Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Set-up.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	2.7822577969630338
Filename:	Set-up.exe
Filesize:	9979904
MD5:	aa8809ce5384175be7c0efb2604787f6
SHA1:	4cfdea7c7b47f16e767901d733be97a6635fd455
SHA256:	78e8980aa18bea446cd21ba2c19fa7a3f79fafb3d713e03376d691900bf9d24e
SHA512:	20951db2274ea7d0456509adf85f162fea3770e362ccee4c0dcc57f721da469b98faada08e3f21927a6de9943384761725ba3a619f33b022c72bf6d4e75227a0
SSDEEP:	49152:WZ+hf/Tx8kxnYWQenEYez4gHTBF9NiqaSDT8:Yuf/tDhYL8vQ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,..f...............(..,..D...............0,...@.......................................@... ......................0..B..

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Drops large PE files	System Summary
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Contains capabilities to detect virtual machines	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
PE file contains sections with non-standard names	Data Obfuscation
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\service123.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\service123.exe
Category:	dropped
Dump:	service123.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Set-up.exe
Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	0.0023404957167422586
Encrypted:	false
Size:	314617856
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Native API
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to register its own exception handler	Anti Debugging
Creates mutexes	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\HwYuaUvXqdEkCixuJard.dll

PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\HwYuaUvXqdEkCixuJard.dll
Category:	dropped
Dump:	HwYuaUvXqdEkCixuJard.dll.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Set-up.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	0.05440071376348931
Encrypted:	false
Ssdeep:	24576:UrAG1Bm/PeTvaTFOXGT+ZBQUGDXo2yWNnREdP1YX/uHJ0H8wsi:/eGjIWNn0PeXhHD
Size:	315803136
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Set-up.exe

"C:\Users\user\Desktop\Set-up.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6244
Target ID:	0
Parent PID:	4004
Name:	Set-up.exe
Path:	C:\Users\user\Desktop\Set-up.exe
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Size:	9979904
MD5:	AA8809CE5384175BE7C0EFB2604787F6
Time:	08:44:32
Date:	04/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xb30000
Modulesize:	10010624
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Yara detected Cryptbot	Stealing of Sensitive Information, Remote Access Functionality
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\service123.exe

"C:\Users\user\AppData\Local\Temp\service123.exe"

Details

Is windows:	false
Is dropped:	true
PID:	5608
Target ID:	4
Parent PID:	6244
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Size:	314617856
MD5:	49859361F2114985E390C5057AAADD9A
Time:	08:45:34
Date:	04/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1e0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Details

Is windows:	true
Is dropped:	false
PID:	2748
Target ID:	5
Parent PID:	6244
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	08:45:35
Date:	04/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa60000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\/service123.exe

Details

Is windows:	false
Is dropped:	true
PID:	3512
Target ID:	7
Parent PID:	1064
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Size:	314617856
MD5:	49859361F2114985E390C5057AAADD9A
Time:	08:45:37
Date:	04/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x1e0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\/service123.exe

Details

Is windows:	false
Is dropped:	true
PID:	6888
Target ID:	8
Parent PID:	1064
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Size:	314617856
MD5:	49859361F2114985E390C5057AAADD9A
Time:	08:46:02
Date:	04/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x1e0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4560
Target ID:	6
Parent PID:	2748
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	08:45:35
Date:	04/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

analforeverlovyu.top

fiftvx15pt.top

https://ac.ecosia.org/autocomplete?q=

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://gcc.gnu.org/bugs/):

unknown

https://duckduckgo.com/ac/?q=

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://serviceupdate32.com/update

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://www.ecosia.org/newtab/

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

http://fiftvx15pt.top/v1/u/

unknown

There are 4 hidden URLs, click here to show them.

Domains

Name

Malicious

fiftvx15pt.top

185.244.181.140

Details

Name:	fiftvx15pt.top
IP:	185.244.181.140
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

185.244.181.140

fiftvx15pt.top

Russian Federation

Details

IP:	185.244.181.140
TargetID:	0
Current Path:	C:\Users\user\Desktop\Set-up.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	44901
ASN name:	BELCLOUDBG
Private:	false
Domain:	fiftvx15pt.top

