Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Set-up.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.6236305211780095
Filename:	Set-up.exe
Filesize:	6614719
MD5:	ff8b81c5bdbb09987a4ed216ae0010c2
SHA1:	1d5edf417a676e8e04a69dd94dac6a2a934cdfa6
SHA256:	d6a055bee4a39f5879ff522099df86cd0a0001228cac589b3f07449a5a822fef
SHA512:	9bad1fed2170e923e65f57e8ccbbfbe33fd8f01423469fa8e3d7a4c93c8c97fb84ea98df33901a11fdf8915dc7d9955046faf5c4f9ccf38d8606ccc2b91615fe
SSDEEP:	49152:4pVubXslypSy5wT96CHhbhiwOfHLaorKt5LJ8Vx2jaV9hIaDzNZMV/tIsQ:/jazH7iwOf/rKt38VC49hIMrMH5Q
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..^..&.........#.fG...Y...f...........G...@...................................e....... .........................B..

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Drops large PE files	System Summary
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection
Uses 32bit PE files	Compliance, System Summary	Masquerading
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\service123.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\service123.exe
Category:	dropped
Dump:	service123.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Set-up.exe
Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	0.0021512794930136233
Encrypted:	false
Size:	314613760
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Native API
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to register its own exception handler	Anti Debugging
Creates mutexes	System Summary
Creates temporary files	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\ehMlFMzYcqQvKbiEUyBC.dll

PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\ehMlFMzYcqQvKbiEUyBC.dll
Category:	dropped
Dump:	ehMlFMzYcqQvKbiEUyBC.dll.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Set-up.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	0.05300296695813313
Encrypted:	false
Ssdeep:	24576:rvFnL2romyzEHeDRuO1Q1tc5P3mt/a+qqMOO:rvI+DRuOOEy/a+q
Size:	315771904
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Set-up.exe

"C:\Users\user\Desktop\Set-up.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7328
Target ID:	0
Parent PID:	2580
Name:	Set-up.exe
Path:	C:\Users\user\Desktop\Set-up.exe
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Size:	6614719
MD5:	FF8B81C5BDBB09987A4ED216AE0010C2
Time:	18:08:58
Date:	27/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	12967936
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Yara detected Cryptbot	Stealing of Sensitive Information, Remote Access Functionality
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\service123.exe

"C:\Users\user\AppData\Local\Temp\service123.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7856
Target ID:	4
Parent PID:	7328
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Size:	314613760
MD5:	62CC0B5676AC91389084FEE3D683DC68
Time:	18:09:58
Date:	27/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x4b0000
Modulesize:	69632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Details

Is windows:	true
Is dropped:	false
PID:	7876
Target ID:	5
Parent PID:	7328
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	18:09:58
Date:	27/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x130000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\/service123.exe

Details

Is windows:	false
Is dropped:	true
PID:	7936
Target ID:	7
Parent PID:	1044
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Size:	314613760
MD5:	62CC0B5676AC91389084FEE3D683DC68
Time:	18:10:01
Date:	27/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x4b0000
Modulesize:	69632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\/service123.exe

Details

Is windows:	false
Is dropped:	true
PID:	4432
Target ID:	9
Parent PID:	1044
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Size:	314613760
MD5:	62CC0B5676AC91389084FEE3D683DC68
Time:	18:11:01
Date:	27/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x4b0000
Modulesize:	69632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7884
Target ID:	6
Parent PID:	7876
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	18:09:59
Date:	27/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

analforeverlovyu.top

+twelvevh12pt.top

twelvevh12pt.top

https://ac.ecosia.org/autocomplete?q=

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://gcc.gnu.org/bugs/):

unknown

https://duckduckgo.com/ac/?q=

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

http://twelvevh12pt.top/v1/upload.php&&

unknown

https://serviceupdate32.com/update

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

http://twelvevh12pt.top/v1/upload.php

unknown

https://www.ecosia.org/newtab/

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

http://twelvevh12pt.top/

unknown

There are 7 hidden URLs, click here to show them.

Domains

Name

Malicious

twelvevh12pt.top

185.244.181.140

Details

Name:	twelvevh12pt.top
IP:	185.244.181.140
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

185.244.181.140

twelvevh12pt.top

Russian Federation

Details

IP:	185.244.181.140
TargetID:	0
Current Path:	C:\Users\user\Desktop\Set-up.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	44901
ASN name:	BELCLOUDBG
Private:	false
Domain:	twelvevh12pt.top

