Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.493835301781505
Filename:	file.exe
Filesize:	2838528
MD5:	473c91c8363cf492cf6192686e4aeae8
SHA1:	4f56b6e25bbf8bb424a3fbb398040d980850a046
SHA256:	265c128a8a9421847dea2121ae5ce79efb601616c4fd060ff9863f4c2c498c2f
SHA512:	09cebc8843d1f3aacc502af0e55736e24d7675ded01c7e402820cefda513d4826a7e91167cc548a1b356bf58defeaf3a456f08e24bc42d6b560382e351d73c12
SSDEEP:	49152:hB7Lsq3Y5sVCMfyPfrUF8gHZrOCOox7SkPFA:hB3sGYkCOyPfru5rEoxW4FA
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............+.. ...`....@.. ........................,......h+...`................................

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Disable Windows Defender notifications (registry)	Lowering of HIPS / PFW / Operating System Security Settings
Disables Windows Defender Tamper protection	Lowering of HIPS / PFW / Operating System Security Settings
Hides threads from debuggers	Anti Debugging
Machine Learning detection for sample	AV Detection
Modifies windows update settings	Lowering of HIPS / PFW / Operating System Security Settings
PE file contains section with special chars	System Summary
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (window names)	Anti Debugging
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks for debuggers (devices)	Anti Debugging	Virtualization/Sandbox Evasion Security Software Discovery
Checks if the current process is being debugged	Anti Debugging
Contains capabilities to detect virtual machines	Malware Analysis System Evasion
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains functionality to detect virtual machines (SIDT)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Queries a list of all running drivers	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Category:	dropped
Dump:	file.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	CSV text
Entropy:	5.360398796477698
Encrypted:	false
Ssdeep:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
Size:	226
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
Sample is known by Antivirus	System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7272
Target ID:	0
Parent PID:	2580
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	2838528
MD5:	473C91C8363CF492CF6192686E4AEAE8
Time:	00:01:57
Date:	29/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd60000
Modulesize:	2883584
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
Sample is known by Antivirus	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

DisableIOAVProtection

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Value name:	DisableIOAVProtection
Value data:	1

Signature Hits	Behavior Group	Mitre Attack
Disable Windows Defender real time protection (registry)	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools Bypass User Account Control

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

DisableRealtimeMonitoring

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Value name:	DisableRealtimeMonitoring
Value data:	1

Signature Hits	Behavior Group	Mitre Attack
Disable Windows Defender real time protection (registry)	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools Bypass User Account Control

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications

DisableNotifications

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications
Value name:	DisableNotifications
Value data:	1

Signature Hits	Behavior Group	Mitre Attack
Disable Windows Defender notifications (registry)	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools Bypass User Account Control
Disable Windows Defender real time protection (registry)	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools Bypass User Account Control

