Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Iyto7FYCJO.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	7.915405644351424
Filename:	Iyto7FYCJO.exe
Filesize:	6070784
MD5:	e12627a292cf6a7d32adb932adbd2b3b
SHA1:	2f6bf97cd38104937b7f47be38a00f0cea9a6f4a
SHA256:	eeca777e359e475f4bf1d137bd60dc0194e9520c0047a388ef28d383dc04250e
SHA512:	ba53d23d94fa77f9d1c7eaea2eac71a60ad6dd762760de227de9ae9ac4b26c95a1c951302aa586a19c92c9f89a2e0cb54f4bf44d8a9efd6d7fcde09ba3cedd7d
SSDEEP:	98304:mjtH5k4OJUfCTcdP4w8kwy6zVTs4M2ssUTJPDHQWHEpHuKxdeLkT1Myx:mBZfOCfOcN4w8kwlKIssUTJ7HpCuKxw9
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...}T.g.........."....&............$..........@.............................p............`................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Detected VMProtect packer	System Summary
Found direct / indirect Syscall (likely to bypass EDR)	HIPS / PFW / Operating System Protection Evasion	Abuse Elevation Control Mechanism Process Discovery
Hides threads from debuggers	Anti Debugging	Windows Service
Machine Learning detection for sample	AV Detection
Overwrites code with unconditional jumps - possibly settings hooks in foreign process	Hooking and other Techniques for Hiding and Protection	Credential API Hooking
Sample is not signed and drops a device driver	Persistence and Installation Behavior	Windows Service
Tries to detect debuggers (CloseHandle check)	Anti Debugging
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion	Security Software Discovery System Information Discovery
Tries to evade analysis by execution special instruction (VM detection)	Malware Analysis System Evasion
Checks if the current process is being debugged	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Creates driver files	System Summary	Windows Service
Creates files inside the system directory	System Summary
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	File and Directory Discovery
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
One or more processes crash	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Creates files inside the user directory	System Summary
Public key (encryption) found	Cryptography	Archive Collected Data
Queries a list of all running drivers	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\driver[1].sys

PE32+ executable (native) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\driver[1].sys
Category:	dropped
Dump:	driver[1].sys.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\Iyto7FYCJO.exe
Type:	PE32+ executable (native) x86-64, for MS Windows
Entropy:	4.767634671950727
Encrypted:	false
Ssdeep:	96:OnmyUT3zne232FJKQglswx5RFUR0s8j4R4CZzSHWj7gdkX+lqYCg05T1kRRH4:OmyUG2AJKJZx580Fj4y4zYcL+l25e
Size:	10752
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Sample is not signed and drops a device driver	Persistence and Installation Behavior
Creates driver files	System Summary	Windows Service
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Vulnerability[1].exe

PE32+ executable (console) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Vulnerability[1].exe
Category:	dropped
Dump:	Vulnerability[1].exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Iyto7FYCJO.exe
Type:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.159203978020291
Encrypted:	false
Ssdeep:	3072:nvJpbB++pE3j0XJwH464mIWeBq/y9Dqp2k:xpbBhpE3jQwY6BP/Kkx
Size:	145408
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Creates files inside the user directory	System Summary	Masquerading

C:\Windows\Vulnerability.exe

PE32+ executable (console) x86-64, for MS Windows

dropped

Details

File:	C:\Windows\Vulnerability.exe
Category:	dropped
Dump:	Vulnerability.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Iyto7FYCJO.exe
Type:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.159203978020291
Encrypted:	false
Ssdeep:	3072:nvJpbB++pE3j0XJwH464mIWeBq/y9Dqp2k:xpbBhpE3jQwY6BP/Kkx
Size:	145408
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Accesses win32k, likely to find offsets for exploits	Exploits	Exploitation for Privilege Escalation
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Machine Learning detection for dropped file	AV Detection
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)	Malware Analysis System Evasion, Anti Debugging	Security Software Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates files inside the system directory	System Summary	Masquerading
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Information Discovery System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Windows\driver.sys

PE32+ executable (native) x86-64, for MS Windows

dropped

Details

File:	C:\Windows\driver.sys
Category:	dropped
Dump:	driver.sys.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\Iyto7FYCJO.exe
Type:	PE32+ executable (native) x86-64, for MS Windows
Entropy:	4.767634671950727
Encrypted:	false
Ssdeep:	96:OnmyUT3zne232FJKQglswx5RFUR0s8j4R4CZzSHWj7gdkX+lqYCg05T1kRRH4:OmyUG2AJKJZx580Fj4y4zYcL+l25e
Size:	10752
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Sample is not signed and drops a device driver	Persistence and Installation Behavior
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Spawns processes	System Summary	Process Injection

