Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ungziped_file.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.98212496391384
Filename:	ungziped_file.exe
Filesize:	698368
MD5:	8a0c4eed07d28836f39cf33bc6640940
SHA1:	281603fb0f6c50b97db2b6835762c7f5c4c6a94f
SHA256:	f7a37ab3f4c3f7e67fc347335869a9616f6658f3a45465697a58585ddb7e7caf
SHA512:	8fb0a40af99d51f1e20ef08f58d97b967480f258019d9d61de79a2f9bac59ed2042f2471348b5b530d3bb1ef71f6e755745f137faccb3259251c84beded47197
SSDEEP:	12288:Y1f0wVVYUhiFHya93Yp6jpxKtah8BrGgZreGYpYwv0WGTA4OM0G:Y1rVV/63YsKthGgZa+WYAQ0G
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...uz.g..............0.................. ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains functionality to call native functions	System Summary
Contains functionality to read the PEB	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ungziped_file.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ungziped_file.exe.log
Category:	dropped
Dump:	ungziped_file.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\ungziped_file.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\ungziped_file.exe

"C:\Users\user\Desktop\ungziped_file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5364
Target ID:	0
Parent PID:	4056
Name:	ungziped_file.exe
Path:	C:\Users\user\Desktop\ungziped_file.exe
Commandline:	"C:\Users\user\Desktop\ungziped_file.exe"
Size:	698368
MD5:	8A0C4EED07D28836F39CF33BC6640940
Time:	04:39:02
Date:	07/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xfe0000
Modulesize:	720896
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected FormBook	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\ungziped_file.exe

"C:\Users\user\Desktop\ungziped_file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7220
Target ID:	10
Parent PID:	5364
Name:	ungziped_file.exe
Path:	C:\Users\user\Desktop\ungziped_file.exe
Commandline:	"C:\Users\user\Desktop\ungziped_file.exe"
Size:	698368
MD5:	8A0C4EED07D28836F39CF33BC6640940
Time:	04:39:03
Date:	07/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xb60000
Modulesize:	720896
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected FormBook	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Memdumps

