Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Set-up.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	2.7973553454084135
Filename:	Set-up.exe
Filesize:	10006016
MD5:	bb85c40120dac356bfc311f4774d3439
SHA1:	bdcc094a88aa8971753da0c86e05c68578e5ce84
SHA256:	cff579e5facdd493e0b023979049f4504ffc611c352a7d97928943e61c66dd0d
SHA512:	d15e22befdcc9de94b68552e87d3175694e5d70cc4577d9916a523e34bbaee65991730fe71cc4075561c7247ff8d8e7126ce1b4a7f795d2fa3c7276604a32e05
SSDEEP:	49152:G+ACxZPpFDaaekodusejnK99nJeO+3nXn0Ext9V6qrzDTAQg0JZ+Wm+vfYM8sF1K:G+zxZxhUkIeG
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....z.f...............(.v,...................,...@..........................0............@... .........................B..

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Drops large PE files	System Summary
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Security Software Discovery
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Security Software Discovery Data from Local System
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery
Contains capabilities to detect virtual machines	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection Security Software Discovery
Drops PE files	Persistence and Installation Behavior
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
PE file contains sections with non-standard names	Data Obfuscation
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	Native API Security Software Discovery
Uses 32bit PE files	Compliance, System Summary	Masquerading
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary	Security Software Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
Enumerates the file system	Spreading, Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary	Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking	Security Software Discovery
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\service123.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\service123.exe
Category:	dropped
Dump:	service123.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Set-up.exe
Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	0.0023405119908208173
Encrypted:	false
Size:	314617856
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Native API
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to register its own exception handler	Anti Debugging
Creates mutexes	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\NrIpUDVFuuHZveDEtrIh.dll

PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\NrIpUDVFuuHZveDEtrIh.dll
Category:	dropped
Dump:	NrIpUDVFuuHZveDEtrIh.dll.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Set-up.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	0.05437844090555279
Encrypted:	false
Ssdeep:	24576:fmZBOBm/NEVpgdn8dIpfXXHgw/GddSWknpmkPPOXnRbl:24wuKWkn3P2XRR
Size:	315803136
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Set-up.exe

"C:\Users\user\Desktop\Set-up.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7652
Target ID:	0
Parent PID:	3504
Name:	Set-up.exe
Path:	C:\Users\user\Desktop\Set-up.exe
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Size:	10006016
MD5:	BB85C40120DAC356BFC311F4774D3439
Time:	09:48:03
Date:	01/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1000000
Modulesize:	10039296
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Yara detected Cryptbot	Stealing of Sensitive Information, Remote Access Functionality
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\service123.exe

"C:\Users\user\AppData\Local\Temp\service123.exe"

Details

Is windows:	false
Is dropped:	true
PID:	8148
Target ID:	5
Parent PID:	7652
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Size:	314617856
MD5:	3FFF09206AC36D06CF8352458CA5573E
Time:	09:49:05
Date:	01/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x660000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Details

Is windows:	true
Is dropped:	false
PID:	8168
Target ID:	6
Parent PID:	7652
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	09:49:05
Date:	01/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x650000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\/service123.exe

Details

Is windows:	false
Is dropped:	true
PID:	7280
Target ID:	8
Parent PID:	1124
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Size:	314617856
MD5:	3FFF09206AC36D06CF8352458CA5573E
Time:	09:49:07
Date:	01/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x660000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\/service123.exe

Details

Is windows:	false
Is dropped:	true
PID:	5268
Target ID:	10
Parent PID:	1124
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Size:	314617856
MD5:	3FFF09206AC36D06CF8352458CA5573E
Time:	09:50:02
Date:	01/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x660000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	8176
Target ID:	7
Parent PID:	8168
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:49:05
Date:	01/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff70f010000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

zx11pn.top

analforeverlovyu.top

|Xl@elevenvx11pn.top

elevenvx11pn.top

~elevenvx11pn.top

https://ac.ecosia.org/autocomplete?q=

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://gcc.gnu.org/bugs/):

unknown

https://duckduckgo.com/ac/?q=

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://serviceupdate32.com/update

unknown

http://elevenvx11pn.top/v1/upload.php

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://www.ecosia.org/newtab/

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

There are 7 hidden URLs, click here to show them.

