Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Doc.exe

PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy:	6.12525593465114
Filename:	Doc.exe
Filesize:	15875584
MD5:	2746a7120bce30e9230a2e71a9ad909f
SHA1:	506c97a2e62a2c962dbd283b2344e73cac4f8271
SHA256:	4480d314657f84b2f829fb85fe6603c288bd9262e00e752e475c2a315dd2013f
SHA512:	0552f8a0bc9af0b03ab4a0d1b1afc08038aa0fce2b563daf865020414cc5a8c985a55589d8f2af891dd5b302f423bbe05fbfc6889171f74e33728b6b4027fc04
SSDEEP:	98304:43pEB59UU/DVSk8V57vYJDysmvezaIaFiP5wvEx5S/8/yKTqEc:gpEBIIV2YJOsmvaaIaFU5wsxgU/yH
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........<........"...........................@..............................`............`... ............................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Potentially malicious time measurement code found	Anti Debugging
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
Installs a raw input device (often for capturing keystrokes)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara signature match	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Executable is probably coded in Go lang	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

\Device\Mup\user-PC\PIPE\samr

GLS_BINARY_LSB_FIRST

dropped

Details

File:	\Device\Mup\user-PC\PIPE\samr
Category:	dropped
Dump:	samr.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Doc.exe
Type:	GLS_BINARY_LSB_FIRST
Entropy:	4.438743916256937
Encrypted:	false
Ssdeep:	3:rmHfvtH//STGlA1yqGlYUGk+ldyHGlgZty:rmHcKtGFlqty
Size:	160
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Doc.exe

"C:\Users\user\Desktop\Doc.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7440
Target ID:	0
Parent PID:	2580
Name:	Doc.exe
Path:	C:\Users\user\Desktop\Doc.exe
Commandline:	"C:\Users\user\Desktop\Doc.exe"
Size:	15875584
MD5:	2746A7120BCE30E9230A2E71A9AD909F
Time:	00:38:56
Date:	01/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xa50000
Modulesize:	16343040
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Sliver Implants	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Communication To Uncommon Destination Ports	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Domains

Name

Malicious

sam.mr

128.65.199.135

Details

Name:	sam.mr
IP:	128.65.199.135
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

128.65.199.135

sam.mr

Switzerland

Details

IP:	128.65.199.135
TargetID:	0
Current Path:	C:\Users\user\Desktop\Doc.exe
Country:	Switzerland
Countrycode:	CHE
ASN number:	29222
ASN name:	INFOMANIAK-ASCH
Private:	false
Domain:	sam.mr

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Communication To Uncommon Destination Ports	System Summary