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.5.dr
ID:	dr_4
Target ID:	5
Process:	C:\Windows\Vulnerability.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.001629167387823
Encrypted:	false
Ssdeep:	3:34FBOBFRekMov:4Kkov
Size:	24
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Iyto7FYCJO.exe

"C:\Users\user\Desktop\Iyto7FYCJO.exe"

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c cd C:\

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c start C:\Windows\Vulnerability.exe C:\Windows\driver.sys

C:\Windows\Vulnerability.exe

C:\Windows\Vulnerability.exe C:\Windows\driver.sys

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\Iyto7FYCJO.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"

C:\Windows\System32\cmd.exe

cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\certutil.exe

certutil -hashfile "C:\Users\user\Desktop\Iyto7FYCJO.exe" MD5

C:\Windows\System32\find.exe

find /i /v "md5"

C:\Windows\System32\find.exe

find /i /v "certutil"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\timeout.exe

timeout /t 5

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1308 -s 1708

There are 5 hidden processes, click here to show them.

URLs

Name

Malicious

http://185.101.104.122/driver.sysl

unknown

http://185.101.104.122/Vulnerability.exe

185.101.104.122

https://keyauth.win/api/1.2/http://185.101.104.122/Vulnerability.exeC:

unknown

http://185.101.104.122/Vulnerability.exev

unknown

https://www.behance.net/madetypeFree

unknown

http://185.101.104.122/driver.sysW

unknown

http://185.101.104.122/driver.sysC:

unknown

http://185.101.104.122/Vulnerability.exeC:

unknown

https://keyauth.win/api/1.2/2(f

unknown

http://185.101.104.122/driver.syse

unknown

http://185.101.104.122/driver.sys

185.101.104.122

https://curl.haxx.se/docs/http-cookies.html

unknown

https://keyauth.win/api/1.2/

unknown

http://185.101.104.122/Vulnerability.exeC9?

unknown

There are 4 hidden URLs, click here to show them.

Domains

Name

Malicious

keyauth.win

172.67.72.57

Details

Name:	keyauth.win
IP:	172.67.72.57
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

172.67.72.57

keyauth.win

United States

Details

IP:	172.67.72.57
TargetID:	0
Current Path:	C:\Users\user\Desktop\Iyto7FYCJO.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	keyauth.win

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

185.101.104.122

unknown

Romania

Details

IP:	185.101.104.122
TargetID:	0
Current Path:	C:\Users\user\Desktop\Iyto7FYCJO.exe
Country:	Romania
Countrycode:	ROU
ASN number:	57673
ASN name:	HOSTCLEAN-SRLRO
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

