Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Bzw4UJiXNj.exe

PE32+ executable (GUI) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	6.694905962044059
Filename:	Bzw4UJiXNj.exe
Filesize:	536027
MD5:	4b61a3d79a892267bf6e76a54e188cc0
SHA1:	e1dc7ad66e65bf5ca6701eb224d11761c56b1288
SHA256:	6bff92bd6fb84f1a453ead8ef017b6ae42a78b7fbbbd6414ec8a9cd669bf3b05
SHA512:	4970d37d95accc39709886f45125a3059e58c4dc91dee46591737ad0279efb8f395625fff67a0daa30a6f8b29f79af13aeadf71c2b9f18844a2883e004b06884
SSDEEP:	12288:wyveQB/fTHIGaPkKEYzURNAwbAg6c0tY0BfYM:wuDXTIGaPhEYzUzA0L0thBfV
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
File is packed with WinRar	Data Obfuscation	Software Packing Security Software Discovery
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information Security Software Discovery
Checks the free space of harddrives	Malware Analysis System Evasion
Contains functionality for error logging	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Creates temporary files	System Summary	Security Software Discovery
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary	Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe
Category:	dropped
Dump:	Icon-https.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Bzw4UJiXNj.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.32292825214426
Encrypted:	false
Ssdeep:	1536:IPoaiZ2dMsk7otVGNvoBGZ063+GsWOVMb+KR0Nc8QsJq39:W1c2dZtM68063fee0Nc8QsC9
Size:	73802
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Metasploit Payload	Remote Access Functionality
Yara detected Metasploit Payload	Remote Access Functionality
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\RarSFX0\microsoft_office_word_logo_icon_145724.ico

MS Windows icon resource - 1 icon, -128x-128, 32 bits/pixel

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\RarSFX0\microsoft_office_word_logo_icon_145724.ico
Category:	dropped
Dump:	microsoft_office_word_logo_icon_145724.ico.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\Bzw4UJiXNj.exe
Type:	MS Windows icon resource - 1 icon, -128x-128, 32 bits/pixel
Entropy:	4.599798862733515
Encrypted:	false
Ssdeep:	384:J55555555555555555555555555555555555555555555555555555555555555V:/vmmmmmuRb+PtPdOvJ
Size:	67646
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\RarSFX0\microsoft_office_word_logo_icon_145724.png

PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\RarSFX0\microsoft_office_word_logo_icon_145724.png
Category:	dropped
Dump:	microsoft_office_word_logo_icon_145724.png.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Bzw4UJiXNj.exe
Type:	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
Entropy:	7.50179523733628
Encrypted:	false
Ssdeep:	192:YzQMA0Eh3B9aSl7Kq+ZmpImcQORPMJ6aUbbRMQMzwySd5mIOumCU4B:YcN9j7KqNljJ5Ujmib
Size:	10713
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Bzw4UJiXNj.exe

"C:\Users\user\Desktop\Bzw4UJiXNj.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3632
Target ID:	0
Parent PID:	4004
Name:	Bzw4UJiXNj.exe
Path:	C:\Users\user\Desktop\Bzw4UJiXNj.exe
Commandline:	"C:\Users\user\Desktop\Bzw4UJiXNj.exe"
Size:	536027
MD5:	4B61A3D79A892267BF6E76A54E188CC0
Time:	23:08:55
Date:	07/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff646d80000
Modulesize:	552960
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