Memdumps

Base Address

Regiontype

Protect

Malicious

C000188000

direct allocation

page read and write

C0001C4000

direct allocation

page read and write

C0000E8000

direct allocation

page read and write

C000096000

direct allocation

page read and write

C000256000

direct allocation

page read and write

C0001B2000

direct allocation

page read and write

C00037A000

direct allocation

page read and write

C0002BA000

direct allocation

page read and write

C000230000

direct allocation

page read and write

1394000

unkown

page readonly

C000051000

direct allocation

page read and write

C000053000

direct allocation

page read and write

C000272000

direct allocation

page read and write

C0001B0000

direct allocation

page read and write

C0003E4000

direct allocation

page read and write

C000022000

direct allocation

page read and write

C0003B0000

direct allocation

page read and write

C000212000

direct allocation

page read and write

C000218000

direct allocation

page read and write

190D000

unkown

page read and write

C000043000

direct allocation

page read and write

C000045000

direct allocation

page read and write

C0002AC000

direct allocation

page read and write

C0000FE000

direct allocation

page read and write

C0000AC000

direct allocation

page read and write

C0000A4000

direct allocation

page read and write

C00022C000

direct allocation

page read and write

15BD000

unkown

page readonly

C0003F2000

direct allocation

page read and write

C00009C000

direct allocation

page read and write

C000236000

direct allocation

page read and write

C000088000

direct allocation

page read and write

C0000F4000

direct allocation

page read and write

C0000AA000

direct allocation

page read and write

1945000

unkown

page write copy

15BD000

unkown

page readonly

C0001FE000

direct allocation

page read and write

EC03DFB000

stack

page read and write

2216636E000

direct allocation

page read and write

C0001AE000

direct allocation

page read and write

C0001F0000

direct allocation

page read and write

2216636C000

direct allocation

page read and write

1981000

unkown

page read and write

221607E6000

direct allocation

page read and write

C000226000

direct allocation

page read and write

C00008E000

direct allocation

page read and write

C000180000

direct allocation

page read and write

C0001CC000

direct allocation

page read and write

C0002AA000

direct allocation

page read and write

C000232000

direct allocation

page read and write

19BD000

unkown

page write copy

2216080C000

heap

page read and write

C0001C8000

direct allocation

page read and write

C000250000

direct allocation

page read and write

15C5000

unkown

page readonly

C0003F6000

direct allocation

page read and write

EC04BFD000

stack

page read and write

C000032000

direct allocation

page read and write

A50000

unkown

page readonly

2216077C000

direct allocation

page read and write

193F000

unkown

page read and write

C0000A6000

direct allocation

page read and write

C000274000

direct allocation

page read and write

EC04DFF000

stack

page read and write

2216636A000

direct allocation

page read and write

C000030000

direct allocation

page read and write

C000260000

direct allocation

page read and write

C000048000

direct allocation

page read and write

19BE000

unkown

page readonly

C00021E000

direct allocation

page read and write

C0003FC000

direct allocation

page read and write

22166360000

direct allocation

page read and write

C0000DC000

direct allocation

page read and write

C0002A1000

direct allocation

page read and write

15C5000

unkown

page readonly

C0000AE000

direct allocation

page read and write

C00000C000

direct allocation

page read and write

C000228000

direct allocation

page read and write

EC047FF000

stack

page read and write

191C000

unkown

page read and write

C000024000

direct allocation

page read and write

C0001EE000

direct allocation

page read and write

C0002AE000

direct allocation

page read and write

22166327000

direct allocation

page read and write

C0003F4000

direct allocation

page read and write

C0003D8000

direct allocation

page read and write

197B000

unkown

page read and write

19BE000

unkown

page readonly

221607E0000

direct allocation

page read and write

C0000E2000

direct allocation

page read and write

C000242000

direct allocation

page read and write

C000026000

direct allocation

page read and write

C000395000

direct allocation

page read and write

221607E2000

direct allocation

page read and write

C000380000

direct allocation

page read and write

C0002A5000

direct allocation

page read and write

C000084000

direct allocation

page read and write

1394000

unkown

page readonly

19A8000

unkown

page read and write

C0000F6000

direct allocation

page read and write

22160800000

heap

page read and write

C000092000

direct allocation

page read and write

EC049FE000

stack

page read and write

1948000

unkown

page read and write

C0003F8000

direct allocation

page read and write

A51000

unkown

page execute read

C000028000

direct allocation

page read and write

A51000

unkown

page execute read

22160730000

heap

page read and write

C00004F000

direct allocation

page read and write

22160650000

heap

page read and write

C0003FA000

direct allocation

page read and write

C0001D6000

direct allocation

page read and write

EC045FE000

stack

page read and write

22160770000

direct allocation

page read and write

C0001E8000

direct allocation

page read and write

22166300000

direct allocation

page read and write

C00020E000

direct allocation

page read and write

C0000C6000

direct allocation

page read and write

C00008C000

direct allocation

page read and write

C0000D4000

direct allocation

page read and write

C00027E000

direct allocation

page read and write

C0000C4000

direct allocation

page read and write

C0000EC000

direct allocation

page read and write

C000222000

direct allocation

page read and write

C000382000

direct allocation

page read and write

C0000B6000

direct allocation

page read and write

22160779000

direct allocation

page read and write

191D000

unkown

page write copy

C0000C8000

direct allocation

page read and write

A50000

unkown

page readonly

19B0000

unkown

page read and write

C000234000

direct allocation

page read and write

C0001C6000

direct allocation

page read and write

19BD000

unkown

page write copy

221607D5000

heap

page read and write

191B000

unkown

page write copy

C0001C2000

direct allocation

page read and write

C0003D0000

direct allocation

page read and write

22160750000

heap

page read and write

C000276000

direct allocation

page read and write

190D000

unkown

page write copy

C000266000

direct allocation

page read and write

C00028C000

direct allocation

page read and write

C0000B2000

direct allocation

page read and write

C000004000

direct allocation

page read and write

EC04FFE000

stack

page read and write

C0002B0000

direct allocation

page read and write

C00039E000

direct allocation

page read and write

EC043FE000

stack

page read and write

221607ED000

direct allocation

page read and write

C00001A000

direct allocation

page read and write

C0002B4000

direct allocation

page read and write

C000020000

direct allocation

page read and write

C0000F2000

direct allocation

page read and write

C000270000

direct allocation

page read and write

C0000A0000

direct allocation

page read and write

C000238000

direct allocation

page read and write

C0001BE000

direct allocation

page read and write

221607D0000

heap

page read and write

C0001FC000

direct allocation

page read and write

C0000FA000

direct allocation

page read and write

C0002A7000

direct allocation

page read and write

C0000E6000

direct allocation

page read and write

C000002000

direct allocation

page read and write

22160774000

direct allocation

page read and write

C000006000

direct allocation

page read and write

C000035000

direct allocation

page read and write

C00003E000

direct allocation

page read and write

C0001F6000

direct allocation

page read and write

C0003EC000

direct allocation

page read and write

C000220000

direct allocation

page read and write

22166320000

direct allocation

page read and write

C00001E000

direct allocation

page read and write

There are 164 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Doc.exe

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportDoc.exe

Files

Processes

Domains

IPs

Memdumps

IOC Report
Doc.exe