Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

-pdf.bat.exe

PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy:	7.064447166020408
Filename:	-pdf.bat.exe
Filesize:	915912
MD5:	c8c2fa1b682b0bca8ed9de83455e8977
SHA1:	ff96ea1f052d0e7745a4fe30bacb8362ea57ba2c
SHA256:	4af23250a740fc8e855879c8f0492b8be3613ef015db4347d14885f57e25ee93
SHA512:	d692404d369b4755e760599a50078f0240dd3a5af2af5953ad86d00eaa788c812bed59b22f19c1251bdd192a8d81a10c4d10ec9cc6a15b1e7a44bfb51c20c258
SSDEEP:	24576:ZFZsHTO9u9XKhrmod1RYTy7OQJs+45oi4:Z3n9i61RYeiQJBGf4
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3.;!wuUrwuUrwuUr<.QsuuUr<.SsvuUr<.TsxuUrwuTr.uUr..Qs\|uUr...rvuUr..WsvuUrRichwuUr........................PE..L...*..c...........

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion	Native API Security Software Discovery
Abnormal high CPU Usage	System Summary	Access Token Manipulation
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found evaded block containing many API calls	Malware Analysis System Evasion	Access Token Manipulation
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Masquerading
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Program exit points	Malware Analysis System Evasion
Reads ini files	System Summary
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\AppData\Local\Anvilled\Baadehavnes.Ugo

data

dropped

Details

File:	C:\Users\user\AppData\Local\Anvilled\Baadehavnes.Ugo
Category:	dropped
Dump:	Baadehavnes.Ugo.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\-pdf.bat.exe
Type:	data
Entropy:	4.599221882863509
Encrypted:	false
Ssdeep:	3072:auH/EMGAIZ02UvVMGQHl0HrpFkCd3/z9M:JHwAIqV4F0HdFk4y
Size:	153292
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Anvilled\Martyrizations.Sim

data

dropped

Details

File:	C:\Users\user\AppData\Local\Anvilled\Martyrizations.Sim
Category:	dropped
Dump:	Martyrizations.Sim.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\-pdf.bat.exe
Type:	data
Entropy:	7.653699193742095
Encrypted:	false
Ssdeep:	6144:UL2HS/TAnZUvR3jz2Fwo5jCBVy7b4tqdG8lI08e9N1lr9ITNdfOHNkX0KVSb:UL2HS/q6vR33A5mzy7bpG6l2TNdfO+Hq
Size:	355536
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Anvilled\Opsamlingsbeholdere119.bes

data

dropped

Details

File:	C:\Users\user\AppData\Local\Anvilled\Opsamlingsbeholdere119.bes
Category:	dropped
Dump:	Opsamlingsbeholdere119.bes.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\-pdf.bat.exe
Type:	data
Entropy:	1.2524422116890421
Encrypted:	false
Ssdeep:	768:r1/VRVN7GaY97mbexftA4Z+RRCLDHuPxfARLhzR+9wBhtOxALX5Wa/5X6dJddvt2:LMxA4/Lf6dHgeGxN37ruZwuLi+OLj
Size:	415743
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Anvilled\ammunitionsfabrikken.txt

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Anvilled\ammunitionsfabrikken.txt
Category:	dropped
Dump:	ammunitionsfabrikken.txt.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\-pdf.bat.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.25510206166015
Encrypted:	false
Ssdeep:	12:jXkvaDziGwRUF27KIqXVskejAECJX7lIHLGsvxAtbH1PIwp5Ayq1Bglj4UriJxMJ:jErRUWOjEM7lYLj5AtbB1Bq1U8hJxMJ
Size:	624
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Anvilled\teleph.all