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

3E34000

heap

page read and write

131F000

heap

page read and write

31DA000

heap

page read and write

31C3000

heap

page read and write

3183000

heap

page read and write

87A000

unkown

page readonly

31CF000

heap

page read and write

D650000

heap

page read and write

467C000

stack

page read and write

31A4000

heap

page read and write

15FE000

stack

page read and write

4B0000

unkown

page readonly

D28C000

heap

page read and write

447C000

stack

page read and write

401000

unkown

page execute read

4BD000

unkown

page write copy

C7F000

unkown

page read and write

F13000

unkown

page read and write

31E0000

heap

page read and write

100000

heap

page read and write

3ADF000

stack

page read and write

DB0000

heap

page read and write

401000

unkown

page execute read

132A000

heap

page read and write

131F000

heap

page read and write

401000

unkown

page execute read

105000

heap

page read and write

1329000

heap

page read and write

3FFE000

stack

page read and write

878000

unkown

page write copy

CFF000

unkown

page read and write

132E000

heap

page read and write

4BA000

unkown

page readonly

1309000

heap

page read and write

4B1000

unkown

page execute read

443F000

stack

page read and write

4C0000

unkown

page readonly

11FC000

stack

page read and write

F30000

unkown

page readonly

1319000

heap

page read and write

400000

unkown

page readonly

4B1000

unkown

page execute read

C57000

heap

page read and write

4C0000

unkown

page readonly

F2D000

unkown

page read and write

1339000

heap

page read and write

365E000

stack

page read and write

130B000

heap

page read and write

12CA000

heap

page read and write

F0000

heap

page read and write

17A0000

heap

page read and write

4BD000

unkown

page read and write

3120000

heap

page read and write

3129000

heap

page read and write

4B1000

unkown

page execute read

6C413000

unkown

page readonly

31CD000

heap

page read and write

B96000

unkown

page read and write

D3E000

unkown

page read and write

131C000

heap

page read and write

1674000

heap

page read and write

1334000

heap

page read and write

4B0000

unkown

page readonly

31A1000

heap

page read and write

7AC000

stack

page read and write

1333000

heap

page read and write

D0C000

stack

page read and write

1660000

remote allocation

page read and write

1660000

remote allocation

page read and write

4B0000

unkown

page readonly

12C0000

heap

page read and write

12A0000

heap

page read and write

D60000

heap

page read and write

41FF000

stack

page read and write

AC2000

unkown

page read and write

4BA000

unkown

page readonly

D569000

heap

page read and write

389F000

stack

page read and write

9FD000

stack

page read and write

C50000

heap

page read and write

341D000

stack

page read and write

6C2F1000

unkown

page execute read

301F000

stack

page read and write

369E000

stack

page read and write

87A000

unkown

page readonly

C70000

heap

page read and write

31CF000

heap

page read and write

6C410000

unkown

page read and write

D6A0000

heap

page read and write

319F000

heap

page read and write

4B0000

unkown

page readonly

314C000

heap

page read and write

A00000

heap

page read and write

8BF000

unkown

page read and write

31C8000

heap

page read and write

AC0000

heap

page read and write

4C0000

unkown

page readonly

BFF000

unkown

page read and write

C8E000

unkown

page read and write

878000

unkown

page read and write

C9B000

unkown

page read and write

4B1000

unkown

page execute read

B02000

unkown

page read and write

3110000

heap

page read and write

D6AA000

heap

page read and write

4B1000

unkown

page execute read

313E000

heap

page read and write

D6E000

heap

page read and write

1E0000

heap

page read and write

345D000

stack

page read and write

C89000

unkown

page read and write

3121000

heap

page read and write

12E8000

heap

page read and write

31C8000

heap

page read and write

3121000

heap

page read and write

4BD000

unkown

page read and write

C90000

unkown

page read and write

12F3000

heap

page read and write

1390000

heap

page read and write

6C2F0000

unkown

page readonly

D860000

heap

page read and write

4BA000

unkown

page readonly

4C0000

unkown

page readonly

31D0000

heap

page read and write

1670000

heap

page read and write

D867000

heap

page read and write

1253000

stack

page read and write

4B0000

unkown

page readonly

318B000

heap

page read and write

D85E000

stack

page read and write

15BF000

stack

page read and write

BFC000

stack

page read and write

12CE000

heap

page read and write

1336000

heap

page read and write

308E000

stack

page read and write

3179000

heap

page read and write

CA1000

unkown

page read and write

F2D000

unkown

page write copy

3190000

heap

page read and write

C00000

heap

page read and write

313A000

heap

page read and write

400000

unkown

page readonly

4BD000

unkown

page write copy

1070000

heap

page read and write

D60000

heap

page read and write

6C3C9000

unkown

page readonly

4B0000

unkown

page readonly

DC0000

heap

page read and write

163E000

stack

page read and write

31CD000

heap

page read and write

879000

unkown

page write copy

31DA000

heap

page read and write

38DE000

stack

page read and write

4BD000

unkown

page read and write

55C000

stack

page read and write

31A1000

heap

page read and write

31C4000

heap

page read and write

D77A000

heap

page read and write

1306000

heap

page read and write

1397000

heap

page read and write

318B000

heap

page read and write

31E1000

heap

page read and write

C81000

unkown

page read and write

4BA000

unkown

page readonly

1660000

remote allocation

page read and write

9B000

stack

page read and write

31CD000

heap

page read and write

1239000

stack

page read and write

DDB1000

heap

page read and write

D89F000

heap

page read and write

1675000

heap

page read and write

4BA000

unkown

page readonly

124F000

stack

page read and write

1400000

heap

page read and write

31A1000

heap

page read and write

6C3C7000

unkown

page read and write

137F000

heap

page read and write

C10000

heap

page read and write

131F000

heap

page read and write

4BD000

unkown

page write copy

316F000

heap

page read and write

31D3000

heap

page read and write

3121000

heap

page read and write

4B1000

unkown

page execute read

31D4000

heap

page read and write

4C0000

unkown

page readonly

423E000

stack

page read and write

D6A000

heap

page read and write

F30000

unkown

page readonly

4BA000

unkown

page readonly

129E000

stack

page read and write

319F000

heap

page read and write

132A000

heap

page read and write

C85000

unkown

page read and write

6C40F000

unkown

page readonly

31C8000

heap

page read and write

132E000

heap

page read and write

5B0000

heap

page read and write

31C8000

heap

page read and write

4C0000

unkown

page readonly

1331000

heap

page read and write

There are 191 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Set-up.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSet-up.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Set-up.exe