Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

450707124374000811.exe

PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy:	7.7511646883690775
Filename:	450707124374000811.exe
Filesize:	1001467
MD5:	22aeab62009aaa9073b3159d7da1195e
SHA1:	602dd47b6910a522be90fc47d10d5c26a836a01a
SHA256:	1fc195e3937e7c7d9ca78f9c39f8997d5ed98fe1c608ad5c7b4a01dc24ddd967
SHA512:	057f99c072baf1b2c4aadbf5851ac90288af03d991a2b2732d2d9e3c6856a62cbb3c44416e6fb6f67e193a6e50c79d0afb8f5d61f5d9a39e903f9179850b8286
SSDEEP:	24576:8HANkRMLHpVBNAVC+qTC0otgAhHYGDL4kJiMv:8HANkRMLHf3OC+qTfPGD0aJ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...~..Y.................f.........

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection	Security Software Discovery
Multi AV Scanner detection for submitted file	AV Detection
Opens the same file many times (likely Sandbox evasion)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion	Access Token Manipulation
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion	Native API
Abnormal high CPU Usage	System Summary	Access Token Manipulation
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging	Security Software Discovery
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains functionality to call native functions	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation Security Software Discovery
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	File and Directory Discovery
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains functionality to query windows version	Language, Device and Operating System Detection
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Program exit points	Malware Analysis System Evasion
Reads ini files	System Summary
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\nsqA869.tmp\System.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nsqA869.tmp\System.dll
Category:	dropped
Dump:	System.dll.0.dr
ID:	dr_7
Target ID:	0
Process:	C:\Users\user\Desktop\450707124374000811.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	5.659026618805001
Encrypted:	false
Ssdeep:	192:eX24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlqSlS:D8QIl972eXqlWBFSt273YOlqz
Size:	11776
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Canton.Chr

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Canton.Chr
Category:	dropped
Dump:	Canton.Chr.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\450707124374000811.exe
Type:	data
Entropy:	7.702006100164842
Encrypted:	false
Ssdeep:	6144:vhdVvrRbGmvDU6wCxZkgdpQWENGHJCLJqjFaX6ql6ytdwD:vtvrRbGmvrwcZkg8zcHJCLkmt2D
Size:	283894
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Grundfladernes.Qua

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Grundfladernes.Qua
Category:	dropped
Dump:	Grundfladernes.Qua.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\450707124374000811.exe
Type:	data
Entropy:	4.614849518351854
Encrypted:	false
Ssdeep:	1536:HD0Zl31ONi8ZXxYo6qRyCkWuE78I23R0HEpJQ3Tv:HD0ObxxhcCkxg4QDv
Size:	82981
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\pechay\transskribere\jon\img-1.jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 999x605, components 3

dropped

Details

File:	C:\Users\user\AppData\Roaming\pechay\transskribere\jon\img-1.jpg
Category:	dropped
Dump:	img-1.jpg.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\450707124374000811.exe
Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 999x605, components 3
Entropy:	7.749904770387752
Encrypted:	false
Ssdeep:	3072:icF5a5FZl5xa0SYazQR5dRfp3oVadIALnwP5kipQlMXG6g9:5r2x1SYkQR53fpoVABLnwRk0QKXRg9
Size:	167813
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\pechay\transskribere\jon\nannie.tek

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\pechay\transskribere\jon\nannie.tek
Category:	dropped
Dump:	nannie.tek.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\450707124374000811.exe
Type:	data
Entropy:	4.933260234424776
Encrypted:	false
Ssdeep:	6144:sXxDu/qV1rYX0GEETHfS1YHoQccZ6eJ7Myv5CTV:shy/qSu6qJcZFJPBi
Size:	329924
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\pechay\transskribere\jon\nonpendency.age

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\pechay\transskribere\jon\nonpendency.age
Category:	dropped
Dump:	nonpendency.age.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\450707124374000811.exe
Type:	data
Entropy:	4.914629993393861
Encrypted:	false
Ssdeep:	768:D/rnROkWNBnJ+9RlvYC45nQikaSOn/i7/nY1kakXzsDwft2EwNWBbTvMIQwBT:zrx8BnJ+lyzknku2kakXYDwcEcWbwoBT
Size:	48084
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\pechay\transskribere\jon\rimsmeds.txt

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\pechay\transskribere\jon\rimsmeds.txt
Category:	dropped
Dump:	rimsmeds.txt.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Users\user\Desktop\450707124374000811.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.284126845947256
Encrypted:	false
Ssdeep:	12:7Dvz9cWhFxJiWtT/ksqSYLbLGLW+/tbV90QhtdtmCq/oK6:vpJrilbgW+hHfmCq/ol
Size:	501
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Roaming\pechay\transskribere\jon\skreddene.spo