URLs

Name

Malicious

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.apache.org/

unknown

http://www.zeustech.net/

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\1e\417C44EB

@%SystemRoot%\System32\ndfapi.dll,-40001

Memdumps

Base Address

Regiontype

Protect

Malicious

2794DB70000

heap

page read and write

2794DB64000

heap

page read and write

2794B936000

heap

page read and write

27949985000

heap

page read and write

27949B6E000

heap

page read and write

2794B933000

heap

page read and write

2794DB6B000

heap

page read and write

7FF646D80000

unkown

page readonly

2794DCA5000

heap

page read and write

2794994D000

heap

page read and write

2794DB91000

heap

page read and write

2794DB25000

heap

page read and write

2794994D000

heap

page read and write

2794DCA5000

heap

page read and write

2794B830000

heap

page read and write

2794DAE3000

heap

page read and write

2794B6A0000

heap

page read and write

2794DCA5000

heap

page read and write

2794DB61000

heap

page read and write

2794992D000

heap

page read and write

2794999C000

heap

page read and write

27949B65000

heap

page read and write

2794DBA0000

heap

page read and write

7FF646D80000

unkown

page readonly

2794DCA5000

heap

page read and write

BDD95FB000

stack

page read and write

2794997C000

heap

page read and write

2794DB99000

heap

page read and write

BDD8EFD000

stack

page read and write

2794DB24000

heap

page read and write

27949964000

heap

page read and write

27949969000

heap

page read and write

2794DB24000

heap

page read and write

279499C2000

heap

page read and write

27949992000

heap

page read and write

7FF646DEA000

unkown

page readonly

2794DA67000

heap

page read and write

2794DB7F000

heap

page read and write

27949942000

heap

page read and write

2794DB78000

heap

page read and write

2794992E000

heap

page read and write

2794D090000

trusted library allocation

page read and write

7FF646DEA000

unkown

page readonly

7FF646DC8000

unkown

page readonly

279498D0000

heap

page readonly

27949937000

heap

page read and write

2794DB60000

heap

page read and write

27949907000

heap

page read and write

2794997C000

heap

page read and write

27949AE0000

heap

page read and write

2794D890000

heap

page read and write

2794994D000

heap

page read and write

2794DB79000

heap

page read and write

2794DB78000

heap

page read and write

2794999D000

heap

page read and write

2794B6E0000

heap

page read and write

27949967000

heap

page read and write

2794DB85000

heap

page read and write

2794DB6F000

heap

page read and write

279499E4000

heap

page read and write

279499E2000

heap

page read and write

2794994D000

heap

page read and write

7FF646DE4000

unkown

page read and write

7FF646DEF000

unkown

page readonly

2794D09E000

heap

page read and write

2794DB71000

heap

page read and write

2794DB71000

heap

page read and write

7FF646DDB000

unkown

page write copy

2794DB83000

heap

page read and write

27949926000

heap

page read and write

BDD8BA5000

stack

page read and write

27949992000

heap

page read and write

27949985000

heap

page read and write

27949994000

heap

page read and write

27949996000

heap

page read and write

2794B651000

trusted library allocation

page read and write

2794DB71000

heap

page read and write

2794DB76000

heap

page read and write

279499E2000

heap

page read and write

2794DB8A000

heap

page read and write

2794DB70000

heap

page read and write

279498F0000

heap

page read and write

279499A2000

heap

page read and write

2794DAA2000

heap

page read and write

2794DCA8000

heap

page read and write

BDD93FB000

stack

page read and write

BDD96FC000

stack

page read and write

2794DB25000

heap

page read and write

7FF646DDB000

unkown

page read and write

2794993A000

heap

page read and write

BDD91FE000

stack

page read and write

27949900000

heap

page read and write

279499E2000

heap

page read and write

7FF646D81000

unkown

page execute read

2794DA61000

heap

page read and write

2794993A000

heap

page read and write

2794DB96000

heap

page read and write

2794DB88000

heap

page read and write

2794DB25000

heap

page read and write

2794DB73000

heap

page read and write

27949992000

heap

page read and write

2794DB99000

heap

page read and write

2794999D000

heap

page read and write

2794DB76000

heap

page read and write

7FF646DEE000

unkown

page write copy

2794B6E4000

heap

page read and write

2794DB24000

heap

page read and write

27949B60000

heap

page read and write

2794DB7D000

heap

page read and write

27949987000

heap

page read and write

2794993A000

heap

page read and write

2794997C000

heap

page read and write

2794994D000

heap

page read and write

27949969000

heap

page read and write

BDD8B9F000

stack

page read and write

2794998F000

heap

page read and write

7FF646DEE000

unkown

page readonly

2794DAE2000

heap

page read and write

2794999E000

heap

page read and write

2794997C000

heap

page read and write

27949925000

heap

page read and write

279499E2000

heap

page read and write

27949942000

heap

page read and write

BDD8FFE000

stack

page read and write

279498C0000

heap

page read and write

7FF646D81000

unkown

page execute read

27949942000

heap

page read and write

7FF646DC8000

unkown

page readonly

2794DB7B000

heap

page read and write

2794DB88000

heap

page read and write

BDD92FE000

stack

page read and write

27949922000

heap

page read and write

2794DB65000

heap

page read and write

2794D097000

heap

page read and write

2794DB23000

heap

page read and write

2794997C000

heap

page read and write

27949983000

heap

page read and write

27949AC0000

heap

page read and write

2794B930000

trusted library allocation

page read and write

27949944000

heap

page read and write

2794DB62000

heap

page read and write

BDD94FF000

stack

page read and write

2794DB99000

heap

page read and write

27949941000

heap

page read and write

279499E2000

heap

page read and write

2794B930000

heap

page read and write

27949987000

heap

page read and write

2794993B000

heap

page read and write

2794DCA5000

heap

page read and write

2794DB85000

heap

page read and write

2794B66A000

trusted library allocation

page read and write

2794DA60000

heap

page read and write

2794998F000

heap

page read and write

2794993A000

heap

page read and write

2794DAA1000

heap

page read and write

There are 145 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Bzw4UJiXNj.exe

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportBzw4UJiXNj.exe

Files

Processes

URLs

Registry

Memdumps

IOC Report
Bzw4UJiXNj.exe