Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.96603032667569
Filename:	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Filesize:	5883824
MD5:	07dd73909e1a74b92498058afc918ede
SHA1:	2f3f9ab4f17ccd2dfe0c4aada522b00c580c454d
SHA256:	40122c3fc307277bbcb516dce390f74f27e2f798cb351a692f820ba7d3ffd735
SHA512:	97f66cd575203cfbd0d584475c6696b160071e95466e5dde8b71d66138108f0b4d544af24706720960509fd7fd21bef07e443995457de3805168672844901853
SSDEEP:	98304:XUd9wETbKHs4+b4EmeICxgHxC6qz1loJoYFqQ5dn6uqhAoCVtxnz+oEIWoJd:MwgbKM44YCxwxmzLOFfdrq+P/xnCoEIh
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.........A.../.../.../.Sj..../.Sj..G./.Sj..../.yV..../...,.../...+.../...*.../......./......./......./.....i./.../.../.&.+.../.L.&.../

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Found direct / indirect Syscall (likely to bypass EDR)	HIPS / PFW / Operating System Protection Evasion	Abuse Elevation Control Mechanism Process Discovery
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Potentially malicious time measurement code found	Anti Debugging	Process Discovery
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)	Malware Analysis System Evasion, Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data Encrypted Channel
Found evasive API chain checking for process token information	Malware Analysis System Evasion	Native API Process Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	File and Directory Discovery
PE / OLE file has an invalid certificate	System Summary	File and Directory Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\bvhk

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\bvhk
Category:	dropped
Dump:	bvhk.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Windows\SysWOW64\cmd.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.309192877646325
Encrypted:	false
Ssdeep:	6144:KlPi8WYtUokCulxMfpb7fefYxyFacU77+Uw3N/RQv8Yt9v:GHtUoH3BfQbFfI7x8/Ret9v
Size:	320512
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Stealc	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\16f361f8

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\16f361f8
Category:	dropped
Dump:	16f361f8.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Type:	data
Entropy:	7.558029440197468
Encrypted:	false
Ssdeep:	24576:sHoc64zc8Uku9hjo8r8sthbuc5h9aCHBt2fOEFP:sHB64zgBtFZP9aCHgd
Size:	1051621
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

"C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6320
Target ID:	0
Parent PID:	2580
Name:	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Path:	C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Commandline:	"C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe"
Size:	5883824
MD5:	07DD73909E1A74B92498058AFC918EDE
Time:	11:56:57
Date:	03/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1445888
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Deletes itself after installation	Hooking and other Techniques for Hiding and Protection	File Deletion
PE / OLE file has an invalid certificate	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\cmd.exe

Details

Is windows:	true
Is dropped:	false
PID:	6520
Target ID:	1
Parent PID:	6320
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	C:\Windows\SysWOW64\cmd.exe
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	11:56:57
Date:	03/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Stealc	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Proxy Execution Via Explorer.exe	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\explorer.exe

Details

Is windows:	true
Is dropped:	false
PID:	2536
Target ID:	3
Parent PID:	6520
Name:	explorer.exe
Class:	explorer
Path:	C:\Windows\SysWOW64\explorer.exe
Commandline:	C:\Windows\SysWOW64\explorer.exe
Size:	4514184
MD5:	DD6597597673F72E10C9DE7901FBA0A8
Time:	11:57:09
Date:	03/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xaf0000
Modulesize:	4493312
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Launches a second explorer.exe instance	System Summary
Sigma detected: Proxy Execution Via Explorer.exe	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6468
Target ID:	2
Parent PID:	6520
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	11:56:57
Date:	03/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://5.188.87.43/29087f1d398f0eec.php

https://sectigo.com/CPS0

unknown

http://www.vmware.com/0

unknown

https://fastcopy.jp/help/fastcopy_cn.htm

unknown

http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y

unknown

http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0

unknown

http://ocsp.sectigo.com0

unknown

http://www.symauth.com/rpa00

unknown

https://fastcopy.jpF

unknown

https://fastcopy.jp.https://github.com/FastCopyLab/FastCopy/issues

unknown

http://www.info-zip.org/

unknown

https://fastcopy.jp.https://github.com/FastCopyLab/FastCopy/issuesVThis

unknown

https://fastcopy.jp/pro/

unknown

http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#

unknown

http://www.vmware.com/0/

unknown

https://fastcopy.jp

unknown

https://fastcopy.jp/help/fastcopy.htm

unknown

http://ocsp.digicert.c

unknown

http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#

unknown

http://c0rl.m%L

unknown

http://www.symauth.com/cps0(

unknown

http://crl3.digicert.