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\pechay\transskribere\jon\skreddene.spo
Category:	dropped
Dump:	skreddene.spo.0.dr
ID:	dr_6
Target ID:	0
Process:	C:\Users\user\Desktop\450707124374000811.exe
Type:	data
Entropy:	4.944297757860882
Encrypted:	false
Ssdeep:	1536:BYkiahV7T7eAwz8ruqJUjhEXVM54+suwGXs:BFiahJTCAi8dQ6M54rWs
Size:	54488
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\450707124374000811.exe

"C:\Users\user\Desktop\450707124374000811.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6640
Target ID:	0
Parent PID:	2580
Name:	450707124374000811.exe
Path:	C:\Users\user\Desktop\450707124374000811.exe
Commandline:	"C:\Users\user\Desktop\450707124374000811.exe"
Size:	1001467
MD5:	22AEAB62009AAA9073B3159D7DA1195E
Time:	13:08:01
Date:	20/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	651264
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\Desktop\450707124374000811.exe

"C:\Users\user\Desktop\450707124374000811.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1060
Target ID:	4
Parent PID:	6640
Name:	450707124374000811.exe
Path:	C:\Users\user\Desktop\450707124374000811.exe
Commandline:	"C:\Users\user\Desktop\450707124374000811.exe"
Size:	1001467
MD5:	22AEAB62009AAA9073B3159D7DA1195E
Time:	13:09:18
Date:	20/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	19214336
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

URLs

Name

Malicious

https://alfacen.com/GZgWeuQ77.bin

193.107.36.30

http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd

unknown

http://www.ftp.ftp://ftp.gopher.

unknown

https://alfacen.com/GZgWeuQ77.binf

unknown

http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd

unknown

https://alfacen.com/GZgWeuQ77.bine

unknown

http://nsis.sf.net/NSIS_ErrorError

unknown

https://alfacen.com/

unknown

https://alfacen.com/GZgWeuQ77.bine/Q

unknown

https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214

unknown

Domains

Name

Malicious

alfacen.com

193.107.36.30

Details

Name:	alfacen.com
IP:	193.107.36.30
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

193.107.36.30

alfacen.com

Bulgaria

Details

IP:	193.107.36.30
TargetID:	4
Current Path:	C:\Users\user\Desktop\450707124374000811.exe
Country:	Bulgaria
Countrycode:	BGR
ASN number:	201200
ASN name:	SUPERHOSTING_ASBG
Private:	false
Domain:	alfacen.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CLI\Start

