Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

OPyF68i97j.exe

PE32 executable (console) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	3.72525154374232
Filename:	OPyF68i97j.exe
Filesize:	4323328
MD5:	048fe750e586bce2fe5c5f0c77dd208f
SHA1:	cc82bb9ec77116cdea64b52aed1417ff2389b925
SHA256:	84f6d402fc4b76b949a893344b73ae1b4abb21dc9989745728cd18c92991e0ae
SHA512:	dc4031cc1de6a6a455a2799247b78eb8379ce4409b09954f64bb918fd031e9ff4f97ea8c17b5643125e892613f0c10de410cecd2dc2b8fc4b42811910165dcd1
SSDEEP:	24576:y5qN8uQ+0EAVj21SRMQEMvwQ+AJuplwAi6qAu2j:yAN8uQqAI1/CwQDd
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........]..q...q...q...r...q...t.w.q...u...q...t...q...u...q...r...q...p...q...p.w.q.[.y...q.[.q...q.[.s...q.Rich..q................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Native API Masquerading
Machine Learning detection for sample	AV Detection
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to read the PEB	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	File and Directory Discovery
Creates files inside the system directory	System Summary	Masquerading
Creates or modifies windows services	Boot Survival
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to create services	System Summary	Windows Service
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to modify services (start/stop/modify)	System Summary	Service Execution System Time Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to register a service control handler (likely the sample is a service DLL)	System Summary
Contains functionality to register its own exception handler	Anti Debugging
Contains functionality to start windows services	Boot Survival
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Logs\logs\Secur32.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

Details

File:	C:\Windows\Logs\logs\Secur32.dll
Category:	dropped
Dump:	Secur32.dll.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Users\user\Desktop\OPyF68i97j.exe
Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy:	5.888794800317783
Encrypted:	false
Ssdeep:	6144:frkQvCcpytrBOvwGjKgeR0hJ4mze9qAQ6uz9GXTrapA7xEPDimGzMHy:zQcctibjxeORmu8XTS8xlmBy
Size:	448000
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Windows\Logs\logs\brcc.exe

PE32 executable (console) Intel 80386, for MS Windows

dropped

Details

File:	C:\Windows\Logs\logs\brcc.exe
Category:	dropped
Dump:	brcc.exe.4.dr
ID:	dr_0
Target ID:	4
Process:	C:\Users\user\Desktop\OPyF68i97j.exe
Type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	6.164528854224287
Encrypted:	false
Ssdeep:	3072:le+COG4lWVKQuCOZx4UdmWDXpjU1DAC8d+RgE/+n2cRkddUTO6gU7xDgtdOk6amP:ljlQKQuCO3dLDXpjUXp/+n2cRYUCy
Size:	175528
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Native API
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Access Token Manipulation
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query local drives	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Program exit points	Malware Analysis System Evasion
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Windows\Logs\logs\consent.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Windows\Logs\logs\consent.exe
Category:	dropped
Dump:	consent.exe.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Users\user\Desktop\OPyF68i97j.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.814112583624504
Encrypted:	false
Ssdeep:	768:YEau+nTNe8/BQK9A/obyD8qcJzuGqy1Z832H86OdFero6ZU9QZU97wYgZHix3udL:YbEhKq/StqyzuGP8mHVqFqzkwAqt
Size:	101968
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Windows\Logs\logs\rw32core.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

Details

File:	C:\Windows\Logs\logs\rw32core.dll
Category:	dropped
Dump:	rw32core.dll.4.dr
ID:	dr_1
Target ID:	4
Process:	C:\Users\user\Desktop\OPyF68i97j.exe
Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy:	2.8230010982146707
Encrypted:	false
Ssdeep:	6144:7sxLJfLy/ZqLltXaB+WdqJZsgaUe/7WoyNpD+2RF:o/L+m3xWMZKTWoMT
Size:	988160
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Machine Learning detection for dropped file	AV Detection
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\OPyF68i97j.exe

"C:\Users\user\Desktop\OPyF68i97j.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /tn "TabletPCInputServices"

C:\Users\user\Desktop\OPyF68i97j.exe

"C:\Users\user\Desktop\OPyF68i97j.exe" -service

C:\Users\user\Desktop\OPyF68i97j.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /tn "TabletPCInputServices"

C:\Users\user\Desktop\OPyF68i97j.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /tn "TabletPCInputServices"

C:\Windows\Logs\logs\brcc.exe

"C:\Windows\Logs\logs\brcc.exe" askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

There are 6 hidden processes, click here to show them.

