Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

d3r1KVj317.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.646661372611354
Filename:	d3r1KVj317.exe
Filesize:	5066752
MD5:	d5062f9d7dcb69516a2d2af3fb5a0c8d
SHA1:	5991f840b94f7855262e4f85ee3bc2faf1a72a9e
SHA256:	abf5bda7c2cf8a0f7b57b9e0abecee531818144c30d0f11a68b794cd2c3a6371
SHA512:	4d7d926e31ea2eb75e61d2e40e09dea3944a67195b245818aa450baf8e3d9983b5e7583726a65b386566d3a8dd0abc93be2576c4467dc78abfcc9a3dd24cbe8b
SSDEEP:	98304:ApyetVxRosZ4Y113f7MhfJBx/FqZVUzSnGYqdwkLcHHnit:ApyetVxRosZBXmjjAny
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$............u...u...u...j...u...j...u..8i...u...i...u..<i...u...j...u..8}...u...u..pw...j...u...S..gu...S..(u..Sj..>u..Sj...u...u...u.

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Contains functionality to call native functions	System Summary
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Masquerading Application Window Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
Found evasive API chain (date check)	Malware Analysis System Evasion
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to query windows version	Language, Device and Operating System Detection
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Reads ini files	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Writes ini files	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary
Found window with many clickable UI elements (buttons, textforms, scrollbars etc)	System Summary
Executable creates window controls seldom found in malware	System Summary

C:\Users\user\Desktop\Config.ini

ISO-8859 text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\Desktop\Config.ini
Category:	dropped
Dump:	Config.ini.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\d3r1KVj317.exe
Type:	ISO-8859 text, with CRLF line terminators
Entropy:	5.783477328385473
Encrypted:	false
Ssdeep:	3:pJKAKV6rFI/VCzY2lpgXiZVNXa7aftISbJuok2ubmJkPbmrvh2gtTE7bYU2/OUtG:pEAKVW82nsSVlUEqAklJb4UN7b5tUqjv
Size:	254
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Reads ini files	System Summary	File and Directory Discovery
Writes ini files	System Summary	File and Directory Discovery

C:\Users\user\Desktop\SkinH_EL.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed

dropped

Details

File:	C:\Users\user\Desktop\SkinH_EL.dll
Category:	dropped
Dump:	SkinH_EL.dll.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\d3r1KVj317.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy:	7.934132664312091
Encrypted:	false
Ssdeep:	1536:s5Np2dgZgIehUUS3E1Ujmrvl179D53UWnGQRJZiXRmrCnKptnouy8K:s5Np2dlUX0+Cx17F8QRJZKmOK3outK
Size:	88576
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\d3r1KVj317.exe

"C:\Users\user\Desktop\d3r1KVj317.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5596
Target ID:	0
Parent PID:	4084
Name:	d3r1KVj317.exe
Path:	C:\Users\user\Desktop\d3r1KVj317.exe
Commandline:	"C:\Users\user\Desktop\d3r1KVj317.exe"
Size:	5066752
MD5:	D5062F9D7DCB69516A2D2AF3FB5A0C8D
Time:	05:29:46
Date:	27/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	5451776
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

http://112.74.185.5/3R%E6%8A%80%E6%9C%AF.exe

unknown

http://www.eyuyan.com)DVarFileInfo$

unknown

http://api.ttshitu.com/predict

unknown

http://api.ttshitu.com/predictto16unfunction

unknown

IPs

Domain

Country

Malicious

112.74.185.5

unknown

China

Details

IP:	112.74.185.5
TargetID:	0
Current Path:	C:\Users\user\Desktop\d3r1KVj317.exe
Country:	China
Countrycode:	CHN
ASN number:	37963
ASN name:	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib

1280x1024x32(BGR 0)

Memdumps

Base Address

Regiontype

Protect

Malicious

401000

unkown

page execute read

897000

unkown

page write copy

92C000

unkown

page readonly

2725000

heap

page read and write

2D5E000

stack

page read and write

8A3000

unkown

page write copy

CD2000

heap

page read and write

6AE000

unkown

page readonly

A37000

heap

page read and write

CA3000

heap

page read and write

4680000

trusted library allocation

page read and write

2620000

heap

page read and write

BF0000

heap

page read and write

90F000

unkown

page readonly

287B000

heap

page read and write

8B0000

unkown

page write copy

50BF000

stack

page read and write

2A60000

trusted library allocation

page read and write

C5D000

heap

page read and write

400000

unkown

page readonly

2B9F000

stack

page read and write

4300000

heap

page read and write

1002C000

unkown

page execute and read and write

BD0000

heap

page read and write

6AE000

unkown

page readonly

8B0000

unkown

page read and write

78B000

unkown

page readonly

CC0000

heap

page read and write

287F000

heap

page read and write

C55000

heap

page read and write

10001000

unkown

page execute and read and write

8AC000

unkown

page read and write

400000

unkown

page readonly

C5D000

heap

page read and write

296C000

heap

page read and write

2A60000

trusted library allocation

page read and write

2854000

heap

page read and write

A35000

heap

page read and write

1003A000

unkown

page execute and write copy

ACE000

stack

page read and write

8A7000

unkown

page write copy

2670000

heap

page read and write

76D000

unkown

page readonly

430D000

heap

page read and write

C61000

heap

page read and write

A20000

heap

page read and write

2A60000

trusted library allocation

page read and write

CD6000

heap

page read and write

940000

heap

page read and write

893000

unkown

page write copy

C60000

heap

page read and write

C68000

heap

page read and write

2A60000

trusted library allocation

page read and write

1003C000

unkown

page read and write

2850000

heap

page read and write

BFA000

heap

page read and write

91D000

unkown

page readonly

286E000

heap

page read and write

92000

stack

page read and write

2A60000

trusted library allocation

page read and write

2A9C000

stack

page read and write

907000

unkown

page read and write

CCE000

heap

page read and write

2860000

heap

page read and write

895000

unkown

page read and write

4FBE000

stack

page read and write

78B000

unkown

page readonly

4F7F000

stack

page read and write

8A6000

unkown

page read and write

2961000

heap

page read and write

19B000

stack

page read and write

2A60000

trusted library allocation

page read and write

C9C000

heap

page read and write

2A60000

trusted library allocation

page read and write

8A2000

unkown

page read and write

10030000

unkown

page execute and read and write

C60000

heap

page read and write

BE0000

heap

page read and write

893000

unkown

page write copy

2A60000

trusted library allocation

page read and write

401000

unkown

page execute read

BFE000

heap

page read and write

A30000

heap

page read and write

90F000

unkown

page readonly

C60000

heap

page read and write

C61000

heap

page read and write

90D000

unkown

page read and write

2A60000

trusted library allocation

page read and write

2720000

heap

page read and write

C50000

heap

page read and write

2700000

heap

page read and write

10000000

unkown

page readonly

91D000

unkown

page readonly

DEF000

stack

page read and write

76D000

unkown

page readonly

8BD000

unkown

page read and write

2960000

heap

page read and write

10038000

unkown

page execute and read and write

92C000

unkown

page readonly

There are 89 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
d3r1KVj317.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportd3r1KVj317.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
d3r1KVj317.exe