Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe

"C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5812
Target ID:	0
Parent PID:	4004
Name:	nHOMA2CalculatorWindowsSetup.exe
Path:	C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe
Commandline:	"C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe"
Size:	2338251
MD5:	F89876113397EAB218FB197D549903AC
Time:	15:02:01
Date:	20/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	450560
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

"C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp" /SL5="$203BC,1934643,407552,C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe"

Details

Is windows:	false
Is dropped:	true
PID:	1548
Target ID:	2
Parent PID:	5812
Name:	nHOMA2CalculatorWindowsSetup.tmp
Path:	C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp
Commandline:	"C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp" /SL5="$203BC,1934643,407552,C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe"
Size:	1458688
MD5:	2703D25D95D502EC71ADE55C81145A03
Time:	15:02:01
Date:	20/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1511424
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\HOMACore.dll"

Details

Is windows:	true
Is dropped:	false
PID:	1616
Target ID:	4
Parent PID:	1548
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\regsvr32.exe
Commandline:	"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\HOMACore.dll"
Size:	20992
MD5:	878E47C8656E53AE8A8A21E927C6F7E0
Time:	15:02:21
Date:	20/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x970000
Modulesize:	36864
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Registers a DLL	Data Obfuscation	Regsvr32
Spawns processes	System Summary	Process Injection

C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

"C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3472
Target ID:	5
Parent PID:	1548
Name:	HOMA2 Calculator.exe
Path:	C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe
Commandline:	"C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe"
Size:	2451091
MD5:	E017A16D1C8F66C4383C585C3FD8C629
Time:	15:02:23
Date:	20/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xfc0000
Modulesize:	352256
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection
Windows shortcut file (LNK) contains relative path	System Summary
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

http://www.innosetup.com/

unknown

http://www.dtu.ox.ac.uk/homa#

unknown

http://www.dtu.ox.ac.uk/HOMACalculatorLhttp://www.dtu.ox.ac.uk/HOMACalculatorLhttp://www.dtu.ox.ac.u

unknown

http://www.dtu.ox.ac.uk/homa

unknown

http://www.dtu.ox.ac.uk/homa#email:

unknown

http://www.remobjects.com/ps

unknown

http://www.dtu.ox.ac.uk/HOMACalculator

unknown

http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU

unknown

http://www.dtu.ox.ac.uk/HOMACalculatorA

unknown

http://www.dtu.ox.ac.uk/homaTextAlign

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFiles0000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFilesHash

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SharedDlls

C:\Windows\system32\HOMACore.dll