Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Dowody potwierdzaj#U0105ce naruszenie praw w#U0142asno#U015bci CDN 21.10.exe

"C:\Users\user\Desktop\Dowody potwierdzaj#U0105ce naruszenie praw w#U0142asno#U015bci CDN 21.10.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7372
Target ID:	0
Parent PID:	2580
Name:	Dowody potwierdzaj#U0105ce naruszenie praw w#U0142asno#U015bci CDN 21.10.exe
Path:	C:\Users\user\Desktop\Dowody potwierdzaj#U0105ce naruszenie praw w#U0142asno#U015bci CDN 21.10.exe
Commandline:	"C:\Users\user\Desktop\Dowody potwierdzaj#U0105ce naruszenie praw w#U0142asno#U015bci CDN 21.10.exe"
Size:	6365288
MD5:	4864A55CFF27F686023456A22371E790
Time:	04:36:40
Date:	21/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	6467584
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file contains a mix of resources often seen in goodware	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

http://www.zeniko.ch/#SumatraPDFSimon

unknown

http://www.drm-x.com/0E

unknown

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://blog.kowalczyk.info/software/sumatrapdf/translators.htmlThe

unknown

http://www.drm-x.net/http://cn.drm-x.com/LicPrepare2008.aspxLicPrepare20082013.aspx.drm-x.com/2/%s?c

unknown

http://www.haihaisoft.comlibmupdf.pdbSumatraPDF.pdbSumatraPDF-prereleaseSumatraPDF.pdbSumatraPDF-1.5

unknown

http://www.drm-x.com/

unknown

http://itexmac.sourceforge.net/SyncTeX.htmlJ

unknown

http://HDMHDMLoading...%s

unknown

http://www.drm-x.com/pdfversion.htm1.5.7.0..http://www.haihaisoft.com/PDF_Reader_download.aspxopenSo

unknown

http://www.haihaisoft.com/PDF_Reader_download.aspx

unknown

http://www.flashvidz.tk/Zenonprogram

unknown

http://www.drm-x.com/pdfversion.htmHH

unknown

http://p.yusukekamiyamane.com/Yusuke

unknown

http://mailto:EmbeddedFilesTypeFilespecD%s%dR%s%sA%s%sKids.seen.seen.seenNumsSPStD%s.%d:%d:%dInfoPag

unknown

http://www.haihaisoft.com/Contact.aspx

unknown

http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlLicensed

unknown

http://www.freetype.org/FreeTypefont

unknown

http://www.haihaisoft.com/PDF_Reader_download.aspxhttp://www.drm-x.com/pdfversion.htmMS

unknown

http://blog.kowalczyk.info/software/sumatrapdf/translations.htmlContribute

unknown

http://www.haihaisoft.com

unknown

http://william.famille-blum.org/William

unknown

http://www.apache.org/licenses/LICENSE-2.0Digitized

unknown

http://mupdf.comMuPDFpdf

unknown

http://www.drm-x.com/C

unknown

http://www.winimage.com/zLibDllbad

unknown

http://www.winimage.com/zLibDll

unknown

http://cn.haihaisoft.com/%E6%B5%B7%E6%B5%B7%E8%BD%AF%E4%BB%B6PDF%E9%98%85%E8%AF%BB%E5%99%A8.aspxopen

unknown

http://www.haihaisoft.com/Contact.aspx%u%?.Install_DirSoftware

unknown

http://cn.haihaisoft.comhttp://www.haihaisoft.comcnhttp://cn.haihaisoft.com/%E6%B5%B7%E6%B5%B7%E8%BD

unknown

http://www.drm-x.com/pdfversion.htm

163.171.156.15

http://blog.kowalczyk.infoKrzysztof

unknown

http://www.haihaisoft.comSumatraPDF

unknown

There are 23 hidden URLs, click here to show them.

Domains

Name

Malicious

www.drm-x.com.wswebpic.com

163.171.156.15

www.drm-x.com

unknown

Details

Name:	www.drm-x.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

163.171.156.15

www.drm-x.com.wswebpic.com

European Union

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Haihaisoft PDF Reader

UpdateDate

Memdumps

Base Address

Regiontype

Protect

Malicious

5290000

trusted library allocation

page read and write

328E000

stack

page read and write

982000

unkown

page write copy

574F000

stack

page read and write

D2C000

heap

page read and write

6C9000

unkown

page readonly

28DF000

stack

page read and write

2AF0000

heap

page read and write

D49000

heap

page read and write

27D5000

heap

page read and write

D4D000

heap

page read and write

9FC000

unkown

page readonly

D70000

heap

page read and write

AD0000

heap

page read and write

59DE000

stack

page read and write

529C000

trusted library allocation

page read and write

3290000

heap

page read and write

400000

unkown

page readonly

97F000

unkown

page read and write

97F000

unkown

page write copy

589D000

stack

page read and write

579E000

stack

page read and write

560F000

stack

page read and write

27D8000

heap

page read and write

4A90000

trusted library allocation

page read and write

D9D000

heap

page read and write

400000

unkown

page readonly

D58000

heap

page read and write

CC0000

heap

page read and write

5A00000

heap

page read and write

D5A000

heap

page read and write

564E000

stack

page read and write

401000

unkown

page execute read

EE9000

heap

page read and write

D04000

heap

page read and write

D34000

heap

page read and write

D78000

heap

page read and write

2ADF000

stack

page read and write

2750000

heap

page read and write

550E000

stack

page read and write

A40000

heap

page read and write

CCE000

heap

page read and write

D7C000

heap

page read and write

58DE000

stack

page read and write

27BE000

stack

page read and write

2E40000

heap

page read and write

27D0000

heap

page read and write

19A000

stack

page read and write

D5F000

heap

page read and write

D29000

heap

page read and write

53CE000

stack

page read and write

EE6000

heap

page read and write

3320000

heap

page read and write

274E000

stack

page read and write

9F6000

unkown

page read and write

A30000

heap

page read and write

CCA000

heap

page read and write

318C000

stack

page read and write

D2D000

heap

page read and write

93000

stack

page read and write

9E2000

unkown

page read and write

AD6000

heap

page read and write

D1D000

heap

page read and write

D98000

heap

page read and write

9FC000

unkown

page readonly

6C9000

unkown

page readonly

9DD000

unkown

page read and write

54CF000

stack

page read and write

29D0000

heap

page read and write

D2C000

heap

page read and write

401000

unkown

page execute read

D24000

heap

page read and write

9E0000

unkown

page write copy

29D3000

heap

page read and write

EE0000

heap

page read and write

There are 65 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Dowody potwierdzaj#U0105ce naruszenie praw w#U0142asno#U015bci CDN 21.10.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportDowody potwierdzaj#U0105ce naruszenie praw w#U0142asno#U015bci CDN 21.10.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Dowody potwierdzaj#U0105ce naruszenie praw w#U0142asno#U015bci CDN 21.10.exe