CLI start

HKEY_CURRENT_USER\Ailurophilia\Pectinidae

Lacqueying

HKEY_CURRENT_USER\Eksportforbuddets\Uninstall\telltruth\suede

frihandlens

HKEY_CURRENT_USER\SOFTWARE\Service

System_Check

HKEY_CURRENT_USER\SOFTWARE\Service

System_Check

Memdumps

Base Address

Regiontype

Protect

Malicious

2BF8000

direct allocation

page execute and read and write

35BC1000

direct allocation

page execute and read and write

5678000

heap

page read and write

56BE000

heap

page read and write

436000

unkown

page read and write

5D4000

heap

page read and write

2350000

heap

page read and write

5653000

heap

page read and write

351CE000

stack

page read and write

10001000

unkown

page execute read

34CC0000

direct allocation

page read and write

34CF0000

direct allocation

page read and write

49D8000

remote allocation

page execute and read and write

356C1000

heap

page read and write

170000

direct allocation

page read and write

570000

heap

page read and write

3559E000

heap

page read and write

49F8000

direct allocation

page execute and read and write

5638000

heap

page read and write

353C0000

remote allocation

page read and write

21D8000

remote allocation

page execute and read and write

1E0000

heap

page read and write

35873000

heap

page read and write

70000

heap

page read and write

4E0000

direct allocation

page read and write

34D10000

direct allocation

page read and write

34CE0000

direct allocation

page read and write

500000

direct allocation

page read and write

71000

heap

page read and write

5684000

heap

page read and write

170000

direct allocation

page read and write

626000

unkown

page execute read

408000

unkown

page readonly

5EA000

unkown

page execute read

55D0000

heap

page read and write

5AD000

heap

page read and write

5618000

heap

page read and write

170000

direct allocation

page read and write

46A000

unkown

page readonly

35A19000

direct allocation

page execute and read and write

34D20000

direct allocation

page read and write

10000000

unkown

page readonly

35BBD000

direct allocation

page execute and read and write

5E4000

unkown

page execute read

4C0000

direct allocation

page read and write

2120000

heap

page read and write

67F8000

direct allocation

page execute and read and write

96000

stack

page read and write

34CD0000

direct allocation

page read and write

3FF8000

direct allocation

page execute and read and write

2125000

heap

page read and write

46A000

unkown

page readonly

2A80000

direct allocation

page execute and read and write

2340000

heap

page read and write

53D8000

remote allocation

page execute and read and write

5900000

direct allocation

page read and write

2998000

heap

page read and write

3586F000

heap

page read and write

408000

unkown

page readonly

22F0000

heap

page read and write

1E4000

heap

page read and write

740000

direct allocation

page read and write

71000

heap

page read and write

5E8000

unkown

page execute read

58F0000

direct allocation

page read and write

5684000

heap

page read and write

35D8000

remote allocation

page execute and read and write

46A000

unkown

page readonly

770000

direct allocation

page read and write

5638000

heap

page read and write

2980000

heap

page read and write

5E6000

unkown

page execute read

53F8000

direct allocation

page execute and read and write

468000

unkown

page read and write

5667000

heap

page read and write

5910000

heap

page read and write

23C0000

heap

page read and write

40A000

unkown

page read and write

3558D000

stack

page read and write

3535F000

stack

page read and write

216E000

stack

page read and write

5CB000

heap

page read and write

540000

heap

page read and write

5682000

heap

page read and write

56C2000

heap

page read and write

170000

direct allocation

page read and write

40A000

unkown

page write copy

581E000

stack

page read and write

589E000

stack

page read and write

530000

direct allocation

page read and write

353C0000

remote allocation

page read and write

400000

unkown

page readonly

4F0000

direct allocation

page read and write

350CE000

stack

page read and write

5653000

heap

page read and write

5C1000

heap

page read and write

5600000

direct allocation

page read and write

400000

unkown

page readonly

3510F000

stack

page read and write

353FE000

stack

page read and write

55E0000

heap

page read and write

170000

direct allocation

page read and write

40A000

unkown

page write copy

431000

unkown

page read and write

1F6000

heap

page read and write

3514D000

stack

page read and write

35A1D000

direct allocation

page execute and read and write

5665000

heap

page read and write

353C0000

remote allocation

page read and write

1660000

remote allocation

page execute and read and write

566C000

heap

page read and write

3FD8000

remote allocation

page execute and read and write

520000

direct allocation

page read and write

4B0000

heap

page read and write

5678000

heap

page read and write

10005000

unkown

page readonly

1F0000

heap

page read and write

22EF000

stack

page read and write

578000

heap

page read and write

5653000

heap

page read and write

34D00000

direct allocation

page read and write

401000

unkown

page execute read

585E000

stack

page read and write

35C32000

direct allocation

page execute and read and write

5678000

heap

page read and write

10003000

unkown

page readonly

58E0000

direct allocation

page read and write

19A000

stack

page read and write

408000

unkown

page readonly

401000

unkown

page execute read

565B000

heap

page read and write

56C2000

heap

page read and write

3520E000

stack

page read and write

750000

direct allocation

page read and write

35590000

direct allocation

page read and write

400000

unkown

page readonly

649000

unkown

page execute read

1E4000

heap

page read and write

58DF000

stack

page read and write

3518D000

stack

page read and write

352CF000

stack

page read and write

43F000

unkown

page read and write

565C000

heap

page read and write

5683000

heap

page read and write

358E4000

heap

page read and write

5A0000

heap

page read and write

21E0000

heap

page read and write

401000

unkown

page execute read

17D8000

remote allocation

page execute and read and write

5684000

heap

page read and write

1E4000

heap

page read and write

5F2000

unkown

page execute read

5F0000

unkown

page execute read

358F0000

direct allocation

page execute and read and write

23C4000

heap

page read and write

5DF8000

direct allocation

page execute and read and write

5EC000

unkown

page execute read

5EE000

unkown

page execute read

35746000

heap

page read and write

5610000

heap

page read and write

2BD8000

remote allocation

page execute and read and write

760000

direct allocation

page read and write

510000

direct allocation

page read and write

5665000

heap

page read and write

3528E000

stack

page read and write

3548E000

stack

page read and write

401000

unkown

page execute read

566C000

heap

page read and write

567F000

heap

page read and write

34D30000

direct allocation

page read and write

4D0000

direct allocation

page read and write

5684000

heap

page read and write

170000

direct allocation

page read and write

35F8000

direct allocation

page execute and read and write

566C000

heap

page read and write

35A8E000

direct allocation

page execute and read and write

5639000

heap

page read and write

565B000

heap

page read and write

562B000

heap

page read and write

3531E000

stack

page read and write

170000

direct allocation

page read and write

5682000

heap

page read and write

3543F000

stack

page read and write

There are 173 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
450707124374000811.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report450707124374000811.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
450707124374000811.exe