Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Label.exe

PE32+ executable (GUI) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	6.41578623250506
Filename:	Label.exe
Filesize:	2814800
MD5:	e12f93d462a622f32a4ff1e646549c42
SHA1:	540853beffb0ba9b26cf305bcf92fad82599eb3c
SHA256:	f64dab23c50e3d131abcc1bdbb35ce9d68a34920dd77677730568c24a84411c5
SHA512:	1def378e0ca7d2e861ad2e3443e471fa797b01fa92f9c539850912307546c4deef54e53e13b8bc23dce2b2156d7d8795e8c51c16e9ea03a5525574a497b44999
SSDEEP:	49152:shQu5h/rBAEcMWGPODLKDakFxxQsEnhrAWKu6j112C4WR:shL/rOA2aDVdEnh8WKu6j11sm
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........a....@...@...@#r.@...@#r.@0..@#r.@...@...@...@...@...@...@...@...@...@...@...@r..A...@r..A...@r..A...@e..A...@e..@...@...@...

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API Security Software Discovery
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	Security Software Discovery
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
Detected potential crypto function	System Summary	Security Software Discovery Archive Collected Data Encrypted Channel
Found large amount of non-executed APIs	Malware Analysis System Evasion
PE / OLE file has an invalid certificate	System Summary	Security Software Discovery File and Directory Discovery
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API Security Software Discovery System Information Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	Security Software Discovery File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Creates temporary files	System Summary	Security Software Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
Enumerates the file system	Spreading, Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\Desktop\Label.exe

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\Desktop\Label.exe
Category:	dropped
Dump:	Label.exe.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\System32\cmd.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	1.6644977792004616
Encrypted:	false
Ssdeep:	3:xyn:gn
Size:	7
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging	Security Software Discovery
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Found large amount of non-executed APIs	Malware Analysis System Evasion
PE / OLE file has an invalid certificate	System Summary
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Information Discovery System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary	System Information Discovery
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\temp\192.168.2.5\c.tmp

GIF image data, version 89a, 20545 x 7507

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\temp\192.168.2.5\c.tmp
Category:	dropped
Dump:	c.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\Label.exe
Type:	GIF image data, version 89a, 20545 x 7507
Entropy:	7.999971086114151
Encrypted:	true
Ssdeep:	98304:1nNMt4OEk4QD1LfAVyfaMeTBSgyDVQw31AuQX471A:1NAik4QNfwFMeTBSiiDP
Size:	5209155
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery

C:\Users\user\AppData\Local\Temp\temp\192.168.2.5\c.tmp-

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\temp\192.168.2.5\c.tmp-
Category:	dropped
Dump:	c.tmp-.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Label.exe
Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	7.999970639752912
Encrypted:	true
Ssdeep:	98304:FnNMt4OEk4QD1LfAVyfaMeTBSgyDVQw31AuQX471AJ:FNAik4QNfwFMeTBSiiDPU
Size:	5208876
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\temp\192.168.2.5\c.tmp~

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\temp\192.168.2.5\c.tmp~
Category:	dropped
Dump:	c.tmp~.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Label.exe
Type:	data
Entropy:	6.121611638874144
Encrypted:	false
Ssdeep:	393216:S4exspmNOEmwp15YBV6w9NOEmwGQA7L6oQ+oOEmwV3Lx:S4exspmNOEmwp15YBV6w9NOEmwGQA7Lg
Size:	20652840
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery

C:\Users\user\AppData\Local\Temp\~E52D1ACF.tmp

Zip archive data, at least v2.0 to extract, compression method=store

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\~E52D1ACF.tmp
Category:	dropped
Dump:	~E52D1ACF.tmp.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\Label.exe
Type:	Zip archive data, at least v2.0 to extract, compression method=store
Entropy:	7.999963265858713
Encrypted:	true
Ssdeep:	98304:jICnc/LUeqT15hUaIq3CmeEuzEHvlfQ6H4q2w2uvWkVkkVExk:ctmTPeaIq3CuqmvW6H4uHWOOk
Size:	5210232
Whitelisted:	false
Reputation:	low

\Device\Null

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\Null
Category:	dropped
Dump:	Null.6.dr
ID:	dr_5
Target ID:	6
Process:	C:\Windows\System32\PING.EXE
Type:	ASCII text, with CRLF line terminators
Entropy:	4.937448817509359
Encrypted:	false
Ssdeep:	6:PzLSLzMRfmWxHLThx2LThx2LThx0sW26wGv+wAFeMmvVOIHJFxMVlmJHaVFEG1vv:PKMRJpTeTeT0sKvtAFSkIrxMVlmJHaVz
Size:	380
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Label.exe

