Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Set-up.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	2.783791186500191
Filename:	Set-up.exe
Filesize:	9979392
MD5:	d9bdb4ba2a45c67f4da4e431ff988605
SHA1:	4cdd27ca0a92a35e5eea6e588422339bdd9b05ba
SHA256:	9e61196ade3f31620d62422741e66bd19f0bd4744e2f6a5f8a2481cfb8f9b9d9
SHA512:	158db8f37207b0e33738dee684247f1feed9cadabdc64e5edd0aad1525a58419e4f5944b71197aac9d1d4e398f4467b3d92f54459ebacdb02ad51ba3a0efe906
SSDEEP:	49152:nrKPo82V5LYBuqHcnifzmg3I+ajuxueO63nsk0FAIp5a2GWPi/LbLo4xBxh:nrKw8qJYuq8xH+aj
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-..f...............(..,..B...............0,...@.................................2.....@... ......................0..B..

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Drops large PE files	System Summary
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains sections with non-standard names	Data Obfuscation
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	Native API
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\service123.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\service123.exe
Category:	dropped
Dump:	service123.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Set-up.exe
Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	0.0023405998898324786
Encrypted:	false
Size:	314617856
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Native API
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to register its own exception handler	Anti Debugging
Creates mutexes	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\HXocObpYbsjxnCpoVLwZ.dll

PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\HXocObpYbsjxnCpoVLwZ.dll
Category:	dropped
Dump:	HXocObpYbsjxnCpoVLwZ.dll.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Set-up.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	0.05435888001096333
Encrypted:	false
Ssdeep:	24576:FDEHgBO/vtLYgCIPScl78IsBDIhTb8EWDnflTfknVz0rIQldVE:EMIN3WDnxf6Vo1ldVE
Size:	315803136
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Set-up.exe

"C:\Users\user\Desktop\Set-up.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7100
Target ID:	0
Parent PID:	2580
Name:	Set-up.exe
Path:	C:\Users\user\Desktop\Set-up.exe
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Size:	9979392
MD5:	D9BDB4BA2A45C67F4DA4E431FF988605
Time:	18:45:07
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x440000
Modulesize:	10010624
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Yara detected Cryptbot	Stealing of Sensitive Information, Remote Access Functionality
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\service123.exe

"C:\Users\user\AppData\Local\Temp\service123.exe"

Details

Is windows:	false
Is dropped:	true
PID:	332
Target ID:	4
Parent PID:	7100
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Size:	314617856
MD5:	374EA50194727C58BB86AD240B785CB6
Time:	18:46:07
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x6f0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Details

Is windows:	true
Is dropped:	false
PID:	1216
Target ID:	5
Parent PID:	7100
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	18:46:07
Date:	28/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xf20000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\/service123.exe

Details

Is windows:	false
Is dropped:	true
PID:	3428
Target ID:	7
Parent PID:	1044
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Size:	314617856
MD5:	374EA50194727C58BB86AD240B785CB6
Time:	18:46:09
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff72bec0000
Modulesize:	135168
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\/service123.exe

Details

Is windows:	false
Is dropped:	true
PID:	2596
Target ID:	9
Parent PID:	1044
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Size:	314617856
MD5:	374EA50194727C58BB86AD240B785CB6
Time:	18:47:02
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x6f0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3512
Target ID:	6
Parent PID:	1216
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	18:46:07
Date:	28/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

@elevenvh11pt.top

analforeverlovyu.top

11pt.top

elevenvh11pt.top

+elevenvh11pt.top

https://ac.ecosia.org/autocomplete?q=

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://gcc.gnu.org/bugs/):

unknown

http://elevenvh11pt.top/v1/upload.phpP

unknown

https://duckduckgo.com/ac/?q=

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

http://elevenvh11pt.top/v1/upload.php

unknown

https://serviceupdate32.com/update

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://www.ecosia.org/newtab/

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

There are 8 hidden URLs, click here to show them.

Domains

Name

Malicious

elevenvh11pt.top

185.244.181.140

Details

Name:	elevenvh11pt.top
IP:	185.244.181.140
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

185.244.181.140

elevenvh11pt.top

Russian Federation

Details

IP:	185.244.181.140
TargetID:	0
Current Path:	C:\Users\user\Desktop\Set-up.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	44901
ASN name:	BELCLOUDBG
Private:	false
Domain:	elevenvh11pt.top

