Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy:	7.826948759100624
Filename:	file.exe
Filesize:	1675264
MD5:	3d6cf2933284333f5d945c062bffcd2b
SHA1:	deb8e888fcea2139a0f91a7a87386c086b71b134
SHA256:	b3058d02ea8c370311e612bd4916e05c8c909b110d3f2c588073c59b2105dba5
SHA512:	2fc2aa55e05740eba7c8de7c686071a6d6f47a0997d722408c902dce860948e5fc5cbf4e94b788c22120336b00adec58582b4c6f5d6439f6b54da77839351cb0
SSDEEP:	49152:Zc2/wgEeoVOwjL4aCd/JajeU8PrbS6rgSvkW:CgEdIi4p/J60d
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........>...m...m...m...m...m...m#..m...m...m...m...m...mh..m...m...m...m...m...m...m...m...mRich...m................PE..L......Z...

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to register a low level keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Virtualization/Sandbox Evasion
Sample or dropped binary is a compiled AutoHotkey binary	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Masquerading Security Software Discovery Application Window Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion	Masquerading
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion	Security Software Discovery
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
PE file contains executable resources (Code or Archives)	System Summary
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Security Software Discovery
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)	Malware Analysis System Evasion
Contains functionality for error logging	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary	Security Software Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Executes visual basic scripts	System Summary	Scripting
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary
Found window with many clickable UI elements (buttons, textforms, scrollbars etc)	System Summary	Security Software Discovery
Executable creates window controls seldom found in malware	System Summary	Exploitation for Privilege Escalation

C:\Users\user\AppData\Local\Temp\PID8.vbs

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\PID8.vbs
Category:	dropped
Dump:	PID8.vbs.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.14094104394761
Encrypted:	false
Ssdeep:	48:L5YZnAz6MFDuxB7KAN7KBa4iPG9lrRtFf1f0WNoQCvYBBNyJS1GDT:VY1AzpuxB7KAN7KhiuFtHf0XQCwBBNyP
Size:	2155
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Creates temporary files	System Summary
Executes visual basic scripts	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\kms.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\kms.log
Category:	dropped
Dump:	kms.log.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Windows\System32\cmd.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.878584802350185
Encrypted:	false
Ssdeep:	3:r1v/IzqQkUQv:ezqT
Size:	35
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Executes visual basic scripts	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\LIC_SWITCH.log

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\Desktop\LIC_SWITCH.log
Category:	modified
Dump:	LIC_SWITCH.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.9760749324314295
Encrypted:	false
Ssdeep:	12:IdFUUDHuwkXIcNZpwgsjXHbjWCrP5Zu5uwkf:IdFUUuwkYcfpwg6nWAPWuwkf
Size:	707
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7420
Target ID:	0
Parent PID:	2580
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	1675264
MD5:	3D6CF2933284333F5D945C062BFFCD2B
Time:	10:19:29
Date:	30/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	2527232
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\cmd.exe

C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs)>>C:\Users\user\AppData\Local\Temp\kms.log

Details

Is windows:	true
Is dropped:	false
PID:	7504
Target ID:	1
Parent PID:	7420
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs)>>C:\Users\user\AppData\Local\Temp\kms.log
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	10:19:31
Date:	30/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff77a700000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Executes visual basic scripts	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Windows\System32\cscript.exe

cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs

Details

Is windows:	true
Is dropped:	false
PID:	7556
Target ID:	3
Parent PID:	7504
Name:	cscript.exe
Class:	system-tools
Path:	C:\Windows\System32\cscript.exe
Commandline:	cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs
Size:	161280
MD5:	24590BF74BBBBFD7D7AC070F4E3C44FD
Time:	10:19:31
Date:	30/09/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6967c0000
Modulesize:	180224
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Executes visual basic scripts	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7512
Target ID:	2
Parent PID:	7504
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	10:19:31
Date:	30/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://autohotkey.com