URLs

Name

Malicious

http://crl.thawte.com/ThawteTimestampingCA.crl0

unknown

http://ocsp.thawte.com0

unknown

Domains

Name

Malicious

www.uvfr4ep.com

114.55.25.226

Details

Name:	www.uvfr4ep.com
IP:	114.55.25.226
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Detected non-DNS traffic on DNS port	Networking
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com

217.20.57.27

IPs

Domain

Country

Malicious

114.55.25.226

www.uvfr4ep.com

China

Details

IP:	114.55.25.226
TargetID:	14
Current Path:	C:\Windows\Logs\logs\brcc.exe
Country:	China
Countrycode:	CHN
ASN number:	37963
ASN name:	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd
Private:	false
Domain:	www.uvfr4ep.com

Signature Hits	Behavior Group	Mitre Attack
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Detected non-DNS traffic on DNS port	Networking
Sigma detected: Communication To Uncommon Destination Ports	System Summary

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DISMsrv

Description

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DISMsrv
Value name:	Description
Value data:	Deployment Image Servicing and Management (DISM) is a command-line tool that is used to mount and service Windows images before deployment.....You can use DISM image management

Signature Hits	Behavior Group	Mitre Attack
Creates or modifies windows services	Boot Survival	Windows Service

HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\DemeterID

Product ID

Memdumps

Base Address

Regiontype

Protect

Malicious

1020000

heap

page read and write

2A168F02000

heap

page read and write

9C000

stack

page read and write

12CA000

heap

page read and write

490000

unkown

page readonly

539000

heap

page read and write

D80000

heap

page read and write

2A168E26000

heap

page read and write

F1E000

heap

page read and write

1342000

direct allocation

page readonly

1B7C000

stack

page read and write

491000

unkown

page execute read

540000

heap

page read and write

CBC000

stack

page read and write

5CD000

unkown

page read and write

8B2000

unkown

page readonly

1517000

heap

page read and write

ECE000

stack

page read and write

12BF000

stack

page read and write

A8BD6FD000

stack

page read and write

4FA000

heap

page read and write

1210000

direct allocation

page execute and read and write

4AE000

unkown

page write copy

6B2000

unkown

page write copy

1120000

direct allocation

page execute and read and write

1320000

direct allocation

page read and write

4A6000

unkown

page readonly

174F000

stack

page read and write

4B2000

unkown

page write copy

15A0000

heap

page read and write

2A168E02000

heap

page read and write

1510000

heap

page read and write

490000

unkown

page readonly

2A168E40000

heap

page read and write

401000

unkown

page execute and read and write

4B0000

unkown

page write copy

4B2000

unkown

page write copy

FC0000

heap

page read and write

12C0000

heap

page read and write

8B2000

unkown

page readonly

490000

heap

page read and write

4E0000

heap

page read and write

490000

unkown

page readonly

440000

heap

page read and write

1321000

direct allocation

page execute read

429000

unkown

page write copy

A8BD4FE000

stack

page read and write

FBE000

stack

page read and write

490000

unkown

page readonly

401000

unkown

page execute and read and write

551000

heap

page read and write

179F000

stack

page read and write

DB0000

heap

page read and write

D70000

heap

page read and write

4A6000

unkown

page readonly

6B2000

unkown

page write copy

6B2000

unkown

page write copy

A8BD5FE000

unkown

page readonly

A8BD7FE000

unkown

page readonly

134F000

direct allocation

page read and write

8B2000

unkown

page readonly

2A168E13000

heap

page read and write

2A169602000

trusted library allocation

page read and write

10D0000

heap

page read and write

737000

unkown

page read and write

D3C000

stack

page read and write

1550000

heap

page read and write

6B2000