unknown

There are 12 hidden URLs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

611000

unkown

page execute and write copy

5BD0000

direct allocation

page read and write

2D51000

heap

page read and write

90F000

stack

page read and write

684000

heap

page read and write

8B0000

heap

page read and write

2AA2000

heap

page read and write

2CAF000

heap

page read and write

584D000

direct allocation

page read and write

6CE000

stack

page read and write

2B52000

heap

page read and write

34CB000

heap

page read and write

3B6D000

trusted library allocation

page read and write

3B69000

trusted library allocation

page read and write

21FD000

heap

page read and write

36F0000

unkown

page read and write

282E000

stack

page read and write

36DF000

stack

page read and write

45D000

unkown

page readonly

3144000

unkown

page read and write

4945000

heap

page read and write

650000

heap

page read and write

570000

heap

page read and write

3144000

unkown

page read and write

3DD000

stack

page read and write

40EF000

unkown

page read and write

70E000

stack

page read and write

3BDE000

trusted library allocation

page read and write

350E000

unkown

page read and write

805000

heap

page read and write

53D3000

heap

page read and write

401000

unkown

page execute read

2F96000

heap

page read and write

871000

unkown

page write copy

86C000

unkown

page readonly

A0F000

stack

page read and write

45D000

unkown

page readonly

684000

heap

page read and write

2900000

heap

page read and write

3180000

heap

page read and write

3F14000

unkown

page read and write

39C000

stack

page read and write

32B0000

direct allocation

page read and write

22B0000

heap

page read and write

313A000

stack

page read and write

71B000

heap

page read and write

4EDD000

direct allocation

page read and write

2A00000

heap

page read and write

2AA5000

heap

page read and write

63B000

unkown

page write copy

34CF000

unkown

page read and write

684000

heap

page read and write

5720000

direct allocation

page read and write

4A68000

heap

page read and write

481000

unkown

page read and write

32A0000

unkown

page read and write

30A7000

heap

page read and write

484000

unkown

page read and write

2B55000

heap

page read and write

684000

heap

page read and write

4CF5000

trusted library allocation

page read and write

2D51000

heap

page read and write

498000

unkown

page read and write

A10000

heap

page read and write

55A000

unkown

page readonly

3144000

unkown

page read and write

303C000

stack

page read and write

26F1000

heap

page read and write

3160000

unkown

page readonly

380A000

heap

page read and write

329E000

unkown

page read and write

3170000

unkown

page readonly

3A40000

trusted library allocation

page read and write

684000

heap

page read and write

684000

heap

page read and write

19C000

stack

page read and write

483000

unkown

page write copy

36F4000

unkown

page read and write

55A000

unkown

page readonly

40A7000

unkown

page read and write

49A000

unkown

page readonly

2AD9000

heap

page read and write

21E0000

heap

page read and write

4F4E000

direct allocation

page read and write

5AD0000

unkown

page read and write

400000

unkown

page readonly

2FD0000

heap

page read and write

680000

heap

page read and write

4DB0000

direct allocation

page read and write

401000

unkown

page execute read

22B4000

heap

page read and write

30A0000

heap

page read and write

2E53000

heap

page read and write

2867000

heap

page read and write

3402000

heap

page read and write

32DC000

heap

page read and write

684000

heap

page read and write

2C0A000

heap

page read and write

481000

unkown

page write copy

3144000

unkown

page read and write

3521000

heap

page read and write

62E000

unkown

page readonly

2FB0000

heap

page read and write

3150000

unkown

page readonly

565B000

trusted library allocation

page read and write

36F4000

unkown

page read and write

684000

heap

page read and write

4ED9000

direct allocation

page read and write

32D0000

heap

page read and write

5613000

trusted library allocation

page read and write

3FA0000

unkown

page read and write

22A0000

heap

page read and write

A20000

heap

page read and write

360F000

unkown

page read and write

9B000

stack

page read and write

684000

heap

page read and write

3144000

unkown

page read and write

400000

unkown

page readonly

4CAD000

trusted library allocation

page read and write

5AD1000

unkown

page read and write

5C1C000

direct allocation

page read and write

3140000

heap

page read and write

5849000

direct allocation

page read and write

49A000

unkown

page readonly

3144000

unkown

page read and write

52B0000

heap

page read and write

5AD1000

unkown

page read and write

36E7000

heap

page read and write

58BE000

direct allocation

page read and write

710000

heap

page read and write

2D50000

heap

page read and write

3DF1000

unkown

page read and write

36C0000

heap

page read and write

3144000

unkown

page read and write

3144000

unkown

page read and write

3144000

unkown

page read and write

There are 126 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Files

Processes

URLs

Memdumps

IOC Report
40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe