Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

antispam.exe

PE32+ executable (GUI) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	6.463866558170516
Filename:	antispam.exe
Filesize:	50688
MD5:	e5ad838952e63778a5708d2efc4cda86
SHA1:	1a3f14465460a61e012d11cccf301424f2c0f11d
SHA256:	e3f10c90a0614e13074f69193a9bd3310332392d17c52fbe6596fd6596327811
SHA512:	767ff630d87accf56e4fdb0d7960965df24dd1dd58d69ba49ec46a210e9ee92e30fd983cea3b74bd843a6ce16a66357b0c64996a066f17059c0b7f81e15217a5
SSDEEP:	384:AGzr3q+r7bHNgQMIVVheHRzfl/FG5G9Nt3X9IMha/zA3unQE5NAQlWa8tWyEeSy3:fHSFX9VvQlotWSlcpzJLtOfR3
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........O].l!..l!..l!......l!..."..l!...%..l!...$..l!...%..l!... ..l!... ..l!..l ..l!...(..l!......l!..l...l!...#..l!.Rich.l!........

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts Access Token Manipulation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary
Found GUI installer (many successful clicks)	System Summary

C:\Users\user\AppData\Local\Temp\qwertyuio.txt

data

modified

Details

File:	C:\Users\user\AppData\Local\Temp\qwertyuio.txt
Category:	modified
Dump:	qwertyuio.txt.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\antispam.exe
Type:	data
Entropy:	3.312724115767823
Encrypted:	false
Ssdeep:	96:7Uq/xI/fLgKK8w6hyBi31/Q4o4h4l4LN4eb2ETdSqkhtn3G0Bca5tau6NEB/fLtU:lxqfLGyVihiv
Size:	11408
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\antispam.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.450638024403666
Encrypted:	false
Ssdeep:	24:XtwtIviRcd9lyXR7FGx9ApO77v09+ONoPmvx8P7WV4+MBSf4q+erUsDyN7Y/Y99/:hryBkF3U4FCdjUl2vAhikwO
Size:	3663
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

cmd.exe /c systeminfo

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\systeminfo.exe

systeminfo

C:\Windows\System32\cmd.exe

cmd.exe /c route print

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

cmd.exe /c ipconfig /all

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\ipconfig.exe

ipconfig /all

C:\Users\user\Desktop\antispam.exe

"C:\Users\user\Desktop\antispam.exe"

C:\Windows\System32\wbem\WmiPrvSE.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\ROUTE.EXE

route print

There are 2 hidden processes, click here to show them.

Registry

Path

Value

Malicious

HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\24\417C44EB

@%SystemRoot%\system32\mlang.dll,-4387

HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\24\417C44EB

@%SystemRoot%\system32\mlang.dll,-4407

Memdumps

Base Address

Regiontype

Protect

Malicious

202CB9C0000

heap

page read and write

1F553A58000

heap

page read and write

202CB83B000

heap

page read and write

3DD3FAD000

stack

page read and write

202CB810000

heap

page read and write

7FF6A1F71000

unkown

page execute read

9E196FE000

stack

page read and write

202CB86D000

heap

page read and write

202CB85E000

heap

page read and write

202CB85C000

heap

page read and write

22AFC160000

heap

page read and write

1F553A6A000

heap

page read and write

202CB859000

heap

page read and write

7FF6A1F78000

unkown

page write copy

202CB859000

heap

page read and write

1F553A5E000

heap

page read and write

202CB836000

heap

page read and write

1F5558D0000

heap

page read and write

22AFC060000

heap

page read and write

1F5553A5000

heap

page read and write

202CB859000

heap

page read and write

7FF6A1F75000

unkown

page readonly

3DD427F000

stack

page read and write

1F5539C0000

heap

page read and write

202CB863000

heap

page read and write

7FF6A1F79000

unkown

page readonly

202CB835000

heap

page read and write

202CB859000

heap

page read and write

7FF6A1F75000

unkown

page readonly

202CB845000

heap

page read and write

22AFC069000

heap

page read and write

202CB835000

heap

page read and write

22AFC180000

heap

page read and write

202CB843000

heap

page read and write

1F553950000

heap

page read and write

682807E000

stack

page read and write

22AFC2F5000

heap

page read and write

22AFC07C000

heap

page read and write

202CB867000

heap

page read and write

1F5553AA000

heap

page read and write

6827D1E000

stack

page read and write

202CB845000

heap

page read and write

22AFBF70000

heap

page read and write

6827D9E000

stack

page read and write

202CB859000

heap

page read and write

1F5553A0000

heap

page read and write

7FF6A1F70000

unkown

page readonly

1F553A39000

heap

page read and write

9E195FE000

stack

page read and write

7FF6A1F79000

unkown

page readonly

9E192F8000

stack

page read and write

1F557030000

trusted library allocation

page read and write

1F553A1B000

heap

page read and write

1F5539F3000

heap

page read and write

3DD42FF000

stack

page read and write

202CB9C5000

heap

page read and write

1F553A10000

heap

page read and write

6827C9B000

stack

page read and write

7FF6A1F71000

unkown

page execute read

202CB83B000

heap

page read and write

7FF6A1F70000

unkown

page readonly

202CB817000

heap

page read and write

1F553A5B000

heap

page read and write

202CB6F0000

heap

page read and write

1F555580000

heap

page read and write

202CB859000

heap

page read and write

1F5539F0000

heap

page read and write

202CB7F0000

heap

page read and write

22AFC2F0000

heap

page read and write

1F553870000

heap

page read and write

7FF6A1F78000

unkown

page read and write

68280FF000

stack

page read and write

202CB7D0000

heap

page read and write

1F553980000

heap

page read and write

682817E000

stack

page read and write

There are 65 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
antispam.exe

Files

Processes

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportantispam.exe

Files

Processes

Registry

Memdumps

IOC Report
antispam.exe