page read and write

7FF772B37000

unkown

page write copy

2AA26CEA000

heap

page read and write

2AA289C1000

heap

page read and write

460000

heap

page read and write

2AA26CCD000

heap

page read and write

2AA26CCD000

heap

page read and write

2AA289D5000

heap

page read and write

401000

unkown

page execute read

7FF772B39000

unkown

page readonly

2AA26C08000

heap

page read and write

19D000

stack

page read and write

42B000

unkown

page readonly

401000

unkown

page execute read

7FF772B72000

unkown

page readonly

7FF772A61000

unkown

page execute read

2AA289DC000

heap

page read and write

2AA26BC0000

heap

page read and write

2AA26CA3000

heap

page read and write

2AA289B0000

remote allocation

page read and write

2AA289B0000

remote allocation

page read and write

7FF772B6E000

unkown

page read and write

2AA26BA0000

heap

page read and write

42A000

unkown

page readonly

2AA26CCB000

heap

page read and write

7FF772A60000

unkown

page readonly

444000

unkown

page readonly

7FF772B35000

unkown

page read and write

7FF772B72000

unkown

page readonly

68E000

heap

page read and write

2AA26CF5000

heap

page read and write

444000

unkown

page readonly

2AA26AC0000

heap

page read and write

2AA26CCB000

heap

page read and write

2AA26C8C000

heap

page read and write

There are 68 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
WhaleInstall.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportWhaleInstall.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
WhaleInstall.exe