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

3F99000

heap

page read and write

D79F000

heap

page read and write

369F000

heap

page read and write

36C8000

heap

page read and write

142F000

heap

page read and write

6FA000

unkown

page readonly

6F0000

unkown

page readonly

440000

unkown

page readonly

3685000

heap

page read and write

1A30000

heap

page read and write

D6C6000

heap

page read and write

6F1000

unkown

page execute read

12D0000

heap

page read and write

36A1000

heap

page read and write

FBC000

stack

page read and write

F00000

heap

page read and write

441000

unkown

page execute read

6F0000

unkown

page readonly

5B0000

heap

page read and write

6FE000

unkown

page write copy

31DF000

unkown

page read and write

1455000

heap

page read and write

A4A000

unkown

page read and write

1B1F000

stack

page read and write

6FA000

unkown

page readonly

325F000

stack

page read and write

12B0000

heap

page read and write

E80000

heap

page read and write

D760000

heap

page read and write

703000

unkown

page write copy

1A34000

heap

page read and write

D0A000

unkown

page read and write

E8E000

heap

page read and write

3673000

heap

page read and write

701000

unkown

page readonly

1438000

heap

page read and write

146D000

heap

page read and write

321E000

stack

page read and write

5DC000

stack

page read and write

12D5000

heap

page read and write

6F1000

unkown

page execute read

16EE000

stack

page read and write

1A1E000

stack

page read and write

14B0000

heap

page read and write

141A000

heap

page read and write

36CD000

heap

page read and write

36E1000

heap

page read and write

13EE000

stack

page read and write

CE0000

heap

page read and write

14A0000

heap

page read and write

42BF000

stack

page read and write

1460000

heap

page read and write

147F000

heap

page read and write

1464000

heap

page read and write

3060000

heap

page read and write

40BE000

stack

page read and write

145F000

heap

page read and write

A50000

unkown

page read and write

36C8000

heap

page read and write

805000

unkown

page read and write

1450000

heap

page read and write

1450000

heap

page read and write

A58000

unkown

page read and write

36D4000

heap

page read and write

36A1000

heap

page read and write

36C3000

heap

page read and write

36E0000

heap

page read and write

670000

heap

page read and write

1425000

heap

page read and write

13F0000

heap

page read and write

600000

heap

page read and write

364C000

heap

page read and write

1473000

heap

page read and write

E7A000

stack

page read and write

3590000

heap

page read and write

1257000

stack

page read and write

144F000

heap

page read and write

363A000

heap

page read and write

D8D4000

heap

page read and write

3629000

heap

page read and write

306A000

heap

page read and write

36C8000

heap

page read and write

1450000

heap

page read and write

EE0000

heap

page read and write

701000

unkown

page readonly

6FE000

unkown

page read and write

6FE000

unkown

page write copy

146E000

heap

page read and write

105B000

stack

page read and write

844000

unkown

page read and write

D84000

unkown

page write copy

36A4000

heap

page read and write

6F0000

unkown

page readonly

35D0000

heap

page read and write

6C3E8000

unkown

page readonly

620000

heap

page read and write

6F0000

unkown

page readonly

440000

unkown

page readonly

D3E6000

heap

page read and write

3F5F000

stack

page read and write

6FE000

unkown

page read and write

36CE000

heap

page read and write

3620000

heap

page read and write

3670000

heap

page read and write

640000

heap

page read and write

36DA000

heap

page read and write

13FA000

heap

page read and write

CF0000

heap

page read and write

36CD000

heap

page read and write

D87000

unkown

page readonly

145E000

stack

page read and write

19DE000

stack

page read and write

12C0000

heap

page read and write

319E000

unkown

page read and write

701000

unkown

page readonly

1910000

heap

page read and write

3675000

heap

page read and write

3621000

heap

page read and write

36A1000

heap

page read and write

A4C000

unkown

page read and write

172E000

stack

page read and write

6F0000

unkown

page readonly

33F0000

heap

page read and write

6C39D000

unkown

page read and write

391D000

stack

page read and write

1253000

stack

page read and write

D75000

unkown

page readonly

143C000

heap

page read and write

35DA000

heap

page read and write

6C2C0000

unkown

page readonly

6C39F000

unkown

page readonly

9C9000

unkown

page read and write

3D5E000

stack

page read and write

42FC000

stack

page read and write

6FA000

unkown

page readonly

E3D000

stack

page read and write

6C3E9000

unkown

page read and write

123D000

stack

page read and write

CE7000

heap

page read and write

6F0000

unkown

page readonly

1425000

heap

page read and write

1455000

heap

page read and write

6F1000

unkown

page execute read

703000

unkown

page read and write

701000

unkown

page readonly

6FA000

unkown

page readonly

6C3EC000

unkown

page readonly

441000

unkown

page execute read

1410000

heap

page read and write

3621000

heap

page read and write

D767000

heap

page read and write

15C0000

heap

page read and write

149E000

stack

page read and write

A5A000

unkown

page read and write

36C8000

heap

page read and write

6FE000

unkown

page read and write

6FA000

unkown

page readonly

D84000

unkown

page read and write

DE6E000

heap

page read and write

6FE000

unkown

page write copy

36CD000

heap

page read and write

BFC000

stack

page read and write

3F70000

remote allocation

page read and write

55C000

stack

page read and write

A6B000

unkown

page read and write

3678000

heap

page read and write

192E000

stack

page read and write

630000

heap

page read and write

3F70000

remote allocation

page read and write

36D3000

heap

page read and write

6FA000

unkown

page readonly

369F000

heap

page read and write

D87000

unkown

page readonly

3621000

heap

page read and write

1A35000

heap

page read and write

1460000

heap

page read and write

D20000

heap

page read and write

A09000

unkown

page read and write

141F000

heap

page read and write

3621000

heap

page read and write

363E000

heap

page read and write

AC9000

unkown

page read and write

EF0000

heap

page read and write

BFC000

stack

page read and write

36CF000

heap

page read and write

A53000

unkown

page read and write

A66000

unkown

page read and write

D750000

heap

page read and write

1940000

heap

page read and write

3690000

heap

page read and write

1473000

heap

page read and write

1239000

stack

page read and write

3F70000

remote allocation

page read and write

13FE000

heap

page read and write

6F1000

unkown

page execute read

6C2C1000

unkown

page execute read

368B000

heap

page read and write

146C000

heap

page read and write

1438000

heap

page read and write

3B1E000

stack

page read and write

14B4000

heap

page read and write

44FC000

stack

page read and write

36CF000

heap

page read and write

D75000

unkown

page readonly

E8A000

heap

page read and write

199D000

stack

page read and write

13FC000

stack

page read and write

701000

unkown

page readonly

368B000

heap

page read and write

701000

unkown

page readonly

189F000

stack

page read and write

6F1000

unkown

page execute read

14B7000

heap

page read and write

36DA000

heap

page read and write

3D1F000

stack

page read and write

6F1000

unkown

page execute read

1455000

heap

page read and write

There are 207 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Set-up.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSet-up.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Set-up.exe