"C:\Users\user\Desktop\Label.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6396
Target ID:	0
Parent PID:	1028
Name:	Label.exe
Path:	C:\Users\user\Desktop\Label.exe
Commandline:	"C:\Users\user\Desktop\Label.exe"
Size:	2814800
MD5:	E12F93D462A622F32A4FF1E646549C42
Time:	03:18:00
Date:	04/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x140000000
Modulesize:	2670592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE / OLE file has an invalid certificate	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 >NUL & echo EEEE > "C:\Users\user\Desktop\Label.exe"

Details

Is windows:	true
Is dropped:	false
PID:	4444
Target ID:	4
Parent PID:	6396
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	"C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 >NUL & echo EEEE > "C:\Users\user\Desktop\Label.exe"
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	03:18:48
Date:	04/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6fee60000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\PING.EXE

ping -n 3 127.0.0.1

Details

Is windows:	true
Is dropped:	false
PID:	1440
Target ID:	6
Parent PID:	4444
Name:	PING.EXE
Class:	system-tools
Path:	C:\Windows\System32\PING.EXE
Commandline:	ping -n 3 127.0.0.1
Size:	22528
MD5:	2F46799D79D22AC72C241EC0322B011D
Time:	03:18:49
Date:	04/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7cbe80000
Modulesize:	45056
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Uses ping.exe to check the status of other devices and networks	Networking	System Network Configuration Discovery Remote System Discovery
Uses ping.exe to sleep	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4068
Target ID:	5
Parent PID:	4444
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	03:18:49
Date:	04/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

IPs

Domain

Country

Malicious

127.0.0.1

unknown

Details

IP:	127.0.0.1
TargetID:	6
Current Path:	C:\Windows\System32\PING.EXE
Private:	true

Signature Hits	Behavior Group	Mitre Attack
Uses ping.exe to check the status of other devices and networks	Networking	System Network Configuration Discovery Remote System Discovery
Uses ping.exe to sleep	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

25D1000

heap

page read and write

140000000

unkown

page readonly

4B4000

heap

page read and write

6DE000

stack

page read and write

48C000

heap

page read and write

61185FF000

stack

page read and write

22E557E5000

heap

page read and write

2B0F000

stack

page read and write

49A000

heap

page read and write

1401AF000

unkown

page read and write

1D0000

heap

page read and write

290E000

stack

page read and write

140000000

unkown

page readonly

140278000

unkown

page readonly

4BC000

heap

page read and write

25D7000

heap

page read and write

416000

heap

page read and write

140260000

unkown

page read and write

2C0C000

stack

page read and write

190000

heap

page read and write

61184FF000

unkown

page read and write

611817C000

stack

page read and write

120000

stack

page read and write

2035000

heap

page read and write

22E55A80000

heap

page read and write

140001000

unkown

page execute read

1FC1000

direct allocation

page execute and read and write

2014000

direct allocation

page execute and read and write

1401AF000

unkown

page write copy

140001000

unkown

page execute read

140250000

unkown

page read and write

25D0000

heap

page read and write

22E557A0000

heap

page read and write

213F000

stack

page read and write

487000

heap

page read and write

140262000

unkown

page readonly

22E557CA000

heap

page read and write

22E55A85000

heap

page read and write

140262000

unkown

page readonly

1A0000

heap

page read and write

49A000

heap

page read and write

22E55990000

heap

page read and write

25D1000

heap

page read and write

25CF000

stack

page read and write

140278000

unkown

page readonly

22E557C0000

heap

page read and write

410000

heap

page read and write

2030000

heap

page read and write

487000

heap

page read and write

22E55790000

heap

page read and write

4B7000

heap

page read and write

140251000

unkown

page write copy

22E55A90000

heap

page read and write

44B000

heap

page read and write

7DE000

stack

page read and write

41B000

heap

page read and write

2180000

heap

page read and write

1F80000

direct allocation

page execute and read and write

49E000

heap

page read and write

48B000

heap

page read and write

25E9000

heap

page read and write

14024F000

unkown

page write copy

2A0E000

stack

page read and write

22E557E6000

heap

page read and write

There are 54 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Label.exe

Files

Processes

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportLabel.exe

Files

Processes

IPs

Memdumps

IOC Report
Label.exe