Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

xin.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.992368290949023
Filename:	xin.exe
Filesize:	470904
MD5:	6cd2bc8e57214a9143084b8cad228c75
SHA1:	b71d3c77d96604c904702b45904b72b889808125
SHA256:	fd1da56c56e1143d0b08fe9e139075d8c2d9d5ba70117c9ef6a2f9e715198e37
SHA512:	1caa477c8535b145f00b6e05fa523692aae65ba7d5fe5c646a53024312cf922562ffef7394ce385876d2a297f71bc022a8135aaa0d2e949d0e5e2c1622752db6
SSDEEP:	6144:FRc5LRY9bXsJtSWtTcfgzwOl1YzzDeqiGOXs1fknwgBxwtZ4Z/AHqF8sfmqilXXn:Di2CrfNcaYrwOcVxwtydF0X4xidZ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ... ....@.. .......................`......I.....`................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE / OLE file has an invalid certificate	System Summary
PE file contains an invalid checksum	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Binary may include packed or encrypted code	Data Obfuscation	Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains functionality to modify the execution of threads in other processes
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xin.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xin.exe.log
Category:	dropped
Dump:	xin.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\xin.exe
Type:	CSV text
Entropy:	5.353683843266035
Encrypted:	false
Ssdeep:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
Size:	425
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE / OLE file has an invalid certificate	System Summary
PE file contains an invalid checksum	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Category:	dropped
Dump:	RegAsm.exe.log.3.dr
ID:	dr_1
Target ID:	3
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.345080863654519
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
Size:	1119
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\xin.exe

"C:\Users\user\Desktop\xin.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7568
Target ID:	0
Parent PID:	3504
Name:	xin.exe
Path:	C:\Users\user\Desktop\xin.exe
Commandline:	"C:\Users\user\Desktop\xin.exe"
Size:	470904
MD5:	6CD2BC8E57214A9143084B8CAD228C75
Time:	11:19:22
Date:	02/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xaa0000
Modulesize:	483328
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE / OLE file has an invalid certificate	System Summary
PE file contains an invalid checksum	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7728
Target ID:	3
Parent PID:	7568
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	11:19:24
Date:	02/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7c0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7576
Target ID:	1
Parent PID:	7568
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	11:19:22
Date:	02/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff70f010000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