Domains

Name

Malicious

elevenvx11pn.top

185.244.181.140

Details

Name:	elevenvx11pn.top
IP:	185.244.181.140
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

185.244.181.140

elevenvx11pn.top

Russian Federation

Details

IP:	185.244.181.140
TargetID:	0
Current Path:	C:\Users\user\Desktop\Set-up.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	44901
ASN name:	BELCLOUDBG
Private:	false
Domain:	elevenvx11pn.top

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

3BDE000

heap

page read and write

1610000

unkown

page read and write

3BBF000

stack

page read and write

1631000

unkown

page read and write

3281000

heap

page read and write

7E4000

heap

page read and write

3FDC000

stack

page read and write

32F0000

heap

page read and write

1616000

unkown

page read and write

170000

heap

page read and write

800000

heap

page read and write

66E000

unkown

page write copy

32FF000

heap

page read and write

FFC000

stack

page read and write

D25B000

heap

page read and write

3281000

heap

page read and write

D237000

heap

page read and write

3331000

heap

page read and write

D26F000

heap

page read and write

671000

unkown

page readonly

6F0000

heap

page read and write

12C9000

unkown

page read and write

D237000

heap

page read and write

7DC000

heap

page read and write

1001000

unkown

page execute read

307F000

stack

page read and write

C30000

heap

page read and write

F80000

heap

page read and write

41DC000

stack

page read and write

3120000

heap

page read and write

17FF000

stack

page read and write

13CB000

unkown

page read and write

1240000

heap

page read and write

A8E000

stack

page read and write

D244000

heap

page read and write

397F000

stack

page read and write

671000

unkown

page readonly

7F2000

heap

page read and write

32E3000

heap

page read and write

660000

unkown

page readonly

329E000

heap

page read and write

140A000

unkown

page read and write

3301000

heap

page read and write

1110000

heap

page read and write

194E000

unkown

page readonly

FF0000

remote allocation

page read and write

3324000

heap

page read and write

332E000

heap

page read and write

303E000

stack

page read and write

3304000

heap

page read and write

6D5000

heap

page read and write

79E000

heap

page read and write

1000000

unkown

page readonly

10BF000

stack

page read and write

168F000

unkown

page read and write

3323000

heap

page read and write

D4CA000

heap

page read and write

1117000

heap

page read and write

11B0000

heap

page read and write

3328000

heap

page read and write

377D000

stack

page read and write

1001000

unkown

page execute read

78D000

stack

page read and write

801000

heap

page read and write

7C4000

heap

page read and write

3333000

heap

page read and write

D255000

heap

page read and write

80A000

heap

page read and write

801000

heap

page read and write

66E000

unkown

page write copy

66A000

unkown

page readonly

D30A000

heap

page read and write

332F000

heap

page read and write

1590000

heap

page read and write

1300000

heap

page read and write

6C941000

unkown

page execute read

661000

unkown

page execute read

1BE000

stack

page read and write

C8F000

stack

page read and write

6C940000

unkown

page readonly

660000

unkown

page readonly

160000

heap

page read and write

32FF000

heap

page read and write

66A000

unkown

page readonly

7E4000

heap

page read and write

FF0000

remote allocation

page read and write

D230000

heap

page read and write

6CA6C000

unkown

page readonly

D232000

heap

page read and write

5F6000

stack

page read and write

1050000

heap

page read and write

66E000

unkown

page write copy

D23D000

heap

page read and write

3D9E000

stack

page read and write

6CA69000

unkown

page read and write

1070000

heap

page read and write

7F5000

heap

page read and write

194E000

unkown

page readonly

32AC000

heap

page read and write

5D2000

stack

page read and write

32D9000

heap

page read and write

333A000

heap

page read and write

3333000

heap

page read and write

D69E000

stack

page read and write