unknown

https://autohotkey.comCould

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

3184000

trusted library allocation

page read and write

1EC2A809000

heap

page read and write

2E60000

heap

page read and write

1EC2A849000

heap

page read and write

502E000

stack

page read and write

1500000

heap

page read and write

546E000

stack

page read and write

2D30000

heap

page read and write

4A0000

unkown

page execute and read and write

110000

heap

page read and write

1505000

heap

page read and write

100000

heap

page read and write

135000

heap

page read and write

48369FE000

stack

page read and write

1EC2A844000

heap

page read and write

B68000

heap

page read and write

1EC2A85B000

heap

page read and write

14C0000

heap

page read and write

1EC2A840000

heap

page read and write

1EC2A84A000

heap

page read and write

3180000

trusted library allocation

page read and write

1EC2A864000

heap

page read and write

4FEF000

stack

page read and write

1EC2A84F000

heap

page read and write

1EC2A81B000

heap

page read and write

586F000

stack

page read and write

2D58000

heap

page read and write

483611A000

stack

page read and write

1EC2A80A000

heap

page read and write

1EC2A84D000

heap

page read and write

1EC2C600000

heap

page read and write

4E9000

unkown

page execute and read and write

1EC2A85E000

heap

page read and write

14C4000

heap

page read and write

401000

unkown

page execute and read and write

1EC2A7E8000

heap

page read and write

1EC2AB15000

heap

page read and write

1EC2A770000

heap

page read and write

48364FE000

stack

page read and write

1EC2A850000

heap

page read and write

1EC2A83D000

heap

page read and write

400000

unkown

page readonly

64E000

unkown

page write copy

4836BFF000

stack

page read and write

BC8000

heap

page read and write

B50000

heap

page read and write

5880000

trusted library allocation

page read and write

1EC2A85D000

heap

page read and write

400000

unkown

page readonly

1EC2A844000

heap

page read and write

1EC2A848000

heap

page read and write

A5A000

stack

page read and write

1EC2A83D000

heap

page read and write

4C4000

unkown

page execute and read and write

2D50000

heap

page read and write

542F000

stack

page read and write

BA0000

heap

page read and write

1EC2A831000

heap

page read and write

1EC2A861000

heap

page read and write

B8A000

heap

page read and write

48365FE000

stack

page read and write

1EC2A858000

heap

page read and write

A63000

stack

page read and write

1EC2A863000

heap

page read and write

1EC2A84F000

heap

page read and write

14BE000

stack

page read and write

1EC2A81E000

heap

page read and write

1EC2A858000

heap

page read and write

1EC2A83E000

heap

page read and write

1EC2A800000

heap

page read and write

64E000

unkown

page read and write

1EC2A84F000

heap

page read and write

1EC2A844000

heap

page read and write

1EC2A832000

heap

page read and write

2D5E000

heap

page read and write

1EC2A740000

heap

page read and write

1EC2A816000

heap

page read and write

1EC2A857000

heap

page read and write

1EC2A868000

heap

page read and write

2E90000

heap

page read and write

4B1000

unkown

page execute and read and write

1EC2A815000

heap

page read and write

1EC2A750000

heap

page read and write

A55000

stack

page read and write

14D0000

heap

page read and write

B60000

heap

page read and write

2E51000

heap

page read and write

1EC2A7F2000

heap

page read and write

1EC2A86B000

heap

page read and write

1EC2A85D000

heap

page read and write

48367FE000

stack

page read and write

130000

heap

page read and write

4CF000

unkown

page execute and read and write

1EC2A85F000

heap

page read and write

150A000

heap

page read and write

A32000

stack

page read and write

B87000

heap

page read and write

1EC2A7E0000

heap

page read and write

BCC000

heap

page read and write

64D000

unkown

page execute and write copy

B8A000

heap

page read and write

1EC2A83D000

heap

page read and write

97000

stack

page read and write

48368FE000

stack

page read and write

1EC2A844000

heap

page read and write

1EC2A852000

heap

page read and write

1EC2A85A000

heap

page read and write

1EC2AB10000

heap

page read and write

1EC2A7D0000

heap

page read and write

B81000

heap

page read and write

4836AFF000

stack

page read and write

B8B000

heap

page read and write

4D0000

unkown

page execute and write copy

A68000

stack

page read and write

2D60000

heap

page read and write

1EC2A85D000

heap

page read and write

1E0000

heap

page read and write

A42000

stack

page read and write

BAC000

heap

page read and write

1EC2A7FC000

heap

page read and write

1EC2A846000

heap

page read and write

1EC2A868000

heap

page read and write

There are 112 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Memdumps

IOC Report
file.exe