Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.581133758091637
Filename:	file.exe
Filesize:	918016
MD5:	8a053c1ee0f0ad79e8cd1a0788741383
SHA1:	b6e1e501874d798c8978e6e376be936386b87866
SHA256:	a1fb3e3bfa47fcb6a213addb2125c0971eccaba914830be8f9e2104c2edb2268
SHA512:	94490fda5e002d24a4937a6be622848701ce4ce0b3c5e48bd76ea083bdd2f6fb66bf74c6403554ef98ecb8781c92b4005b02d5db64e2fc4d3bca19faeaad8c4f
SSDEEP:	12288:HqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaTTQ:HqDEvCTbMWu7rQYlBQcBiT6rprG8anQ
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

Signature Hits	Behavior Group	Mitre Attack
Binary is likely a compiled AutoIt script file	System Summary
Found API chain indicative of sandbox detection	Malware Analysis System Evasion	Disable or Modify Tools Virtualization/Sandbox Evasion Security Software Discovery
Machine Learning detection for sample	AV Detection
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Native API Access Token Manipulation
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Process Discovery
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Disable or Modify Tools
Contains functionality to read the PEB	Anti Debugging
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools Clipboard Data
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Disable or Modify Tools System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools Input Capture
Uses 32bit PE files	Compliance, System Summary	Disable or Modify Tools
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality for error logging	System Summary	Disable or Modify Tools
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
PE file has an executable .text section and no other executable section	System Summary
Queries a list of all running processes	Malware Analysis System Evasion
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading Disable or Modify Tools
URLs found in memory or binary data	Networking	Disable or Modify Tools
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

Chrome Cache Entry: 62

ASCII text, with very long lines (553)

downloaded

Details

File:	Chrome Cache Entry: 62
Category:	downloaded
Dump:	chromecache_62.3.dr
ID:	dr_4
Target ID:	3
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	ASCII text, with very long lines (553)
Entropy:	5.792203668061935
Encrypted:	false
Ssdeep:	6144:HVXWBQkPdzg5pTX1ROv/duPzd8C3s891/v:gfd8j91/v
Size:	706790
Whitelisted:	false
Reputation:	low

Chrome Cache Entry: 63

MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel

downloaded

Details

File:	Chrome Cache Entry: 63
Category:	downloaded
Dump:	chromecache_63.3.dr
ID:	dr_5
Target ID:	3
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Entropy:	3.6534652184263736
Encrypted:	false
Ssdeep:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
Size:	5430
Whitelisted:	true
Reputation:	high

Chrome Cache Entry: 64

Web Open Font Format (Version 2), TrueType, length 52280, version 1.0

downloaded

Details

File:	Chrome Cache Entry: 64
Category:	downloaded
Dump:	chromecache_64.3.dr
ID:	dr_6
Target ID:	3
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Entropy:	7.995413196679271
Encrypted:	true
Ssdeep:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
Size:	52280
Whitelisted:	false
Reputation:	high

Chrome Cache Entry: 65

ASCII text, with no line terminators

downloaded

Details

File:	Chrome Cache Entry: 65
Category:	downloaded
Dump:	chromecache_65.3.dr
ID:	dr_7
Target ID:	3
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	ASCII text, with no line terminators
Entropy:	4.875266466142591
Encrypted:	false
Ssdeep:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
Size:	84
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7092
Target ID:	0
Parent PID:	2580
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	918016
MD5:	8A053C1EE0F0AD79E8CD1A0788741383
Time:	19:38:55
Date:	01/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xa30000
Modulesize:	942080
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Credential Flusher	Stealing of Sensitive Information, Remote Access Functionality
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery

Details

Is windows:	true
Is dropped:	false
PID:	7132
Target ID:	1
Parent PID:	7092
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	19:38:55
Date:	01/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2012,i,1735080414500895824,7393849833326395272,262144 --disable-features=CrashRecovery /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	2996
Target ID:	3
Parent PID:	7132
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2012,i,1735080414500895824,7393849833326395272,262144 --disable-features=CrashRecovery /prefetch:8
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	19:38:55
Date:	01/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://accounts.google

unknown

Details

Name:	https://accounts.google
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000002.1650355401.0000000000E58000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

https://apis.google.com/js/api.js

unknown

https://www.google.com/favicon.ico

142.250.184.196

https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=

unknown

Domains

Name

Malicious

youtube-ui.l.google.com

142.250.185.174

www.google.com

142.250.184.196

Details

Name:	www.google.com
IP:	142.250.184.196
TargetID:	3
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

youtube.com

142.250.186.110

Details

Name:	youtube.com
IP:	142.250.186.110
TargetID:	3
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

www.youtube.com

unknown

Details

Name:	www.youtube.com
TargetID:	3
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

86.23.85.13.in-addr.arpa

unknown

IPs

Domain

Country

Malicious

142.250.184.196

www.google.com

United States

192.168.2.4

unknown

239.255.255.250

unknown

Reserved

142.250.185.174

youtube-ui.l.google.com

United States

142.250.186.110

youtube.com

United States

Memdumps

Base Address

Regiontype

Protect

Malicious

CA4000

heap

page read and write

B04000

unkown

page readonly

E50000

heap

page read and write

C60000

heap

page read and write

CA4000

heap

page read and write

AFC000

unkown

page write copy

E82000

heap

page read and write

CA4000

heap

page read and write

E8A000

heap

page read and write

CA4000

heap

page read and write

E85000

heap

page read and write

9CF000

stack

page read and write

329000

stack

page read and write

E82000

heap

page read and write

C2E000

stack

page read and write

A31000

unkown

page execute read

E58000

heap

page read and write

3511000

heap

page read and write

CA4000

heap

page read and write

9BF000

stack

page read and write

3DE000

stack

page read and write

C40000

heap

page read and write

CA4000

heap

page read and write

E6F000

heap

page read and write

AF2000

unkown

page readonly

E82000

heap

page read and write

9DB000

stack

page read and write

B00000

unkown

page write copy

A31000

unkown

page execute read

3511000

heap

page read and write

CA4000

heap

page read and write

AFC000

unkown

page read and write

E7A000

heap

page read and write

E82000

heap

page read and write

390000

heap

page read and write

9FE000

stack

page read and write

E74000

heap

page read and write

CA4000

heap

page read and write

A30000

unkown

page readonly

E40000

heap

page read and write

9EF000

stack

page read and write

C44000

heap

page read and write

E82000

heap

page read and write

3E0000

heap

page read and write

CA0000

heap

page read and write

E82000

heap

page read and write

1A4E000

stack

page read and write

E82000

heap

page read and write

B04000

unkown

page readonly

ACC000

unkown

page readonly

3610000

trusted library allocation

page read and write

3510000

heap

page read and write

E76000

heap

page read and write

A30000

unkown

page readonly

ACC000

unkown

page readonly

CA4000

heap

page read and write

E75000

heap

page read and write

AF2000

unkown

page readonly

E74000

heap

page read and write

164E000

stack

page read and write

There are 50 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
file.exe