805000

heap

page read and write

74D000

stack

page read and write

D515000

heap

page read and write

3F9F000

stack

page read and write

79A000

heap

page read and write

7AC000

stack

page read and write

2E3A000

stack

page read and write

39BE000

stack

page read and write

DD0000

heap

page read and write

7D8000

heap

page read and write

6D0000

heap

page read and write

661000

unkown

page execute read

671000

unkown

page readonly

FFC000

stack

page read and write

2BED000

stack

page read and write

D231000

heap

page read and write

80A000

heap

page read and write

66E000

unkown

page read and write

6CA1D000

unkown

page read and write

C00000

heap

page read and write

332D000

heap

page read and write

D253000

heap

page read and write

C3E000

heap

page read and write

6D4000

heap

page read and write

1040000

heap

page read and write

3280000

heap

page read and write

BCE000

stack

page read and write

671000

unkown

page readonly

18D0000

unkown

page read and write

3301000

heap

page read and write

671000

unkown

page readonly

194B000

unkown

page write copy

312B000

heap

page read and write

3281000

heap

page read and write

D4C0000

heap

page read and write

EFE000

stack

page read and write

66A000

unkown

page readonly

150000

heap

page read and write

3301000

heap

page read and write

D490000

heap

page read and write

805000

heap

page read and write

790000

heap

page read and write

193B000

unkown

page readonly

660000

unkown

page readonly

660000

unkown

page readonly

2FAE000

unkown

page read and write

B2C000

stack

page read and write

3340000

heap

page read and write

1190000

heap

page read and write

66A000

unkown

page readonly

5F2000

stack

page read and write

32EB000

heap

page read and write

32CF000

heap

page read and write

3328000

heap

page read and write

158F000

unkown

page read and write

155000

heap

page read and write

FCE000

stack

page read and write

671000

unkown

page readonly

C3A000

heap

page read and write

BD0000

heap

page read and write

D027000

heap

page read and write

15FF000

stack

page read and write

FB000

stack

page read and write

BFC000

stack

page read and write

3328000

heap

page read and write

805000

heap

page read and write

6CA68000

unkown

page readonly

7F4000

heap

page read and write

66A000

unkown

page readonly

1FE000

stack

page read and write

194B000

unkown

page read and write

1308000

heap

page read and write

66E000

unkown

page read and write

357E000

stack

page read and write

2FB0000

heap

page read and write

6CA1F000

unkown

page readonly

329A000

heap

page read and write

3328000

heap

page read and write

1620000

unkown

page read and write

660000

unkown

page readonly

D247000

heap

page read and write

161E000

unkown

page read and write

661000

unkown

page execute read

660000

unkown

page readonly

2E90000

heap

page read and write

3334000

heap

page read and write

12C9000

unkown

page write copy

3080000

heap

page read and write

661000

unkown

page execute read

C10000

heap

page read and write

14DF000

stack

page read and write

2FFF000

unkown

page read and write

66E000

unkown

page read and write

15CF000

unkown

page read and write

162C000

unkown

page read and write

30C0000

heap

page read and write

661000

unkown

page execute read

D24D000

heap

page read and write

BEC000

stack

page read and write

1612000

unkown

page read and write

B80000

heap

page read and write

D250000

heap

page read and write

5FA000

stack

page read and write

193B000

unkown

page readonly

110E000

stack

page read and write

1000000

unkown

page readonly

5EE000

stack

page read and write

DBDA000

heap

page read and write

66A000

unkown

page readonly

3289000

heap

page read and write

FF0000

remote allocation

page read and write

1619000

unkown

page read and write

661000

unkown

page execute read

There are 207 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Set-up.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSet-up.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Set-up.exe