Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	5.833180945394466
Filename:	file.exe
Filesize:	2427392
MD5:	ed7e56bb217c2448ad3b61f5bfd83e16
SHA1:	92d994024ff61db1726d0ace38e6b4f22a8ef522
SHA256:	36214001aad5a561e3e8e17334adb7e507f937510978302c860df84ec647be2b
SHA512:	4a7aa240a034023e4453cbd4b408b977431912132a4dd058f60d39a8d13547f7cfb2cb7e0666ac4401c6a490e1cb214af7c6d9d4c95037f638c817b302f59b33
SSDEEP:	49152:n1EofVNQzBWKHqP6qhw6rb1eNhuQk/FJjnDViNgi:n1EofCqhw6rb1eNhuln0gi
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........[.............4..Q....4.......4.......1.......1.......1.......1.......4...............0.......0.......0......Rich...........

Signature Hits	Behavior Group	Mitre Attack
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Public key (encryption) found	Cryptography	Archive Collected Data
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Reads software policies	System Summary	System Information Discovery
Sample might require command line arguments	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\Desktop\example.txt

ISO-8859 text, with no line terminators

dropped

Details

File:	C:\Users\user\Desktop\example.txt
Category:	dropped
Dump:	example.txt.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	ISO-8859 text, with no line terminators
Entropy:	3.251629167387823
Encrypted:	false
Ssdeep:	3:uV7:uV7
Size:	12
Whitelisted:	false
Reputation:	low

C:\Users\user\Music\vkiwdonilg\Builder.dll

PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\Music\vkiwdonilg\Builder.dll
Category:	dropped
Dump:	Builder.dll.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	4.8740045721641545
Encrypted:	false
Ssdeep:	3072:YMPzUfhHQzO0rYJwudIDZ08lxJ/qEz/zWPbi4h3P5NdrRH44sYnWjoNcdhCPsw7S:WHQaXdIDZ0O5z/zMKug
Size:	352256
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3836
Target ID:	0
Parent PID:	4084
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	2427392
MD5:	ED7E56BB217C2448AD3B61F5BFD83E16
Time:	21:26:20
Date:	02/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76bc10000
Modulesize:	2461696
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3576
Target ID:	1
Parent PID:	3836
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	21:26:20
Date:	02/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6ee680000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://curl.se/docs/hsts.html

unknown

https://curl.se/docs/alt-svc.html

unknown

https://curl.se/docs/http-cookies.html

unknown

http://72.5.42.222:8568/api/newLog

unknown

IPs

Domain

Country

Malicious

72.5.42.222

unknown

United States

Details

IP:	72.5.42.222
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	16769
ASN name:	UNASSIGNED
Private:	false

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

2B9C5AE5000

heap

page read and write

2B9C5D10000

trusted library allocation

page read and write

2B9C5A11000

heap

page read and write

2B9C5942000

heap

page read and write

2B9C5AE5000

heap

page read and write

2B9CA73C000

heap

page read and write

7FF76BE5F000

unkown

page readonly

2B9C5BE3000

heap

page read and write

2B9C5B66000

heap

page read and write

2B9C5AE7000

heap

page read and write

7FF76BE65000

unkown

page readonly

2B9C5A11000

heap

page read and write

2B9C5AE5000

heap

page read and write

2B9C6810000

heap

page read and write

7FF76BC2C000

unkown

page execute read

2B9C5E11000

heap

page read and write

7FF76BC26000

unkown

page execute read

2B9C5890000

trusted library allocation

page read and write

2B9C5BD6000

heap

page read and write

2B9C619B000

heap

page read and write

7FF76BC11000

unkown

page execute read

2B9CBC62000

heap

page read and write

2B9C5942000

heap

page read and write

2B9C58E3000

heap

page read and write

2B9CA82D000

heap

page read and write

2B9C5942000

heap

page read and write

7FF76BE42000

unkown

page write copy

2B9C780D000

heap

page read and write

2B9C5A24000

heap

page read and write

2B9C5B11000

heap

page read and write

2B9C5BD6000

heap

page read and write

2B9C5943000

heap

page read and write

2B9CA985000

heap

page read and write

2B9C5890000

trusted library allocation

page read and write

7FF76BC10000

unkown

page readonly

2B9C5AE6000

heap

page read and write

2B9C5A65000

heap

page read and write

2B9C5A65000

heap

page read and write

7FF76BDEC000

unkown

page readonly

2B9C58CB000

heap

page read and write

2B9C58D6000

heap

page read and write

2B9C6955000

heap

page read and write

2B9C5890000

trusted library allocation

page read and write

2B9C7279000

heap

page read and write

2B9CB262000

heap

page read and write

2B9C5A11000

heap

page read and write

2B9C8959000

heap

page read and write

2B9C5890000

trusted library allocation

page read and write

2B9C64B2000

heap

page read and write

2B9C5890000

trusted library allocation

page read and write

2B9C5BE3000

heap

page read and write

2B9C5B66000

heap

page read and write

7FF76BDE4000

unkown

page execute read

2B9C5AE5000

heap

page read and write

2B9C5BE4000

heap

page read and write

2B9CA0B9000

heap

page read and write

2B9C5B64000

heap

page read and write

2B9C5B66000

heap

page read and write

2B9C5D10000

trusted library allocation

page read and write

7FF76BE49000

unkown

page readonly

2B9C8F6D000

heap

page read and write

2B9C5AE7000

heap

page read and write

2B9C5E10000

heap

page read and write

2B9C5A65000

heap

page read and write

2B9C5D10000

trusted library allocation

page read and write

2B9C820D000

heap

page read and write

2B9C5F7A000

heap

page read and write

2B9C58CC000

heap

page read and write

2B9C6879000

heap

page read and write

2B9C5D10000

trusted library allocation

page read and write

2B9CA78B000

heap

page read and write

2B9C5D10000

trusted library allocation

page read and write

2B9C5B64000

heap

page read and write

2B9C5B11000

heap

page read and write

2B9C5AE5000

heap

page read and write

2B9C996D000

heap

page read and write

2B9C5943000

heap

page read and write

7FF76BDE1000

unkown

page execute read

7FF76BC21000

unkown

page execute read

There are 69 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

IPs

Memdumps

IOC Report
file.exe