data

dropped

Details

File:	C:\Users\user\AppData\Local\Anvilled\teleph.all
Category:	dropped
Dump:	teleph.all.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Users\user\Desktop\-pdf.bat.exe
Type:	data
Entropy:	1.2455738850105664
Encrypted:	false
Ssdeep:	768:kFtpdTjsz/zhmhiCGrJI7rqVQuEB7QCGqvL2f0SQ1E2IC67MpqrchPadg+nlwAGP:mPGDDdQxvn1Xmrizhj8H3hE3MA
Size:	315351
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\nsbF5BA.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nsbF5BA.tmp
Category:	dropped
Dump:	nsbF5BA.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\-pdf.bat.exe
Type:	data
Entropy:	3.9929201101659686
Encrypted:	false
Ssdeep:	12288:JL2HS/q6vR33A5mzy7bpG6l2TNdfO+H43XREQABQtA:JL2HS/q6vR33GBpBudfO+H4REqA
Size:	1261154
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\nsk89.tmp\System.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

modified

Details

File:	C:\Users\user\AppData\Local\Temp\nsk89.tmp\System.dll
Category:	modified
Dump:	System.dll.0.dr
ID:	dr_6
Target ID:	0
Process:	C:\Users\user\Desktop\-pdf.bat.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	5.9764977667479
Encrypted:	false
Ssdeep:	192:CVA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:CrR7SrtTv53tdtTgwF4SQbGPX36wJMw
Size:	12288
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\-pdf.bat.exe

"C:\Users\user\Desktop\-pdf.bat.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7644
Target ID:	0
Parent PID:	4056
Name:	-pdf.bat.exe
Path:	C:\Users\user\Desktop\-pdf.bat.exe
Commandline:	"C:\Users\user\Desktop\-pdf.bat.exe"
Size:	915912
MD5:	C8C2FA1B682B0BCA8ED9DE83455E8977
Time:	05:21:10
Date:	04/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	696320
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

URLs

Name

Malicious

http://nsis.sf.net/NSIS_ErrorError

unknown

Domains

Name

Malicious

s-part-0017.t-0009.fb-t-msedge.net

13.107.253.45

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\factorised\afrohaar

bytteret

HKEY_CURRENT_USER\atomforsgsstation\hydramnios

spenderingerne

Memdumps

Base Address

Regiontype

Protect

Malicious

54C5000

direct allocation

page execute and read and write

19A000

stack

page read and write

864000

heap

page read and write

427000

unkown

page read and write

6A0000

heap

page read and write

408000

unkown

page readonly

40A000

unkown

page read and write

70440000

unkown

page readonly

4990000

heap

page read and write

287E000

heap

page read and write

5EC5000

direct allocation

page execute and read and write

48E000

unkown

page readonly

2788000

heap

page read and write

49A0000

trusted library allocation

page read and write

70446000

unkown

page readonly

450000

unkown

page readonly

42E000

unkown

page read and write

8EB000

heap

page read and write

400000

unkown

page readonly

7B0000

heap

page read and write

44E000

unkown

page readonly

890000

heap

page read and write

610000

heap

page read and write

401000

unkown

page execute read

879000

heap

page read and write

7AF000

stack

page read and write

8DE000

heap

page read and write

8FF000

heap

page read and write

8E2000

heap

page read and write

8CF000

heap

page read and write

870000

heap

page read and write

51DC000

stack

page read and write

4B0000

heap

page read and write

6A5000

heap

page read and write

2770000

heap

page read and write

860000

heap

page read and write

52DE000

stack

page read and write

434000

unkown

page read and write

490000

unkown

page readonly

897000

heap

page read and write

2778000

heap

page read and write

490000

unkown

page readonly

70444000

unkown

page readonly

42C000

unkown

page read and write

98000

stack

page read and write

875000

heap

page read and write

408000

unkown

page readonly

52E0000

direct allocation

page execute and read and write

8D3000

heap

page read and write

400000

unkown

page readonly

44E000

unkown

page readonly

70441000

unkown

page execute read

36B0000

trusted library allocation

page read and write

31A0000

heap

page read and write

8DF000

heap

page read and write

5CE000

stack

page read and write

401000

unkown

page execute read

40A000

unkown

page write copy

8DF000

heap

page read and write

48E000

unkown

page readonly

450000

unkown

page readonly

There are 51 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
-pdf.bat.exe

Files

Processes

URLs

Domains

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report-pdf.bat.exe

Files

Processes

URLs

Domains

Registry

Memdumps

IOC Report
-pdf.bat.exe