CAD000

trusted library allocation

page execute and read and write

FB7000

heap

page read and write

125E000

stack

page read and write

5869000

stack

page read and write

3E31000

trusted library allocation

page read and write

5240000

trusted library allocation

page read and write

4C6D000

stack

page read and write

FC0000

trusted library allocation

page read and write

FD0000

heap

page read and write

5082000

trusted library allocation

page read and write

2AD1000

trusted library allocation

page read and write

5070000

trusted library allocation

page execute and read and write

1080000

heap

page read and write

5620000

heap

page read and write

296E000

stack

page read and write

C8D000

trusted library allocation

page execute and read and write

5060000

heap

page read and write

2D8E000

stack

page read and write

D04000

heap

page read and write

B67000

stack

page read and write

CA3000

trusted library allocation

page read and write

551E000

stack

page read and write

4FBE000

trusted library allocation

page read and write

5A2E000

stack

page read and write

12DD000

trusted library allocation

page execute and read and write

4FBB000

trusted library allocation

page read and write

5150000

trusted library allocation

page execute and read and write

C4E000

stack

page read and write

DAF000

heap

page read and write

58AE000

stack

page read and write

5000000

trusted library allocation

page read and write

12D4000

trusted library allocation

page read and write

F9F000

stack

page read and write

DAB000

heap

page read and write

402000

remote allocation

page execute and read and write

5210000

trusted library allocation

page read and write

2E20000

heap

page read and write

5020000

trusted library allocation

page read and write

1030000

trusted library allocation

page read and write

14E0000

heap

page read and write

51D0000

heap

page read and write

4FE2000

trusted library allocation

page read and write

CFD000

heap

page read and write

CD0000

heap

page read and write

F3C000

heap

page read and write

C70000

trusted library allocation

page read and write

C80000

trusted library allocation

page read and write

C83000

trusted library allocation

page execute and read and write

BD0000

heap

page read and write

14D0000

trusted library allocation

page execute and read and write

1010000

heap

page read and write

EFB000

stack

page read and write

CB6000

trusted library allocation

page execute and read and write

1000000

heap

page read and write

540E000

stack

page read and write

4FCE000

stack

page read and write

54B0000

heap

page read and write

1417000

trusted library allocation

page execute and read and write

3AD1000

trusted library allocation

page read and write

F7E000

heap

page read and write

DA3000

heap

page read and write

5130000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

70DE000

stack

page read and write

2E31000

trusted library allocation

page execute and read and write

538E000

stack

page read and write

F72000

heap

page read and write

4FF0000

trusted library allocation

page read and write

A6A000

stack

page read and write

53CE000

stack

page read and write

29AC000

stack

page read and write

CB0000

trusted library allocation

page read and write

2D90000

heap

page read and write

C90000

heap

page read and write

1480000

heap

page execute and read and write

3AD5000

trusted library allocation

page read and write

C84000

trusted library allocation

page read and write

709F000

stack

page read and write

14CC000

stack

page read and write

147E000

stack

page read and write

1085000

heap

page read and write

D11000

heap

page read and write

2E33000

trusted library allocation

page read and write

C95000

heap

page read and write

282E000

stack

page read and write

13EF000

stack

page read and write

6D1E000

stack

page read and write

BAC000

stack

page read and write

1410000

trusted library allocation

page read and write

592D000

stack

page read and write

4FCE000

trusted library allocation

page read and write

12C0000

trusted library allocation

page read and write

4FDD000

trusted library allocation

page read and write

1430000

trusted library allocation

page read and write

1020000

trusted library allocation

page read and write

3E35000

trusted library allocation

page read and write

549D000

stack

page read and write

106E000

stack

page read and write

54D4000

heap

page read and write

12D0000

trusted library allocation

page read and write

BE0000

heap

page read and write

1400000

trusted library allocation

page read and write

5205000

heap

page read and write

12E0000

heap

page read and write

29B0000

trusted library allocation

page read and write

51C0000

trusted library section

page readonly

129E000

stack

page read and write

54A0000

heap

page read and write

141B000

trusted library allocation

page execute and read and write

4FF5000

trusted library allocation

page read and write

6F9E000

stack

page read and write

5250000

heap

page read and write

5260000

trusted library allocation

page execute and read and write

2DB0000

trusted library allocation

page read and write

534E000

stack

page read and write

CBA000

trusted library allocation

page execute and read and write

F52000

heap

page read and write

4FB4000

trusted library allocation

page read and write

D81000

heap

page read and write

AA2000

unkown

page readonly

140A000

trusted library allocation

page execute and read and write

2ACE000

stack

page read and write

F8A000

heap

page read and write

F10000

heap

page read and write

6E5E000

stack

page read and write

5200000

heap

page read and write

450000

remote allocation

page execute and read and write

F1A000

heap

page read and write

4FD6000

trusted library allocation

page read and write

CCB000

trusted library allocation

page execute and read and write

AA0000

unkown

page readonly

292E000

stack

page read and write

561E000

stack

page read and write

5173000

heap

page read and write

29C0000

heap

page execute and read and write

1040000

heap

page read and write

CC2000

trusted library allocation

page read and write

F85000

heap

page read and write

29BF000

trusted library allocation

page read and write

71DE000

stack

page read and write

1010000

trusted library allocation

page read and write

F1E000

heap

page read and write

5170000

heap

page read and write

CC7000

trusted library allocation

page execute and read and write

58EE000

stack

page read and write

FB0000

heap

page read and write

D71000

heap

page read and write

571E000

stack

page read and write

51BB000

stack

page read and write

51E0000

heap

page read and write

12D3000

trusted library allocation

page execute and read and write

F44000

heap

page read and write

72E2000

trusted library allocation

page read and write

2DD0000

trusted library allocation

page read and write

5080000

trusted library allocation

page read and write

4FB0000

trusted library allocation

page read and write

13F4000

trusted library allocation

page read and write

4FD1000

trusted library allocation

page read and write

2B2E000

trusted library allocation

page read and write

1020000

heap

page read and write

5410000

heap

page execute and read and write

FF0000

trusted library allocation

page execute and read and write

6F5E000

stack

page read and write

CDB000

heap

page read and write

52A0000

heap

page execute and read and write

6E1E000

stack

page read and write

13F0000

trusted library allocation

page read and write

There are 157 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
xin.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportxin.exe

Files

Processes

Memdumps

IOC Report
xin.exe