127.0.0.1

unknown

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7

Name

Memdumps

Base Address

Regiontype

Protect

Malicious

1F89D415000

heap

page read and write

E9DB11E000

stack

page read and write

7FF7738E0000

unkown

page readonly

D8D0CFF000

stack

page read and write

2B69CF50000

heap

page read and write

22AC022F000

heap

page read and write

22AC023F000

heap

page read and write

7FF7738E0000

unkown

page readonly

1C4AEBE0000

heap

page read and write

22AC01FF000

heap

page read and write

2B69EEE0000

remote allocation

page read and write

9F3D87C000

stack

page read and write

1E185250000

heap

page read and write

9F3D97E000

stack

page read and write

2B0064E0000

heap

page read and write

2B69E836000

heap

page read and write

D8D04FE000

stack

page read and write

22AC0180000

trusted library allocation

page read and write

743C9FF000

stack

page read and write

1E1850B0000

heap

page read and write

2B69CF10000

heap

page read and write

22AC1C00000

remote allocation

page read and write

1C4AEC30000

heap

page read and write

7FF7A2710000

unkown

page readonly

2B69E7F0000

heap

page read and write

1C4AEB90000

heap

page read and write

743C1FE000

stack

page read and write

2B69EEE0000

remote allocation

page read and write

339CA7F000

stack

page read and write

22AC1C00000

remote allocation

page read and write

7FF7A27CB000

unkown

page readonly

1E185040000

heap

page read and write

22AC1C00000

remote allocation

page read and write

7FF7A27F2000

unkown

page read and write

2B69EEF0000

trusted library allocation

page read and write

D8D06FE000

stack

page read and write

22AC023A000

heap

page read and write

22AC0205000

heap

page read and write

22AC023D000

heap

page read and write

743C5FB000

stack

page read and write

1F89BA40000

heap

page read and write

22AC1CC4000

heap

page read and write

7FF773904000

unkown

page readonly

22AC0233000

heap

page read and write

7FF7A2810000

unkown

page readonly

7FF7738E1000

unkown

page execute read

7FF7A2825000

unkown

page execute read

7FF7738E1000

unkown

page execute read

22AC019C000

heap

page read and write

BD4BA7C000

stack

page read and write

7FF7A3165000

unkown

page readonly

7FF7738F6000

unkown

page readonly

743C0FF000

stack

page read and write

2B69E945000

heap

page read and write

22AC021C000

heap

page read and write

2B006440000

heap

page read and write

2B69D030000

heap

page read and write

22AC0110000

heap

page read and write

1C4AEBE5000

heap

page read and write

2B69CF00000

heap

page read and write

7FF773904000

unkown

page readonly

2B0081C0000

heap

page read and write

2B69E7F4000

heap

page read and write

2B69E8F0000

heap

page read and write

2B69CDF0000

heap

page read and write

E9DB19D000

stack

page read and write

2B006509000

heap

page read and write

7FF7A281B000

unkown

page execute read

1E1850B8000

heap

page read and write

E9DB09C000

stack

page read and write

D8D0BFE000

stack

page read and write

7FF7A2711000

unkown

page execute read

743C8FD000

stack

page read and write

339C78F000

stack

page read and write

7FF7A2B9B000

unkown

page execute read

22AC1B90000

heap

page read and write

7FF7A2830000

unkown

page execute read

22AC020A000

heap

page read and write

2B69D00D000

heap

page read and write

339C70C000

stack

page read and write

2B006330000

heap

page read and write

D8D08FE000

stack

page read and write

2B69CED0000

heap

page read and write

2B006410000

heap

page read and write

1C4AEB60000

heap

page read and write

2B69CF05000

heap

page read and write

D8D05FE000

stack

page read and write

743C4FF000

stack

page read and write

1F89BA78000

heap

page read and write

2B69E867000

heap

page read and write

743BFFE000

stack

page read and write

D8D09FF000

stack

page read and write

7FF7A3165000

unkown

page readonly

1F89D410000

heap

page read and write

7FF7A282C000

unkown

page execute read

1C4AEC3A000

heap

page read and write

BD4BAFF000

stack

page read and write

7FF7738F6000

unkown

page readonly

1F89BA70000

heap

page read and write

22AC021C000

heap

page read and write

D8D07FE000

stack

page read and write

2B006500000

heap

page read and write

22AC1B20000

trusted library allocation

page read and write

743BEF6000

stack

page read and write

22AC0170000

heap

page read and write

2B69E83F000

heap

page read and write

E9DB47E000

stack

page read and write

22AC01BC000

heap

page read and write

22AC1B00000

heap

page read and write

D8D0AFB000

stack

page read and write

7FF7A2819000

unkown

page execute read

22AC0150000

heap

page read and write

1E184F40000

heap

page read and write

2B0064E5000

heap

page read and write

22AC1C00000

remote allocation

page read and write

7FF7A2821000

unkown

page execute read

22AC0175000

heap

page read and write

1E1850BB000

heap

page read and write

2B69EF30000

heap

page read and write

2B69E957000

heap

page read and write

1F89BA50000

heap

page read and write

1E185020000

heap

page read and write

1C4AEB70000

heap

page read and write

22AC1CC0000

heap

page read and write

22AC0190000

heap

page read and write

743C7FD000

stack

page read and write

22AC0224000

heap

page read and write

1E185255000

heap

page read and write

7FF7A2849000

unkown

page read and write

743C3FE000

stack

page read and write

9F3D8FF000

stack

page read and write

7FF773903000

unkown

page write copy

22AC0224000

heap

page read and write

2B69CF5C000

heap

page read and write

7FF773903000

unkown

page read and write

2B008350000

heap

page read and write

1F89D420000

heap

page read and write

7FF7A284F000

unkown

page execute read

7FF7A2710000

unkown

page readonly

743C2FE000

stack

page read and write

1C4AEC38000

heap

page read and write

D8D0176000

stack

page read and write

22AC0120000

heap

page read and write

2B69CFC9000

heap

page read and write

743C6FE000

stack

page read and write

2B69EEE0000

remote allocation

page read and write

2B69EEF0000

trusted library allocation

page read and write

BD4BB7F000

stack

page read and write

There are 138 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Iyto7FYCJO.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportIyto7FYCJO.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Iyto7FYCJO.exe