unkown

page write copy

F70000

heap

page read and write

4B2000

unkown

page write copy

12FC000

stack

page read and write

4B0000

unkown

page write copy

F80000

heap

page read and write

1360000

heap

page read and write

490000

unkown

page readonly

4A6000

unkown

page readonly

10E0000

heap

page read and write

490000

unkown

page readonly

4A6000

unkown

page readonly

41D000

unkown

page read and write

14EF000

stack

page read and write

6B2000

unkown

page read and write

1220000

direct allocation

page read and write

4B0000

unkown

page write copy

2A168C60000

heap

page read and write

F00000

heap

page read and write

106E000

stack

page read and write

491000

unkown

page execute read

F07000

heap

page read and write

491000

unkown

page execute read

8B2000

unkown

page readonly

1313000

direct allocation

page read and write

4E5000

heap

page read and write

400000

unkown

page readonly

17F0000

heap

page read and write

491000

unkown

page execute read

4AE000

unkown

page write copy

4AE000

unkown

page read and write

4AE000

unkown

page read and write

48E000

stack

page read and write

C3C000

stack

page read and write

8B2000

unkown

page readonly

4A6000

unkown

page readonly

12FC000

stack

page read and write

151F000

stack

page read and write

1233000

direct allocation

page read and write

41D000

unkown

page write copy

42A000

unkown

page readonly

4B2000

unkown

page write copy

4FE000

heap

page read and write

19C000

stack

page read and write

4AE000

unkown

page read and write

1C7C000

stack

page read and write

1410000

heap

page read and write

15A7000

heap

page read and write

8B2000

unkown

page readonly

FD0000

heap

page read and write

4AE000

unkown

page read and write

14BF000

stack

page read and write

491000

unkown

page execute read

491000

unkown

page execute read

42D000

unkown

page execute and read and write

1F0000

heap

page read and write

4B2000

unkown

page write copy

F2C000

stack

page read and write

1221000

direct allocation

page execute read

490000

unkown

page readonly

13BE000

stack

page read and write

490000

unkown

page readonly

4F0000

heap

page read and write

4B2000

unkown

page read and write

10AE000

stack

page read and write

2A168C40000

heap

page read and write

1BD0000

heap

page read and write

4B2000

unkown

page write copy

13F0000

heap

page read and write

4AE000

unkown

page write copy

4B0000

unkown

page write copy

2A168D70000

trusted library allocation

page read and write

4A6000

unkown

page readonly

DBC000

stack

page read and write

2A168E2B000

heap

page read and write

491000

unkown

page execute read

4AE000

unkown

page write copy

D20000

direct allocation

page read and write

42A000

unkown

page readonly

4A6000

unkown

page readonly

6B2000

unkown

page write copy

140E000

stack

page read and write

2A168E00000

heap

page read and write

122D000

direct allocation

page readonly

8B2000

unkown

page readonly

10FF000

stack

page read and write

FCD000

stack

page read and write

F1C000

stack

page read and write

42D000

unkown

page execute and read and write

164E000

stack

page read and write

8B2000

unkown

page readonly

14FE000

stack

page read and write

A8BD17B000

stack

page read and write

1010000

heap

page read and write

4A6000

unkown

page readonly

2A168D40000

heap

page read and write

491000

unkown

page execute read

6B2000

unkown

page write copy

6B2000

unkown

page write copy

7BF000

stack

page read and write

400000

unkown

page readonly

429000

unkown

page read and write

134B000

direct allocation

page read and write

4B2000

unkown

page write copy

12CE000

heap

page read and write

13E0000

heap

page read and write

There are 163 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
OPyF68i97j.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOPyF68i97j.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
OPyF68i97j.exe