Base Address

Regiontype

Protect

Malicious

1940000

direct allocation

page read and write

400000

remote allocation

page execute and read and write

1980000

trusted library allocation

page read and write

7DFE000

stack

page read and write

38CF000

trusted library allocation

page read and write

1B17000

heap

page read and write

39CD000

trusted library allocation

page read and write

37EB000

trusted library allocation

page read and write

D9D000

stack

page read and write

171E000

heap

page read and write

7045D000

unkown

page read and write

5E7E000

heap

page read and write

1290000

heap

page read and write

394B000

trusted library allocation

page read and write

184E000

stack

page read and write

38F8000

trusted library allocation

page read and write

18B6000

direct allocation

page execute and read and write

5B90000

trusted library section

page readonly

7F730000

trusted library allocation

page execute and read and write

15D0000

heap

page read and write

1AEC000

stack

page read and write

19B0000

trusted library allocation

page read and write

45F2000

trusted library allocation

page read and write

3814000

trusted library allocation

page read and write

19FE000

stack

page read and write

38A5000

trusted library allocation

page read and write

A8AE000

stack

page read and write

5C80000

heap

page read and write

1710000

heap

page read and write

36CA000

trusted library allocation

page read and write

7D79000

trusted library allocation

page read and write

801E000

stack

page read and write

1960000

trusted library allocation

page read and write

5890000

trusted library allocation

page read and write

18BD000

direct allocation

page execute and read and write

39D4000

trusted library allocation

page read and write

7C90000

trusted library allocation

page read and write

7D80000

trusted library allocation

page read and write

1973000

trusted library allocation

page read and write

36B2000

trusted library allocation

page read and write

1992000

trusted library allocation

page read and write

3867000

trusted library allocation

page read and write

375A000

trusted library allocation

page read and write

33FD000

trusted library allocation

page read and write

1000000

heap

page read and write

171D000

direct allocation

page execute and read and write

399E000

trusted library allocation

page read and write

1997000

trusted library allocation

page execute and read and write

108E000

stack

page read and write

39D9000

trusted library allocation

page read and write

38E3000

trusted library allocation

page read and write

387C000

trusted library allocation

page read and write

3800000

trusted library allocation

page read and write

18A1000

direct allocation

page execute and read and write

5902000

trusted library allocation

page read and write

199B000

trusted library allocation

page execute and read and write

37AD000

trusted library allocation

page read and write

5880000

trusted library allocation

page read and write

5870000

trusted library allocation

page read and write

3891000

trusted library allocation

page read and write

17D2000

heap

page read and write

70456000

unkown

page readonly

33BE000

stack

page read and write

5E60000

heap

page read and write

178E000

direct allocation

page execute and read and write

1A00000

heap

page read and write

39B8000

trusted library allocation

page read and write

1751000

heap

page read and write

7B8E000

stack

page read and write

36DF000

trusted library allocation

page read and write

3708000

trusted library allocation

page read and write

33C0000

trusted library allocation

page read and write

4429000

trusted library allocation

page read and write

7EFE000

stack

page read and write

178D000

heap

page read and write

5BA0000

heap

page execute and read and write

16F0000

heap

page read and write

10C0000

heap

page read and write

5FBE000

stack

page read and write

15F0000

direct allocation

page execute and read and write

198A000

trusted library allocation

page execute and read and write

33D0000

trusted library allocation

page read and write

7B90000

heap

page read and write

1B00000

trusted library allocation

page execute and read and write

7F10000

trusted library allocation

page read and write

5D30000

trusted library allocation

page read and write

3784000

trusted library allocation

page read and write

5D40000

heap

page read and write

194E000

stack

page read and write

15E5000

heap

page read and write

37C2000

trusted library allocation

page read and write

70440000

unkown

page readonly

7D70000

trusted library allocation

page read and write

5E4D000

stack

page read and write

1090000

heap

page read and write

7F5E000

stack

page read and write

1719000

direct allocation

page execute and read and write

148F000

stack

page read and write

3731000

trusted library allocation

page read and write

158F000

stack

page read and write

3852000

trusted library allocation

page read and write

5A20000

heap

page read and write

70441000

unkown

page execute read

1190000

heap

page read and write

376F000

trusted library allocation

page read and write

7F9E000

stack

page read and write

551C000

stack

page read and write

3410000

heap

page read and write

196D000

trusted library allocation

page execute and read and write

10C8000

heap

page read and write

1990000

trusted library allocation

page read and write

11DE000

stack

page read and write

172F000

heap

page read and write

371D000

trusted library allocation

page read and write

5860000

trusted library allocation

page read and write

1964000

trusted library allocation

page read and write

7CE0000

trusted library section

page read and write

5C70000

heap

page read and write

7F12000

trusted library allocation

page read and write

A9AF000

stack

page read and write

7BA4000

heap

page read and write

1982000

trusted library allocation

page read and write

5900000

trusted library allocation

page read and write

A7AE000

stack

page read and write

10A0000

heap

page read and write

5885000

trusted library allocation

page read and write

7CA0000

trusted library allocation

page read and write

3421000

trusted library allocation

page read and write

1963000

trusted library allocation

page execute and read and write

4421000

trusted library allocation

page read and write

33DB000

trusted library allocation

page read and write

3922000

trusted library allocation

page read and write

1950000

trusted library allocation

page read and write

1938000

direct allocation

page execute and read and write

3960000

trusted library allocation

page read and write

104E000

stack

page read and write

1748000

heap

page read and write

3975000

trusted library allocation

page read and write

39D7000

trusted library allocation

page read and write

180B000

heap

page read and write

3798000

trusted library allocation

page read and write

FE2000

unkown

page readonly

1986000

trusted library allocation

page execute and read and write

7590000

heap

page read and write

1B10000

heap

page read and write

38BA000

trusted library allocation

page read and write

C9D000

stack

page read and write

58F0000

heap

page read and write

1AF0000

heap

page execute and read and write

1970000

trusted library allocation

page read and write

FE0000

unkown

page readonly

1744000

heap

page read and write

37D6000

trusted library allocation

page read and write

39D1000

trusted library allocation

page read and write

5FC0000

trusted library section

page read and write

15E0000

heap

page read and write

33F1000

trusted library allocation

page read and write

16EF000

stack

page read and write

36B7000

trusted library allocation

page read and write

390D000

trusted library allocation

page read and write

383E000

trusted library allocation

page read and write

5BEB000

stack

page read and write

59C0000

trusted library allocation

page read and write

7FDE000

stack

page read and write

76B2000

trusted library allocation

page read and write

1180000

heap

page read and write

14F7000

stack

page read and write

39A4000

trusted library allocation

page read and write

36F3000

trusted library allocation

page read and write

1753000

heap

page read and write

5910000

trusted library allocation

page execute and read and write

33F6000

trusted library allocation

page read and write

5CB5000

heap

page read and write

3746000

trusted library allocation

page read and write

5CB0000

heap

page read and write

464D000

trusted library allocation

page read and write

1119000

stack

page read and write

1A18000

trusted library allocation

page read and write

197D000

trusted library allocation

page execute and read and write

5E50000

heap

page read and write

3829000

trusted library allocation

page read and write

7DB0000

trusted library allocation

page execute and read and write

5A23000

heap

page read and write

A6AE000

stack

page read and write

33D4000

trusted library allocation

page read and write

33EE000

trusted library allocation

page read and write

7045F000

unkown

page readonly

3989000

trusted library allocation

page read and write

58B0000

trusted library allocation

page read and write

3936000

trusted library allocation

page read and write

5A00000

trusted library allocation

page execute and read and write

There are 181 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ungziped_file.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportungziped_file.exe

Files

Processes

Memdumps

IOC Report
ungziped_file.exe