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

445D000

heap

page read and write

2E10000

heap

page read and write

B31000

unkown

page execute read

1477000

unkown

page readonly

3939000

heap

page read and write

380000

heap

page read and write

7CE000

stack

page read and write

3939000

heap

page read and write

3890000

heap

page read and write

1F1000

unkown

page readonly

1880000

heap

page read and write

17CE000

heap

page read and write

1E1000

unkown

page execute read

770000

heap

page read and write

175B000

heap

page read and write

394B000

heap

page read and write

1700000

remote allocation

page read and write

1749000

heap

page read and write

1768000

heap

page read and write

DAB7000

heap

page read and write

6C889000

unkown

page read and write

780000

heap

page read and write

3944000

heap

page read and write

6C888000

unkown

page readonly

3CE000

stack

page read and write

3914000

heap

page read and write

301A000

heap

page read and write

3850000

heap

page read and write

1EA000

unkown

page readonly

9F7000

heap

page read and write

1E0000

unkown

page readonly

EF4000

unkown

page read and write

174E000

heap

page read and write

1474000

unkown

page read and write

1720000

heap

page read and write

1EA000

unkown

page readonly

178E000

heap

page read and write

DABD000

heap

page read and write

1E0000

unkown

page readonly

178A000

heap

page read and write

172E000

heap

page read and write

2BAA000

stack

page read and write

370000

heap

page read and write

16B4000

stack

page read and write

464F000

stack

page read and write

1143000

unkown

page read and write

1760000

heap

page read and write

1464000

unkown

page readonly

38FB000

heap

page read and write

1155000

unkown

page read and write

3FCE000

stack

page read and write

71B000

stack

page read and write

484F000

stack

page read and write

1EA000

unkown

page readonly

18A5000

heap

page read and write

114A000

unkown

page read and write

1754000

heap

page read and write

2F9F000

unkown

page read and write

DCE0000

heap

page read and write

13BA000

heap

page read and write

1796000

heap

page read and write

3940000

heap

page read and write

CEF000

stack

page read and write

1139000

unkown

page read and write

390F000

heap

page read and write

13B0000

heap

page read and write

3939000

heap

page read and write

3891000

heap

page read and write

DAB0000

heap

page read and write

113B000

unkown

page read and write

F34000

unkown

page read and write

1477000

unkown

page readonly

37CB000

stack

page read and write

10F9000

unkown

page read and write

1E1000

unkown

page execute read

D97000

heap

page read and write

1EE000

unkown

page read and write

424D000

stack

page read and write

11B8000

unkown

page read and write

1F1000

unkown

page readonly

314E000

stack

page read and write

1885000

heap

page read and write

DAEF000

heap

page read and write

16B7000

stack

page read and write

6C760000

unkown

page readonly

B31000

unkown

page execute read

1F1000

unkown

page readonly

3911000

heap

page read and write

115B000

unkown

page read and write

1EA000

unkown

page readonly

3939000

heap

page read and write

15CF000

stack

page read and write

DACD000

heap

page read and write

3010000

heap

page read and write

38A9000

heap

page read and write

7E0000

heap

page read and write

13F9000

unkown

page read and write

B30000

unkown

page readonly

BFC000

stack

page read and write

1775000

heap

page read and write

DE70000

heap

page read and write

38FB000

heap

page read and write

393E000

heap

page read and write

1E0000

unkown

page readonly

DF3000

unkown

page write copy

13BE000

heap

page read and write

302E000

heap

page read and write

2E60000

heap

page read and write

1EE000

unkown

page write copy

D0E000

stack

page read and write

2B6D000

stack

page read and write

2FDE000

stack

page read and write

1884000

heap

page read and write

1EE000

unkown

page write copy

DAD3000

heap

page read and write

185D000

stack

page read and write

DAC4000

heap

page read and write

32F0000

heap

page read and write

3B8D000

stack

page read and write

1EE000

unkown

page read and write

1148000

unkown

page read and write

176A000

heap

page read and write

38BB000

heap

page read and write

1EE000

unkown

page read and write

113F000

unkown

page read and write

3939000

heap

page read and write

DAD5000

heap

page read and write

3891000

heap

page read and write

172A000

heap

page read and write

DADB000

heap

page read and write

7EE000

stack

page read and write

D10000

heap

page read and write

DCEA000

heap

page read and write

12D0000

heap

page read and write

2E80000

heap

page read and write

38AE000

heap

page read and write

DAC7000

heap

page read and write

1EA000

unkown

page readonly

1EE000

unkown

page write copy

2E5E000

unkown

page read and write

7FC000

stack

page read and write

3899000

heap

page read and write

1768000

heap

page read and write

31C000

stack

page read and write

444E000

stack

page read and write

1AEE000

unkown

page read and write

108F000

stack

page read and write

3950000

heap

page read and write

DAB1000

heap

page read and write

6C761000

unkown

page execute read

1773000

heap

page read and write

1464000

unkown

page readonly

1E1000

unkown

page execute read

DE0000

heap

page read and write

73C000

stack

page read and write

1699000

stack

page read and write

3934000

heap

page read and write

1754000

heap

page read and write

3944000

heap

page read and write

940000

heap

page read and write

1E1000

unkown

page execute read

1E1000

unkown

page execute read

3911000

heap

page read and write

DAB7000

heap

page read and write

390F000

heap

page read and write

3DCD000

stack

page read and write

1E1000

unkown

page execute read

3940000

heap

page read and write

DAD0000

heap

page read and write

6C83F000

unkown

page readonly

1F1000

unkown

page readonly

DB89000

heap

page read and write

1390000

heap

page read and write

1775000

heap

page read and write

1E0000

unkown

page readonly

3891000

heap

page read and write

393F000

heap

page read and write

1AAE000

stack

page read and write

3D0000

heap

page read and write

7F0000

heap

page read and write

3900000

heap

page read and write

4A4C000

stack

page read and write

1700000

remote allocation

page read and write

6C83D000

unkown

page read and write

1EA000

unkown

page readonly

3911000

heap

page read and write

11FC000

stack

page read and write

DF3000

unkown

page read and write

1700000

remote allocation

page read and write

7A0000

heap

page read and write

1775000

heap

page read and write

DF0000

heap

page read and write

770000

heap

page read and write

1F1000

unkown

page readonly

E585000

heap

page read and write

1474000

unkown

page write copy

D90000

heap

page read and write

393E000

heap

page read and write

16FD000

stack

page read and write

9F0000

heap

page read and write

1C7E000

stack

page read and write

DD93000

heap

page read and write

420F000

stack

page read and write

3891000

heap

page read and write

400E000

stack

page read and write

D8A2000

heap

page read and write

18A0000

heap

page read and write

3D8D000

stack

page read and write

1E0000

unkown

page readonly

1F1000

unkown

page readonly

B30000

unkown

page readonly

D8C000

stack

page read and write

6C88C000

unkown

page readonly

1E0000

unkown

page readonly

There are 204 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Set-up.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSet-up.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Set-up.exe