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

AUOptions

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

AutoInstallMinorUpdates

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

NoAutoRebootWithLoggedOnUsers

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

UseWUServer

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

DoNotConnectToWindowsUpdateInternetLocations

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features

TamperProtection

Memdumps

Base Address

Regiontype

Protect

Malicious

5AF5000

trusted library allocation

page read and write

45A0000

direct allocation

page read and write

FAD000

unkown

page execute and write copy

F55000

unkown

page execute and read and write

270E000

stack

page read and write

5D4000

heap

page read and write

3FCF000

stack

page read and write

700F000

stack

page read and write

35CF000

stack

page read and write

49B0000

heap

page execute and read and write

F38000

unkown

page execute and write copy

73F000

stack

page read and write

384F000

stack

page read and write

48B0000

trusted library allocation

page read and write

EFD000

unkown

page execute and write copy

F0A000

unkown

page execute and read and write

1002000

unkown

page execute and write copy

3D4F000

stack

page read and write

F78000

unkown

page execute and write copy

45A0000

direct allocation

page read and write

EFF000

unkown

page execute and write copy

3ACF000

stack

page read and write

F8A000

unkown

page execute and write copy

46B0000

trusted library allocation

page read and write

FA5000

unkown

page execute and read and write

4ACE000

stack

page read and write

280F000

stack

page read and write

3B0E000

stack

page read and write

45A0000

direct allocation

page read and write

4864000

trusted library allocation

page read and write

4890000

direct allocation

page execute and read and write

D6A000

unkown

page execute and write copy

5D4000

heap

page read and write

D66000

unkown

page write copy

489B000

trusted library allocation

page execute and read and write

7A6000

heap

page read and write

30CF000

stack

page read and write

D60000

unkown

page read and write

2FCE000

stack

page read and write

75E000

heap

page read and write

EF3000

unkown

page execute and read and write

5D0000

heap

page read and write

3ECE000

stack

page read and write

4860000

trusted library allocation

page read and write

3C4E000

stack

page read and write

ED9000

unkown

page execute and read and write

5D4000

heap

page read and write

FBC000

unkown

page execute and write copy

246E000

stack

page read and write

6C80000

heap

page execute and read and write

6ECF000

stack

page read and write

310E000

stack

page read and write

100C000

unkown

page execute and write copy

483F000

stack

page read and write

45B1000

heap

page read and write

49A0000

trusted library allocation

page execute and read and write

48FE000

stack

page read and write

5D4000

heap

page read and write

F43000

unkown

page execute and read and write

298E000

stack

page read and write

D6A000

unkown

page execute and read and write

5D4000

heap

page read and write

45A0000

direct allocation

page read and write

4853000

trusted library allocation

page execute and read and write

2C0E000

stack

page read and write

360E000

stack

page read and write

5D4000

heap

page read and write

25B0000

direct allocation

page read and write

5D4000

heap

page read and write

4700000

direct allocation

page read and write

3E8F000

stack

page read and write

101C000

unkown

page execute and write copy

F5F000

unkown

page execute and read and write

46B0000

heap

page read and write

7E2000

heap

page read and write

D60000

unkown

page readonly

45A0000

direct allocation

page read and write

45A0000

direct allocation

page read and write

F5E000

unkown

page execute and write copy

374E000

stack

page read and write

5D4000

heap

page read and write

5D4000

heap

page read and write

794000

heap

page read and write

45B1000

heap

page read and write

4854000

trusted library allocation

page read and write

348F000

stack

page read and write

370F000

stack

page read and write

487A000

trusted library allocation

page execute and read and write

45A0000

direct allocation

page read and write

1003000

unkown

page execute and read and write

45C0000

heap

page read and write

796000

heap

page read and write

F77000

unkown

page execute and read and write

F53000

unkown

page execute and write copy

FAF000

unkown

page execute and read and write

7B3000

heap

page read and write

98F000

stack

page read and write

294F000

stack

page read and write

2E4F000

stack

page read and write

5D4000

heap

page read and write

4700000

direct allocation

page read and write

45A0000

direct allocation

page read and write

6C20000

trusted library allocation

page read and write

256F000

stack

page read and write

F69000

unkown

page execute and write copy

F9B000

unkown

page execute and write copy

473B000

stack

page read and write

1004000

unkown

page execute and write copy

4880000

heap

page read and write

334F000

stack

page read and write

101A000

unkown

page execute and write copy

6B0C000

stack

page read and write

25C0000

heap

page read and write

4AD1000

trusted library allocation

page read and write

25C7000

heap

page read and write

2D0F000

stack

page read and write

45A0000

direct allocation

page read and write

D30000

heap

page read and write

5D4000

heap

page read and write

F1B000

unkown

page execute and read and write

F1A000

unkown

page execute and write copy

4850000

direct allocation

page execute and read and write

88E000

stack

page read and write

6C10000

trusted library allocation

page read and write

D75000

unkown

page execute and read and write

D62000

unkown

page execute and write copy

5D4000

heap

page read and write

5D4000

heap

page read and write

45B1000

heap

page read and write

100C000

unkown

page execute and write copy

75A000

heap

page read and write

D74000

unkown

page execute and write copy

49C0000

heap

page read and write

6C5E000

stack

page read and write

4890000

trusted library allocation

page read and write

7A3000

heap

page read and write

17C000

stack

page read and write

5AD1000

trusted library allocation

page read and write

EFD000

unkown

page execute and read and write

46F0000

trusted library allocation

page read and write

6C0D000

stack

page read and write

3C0F000

stack

page read and write

4870000

trusted library allocation

page read and write

F51000

unkown

page execute and write copy

F90000

unkown

page execute and read and write

D62000

unkown

page execute and read and write

26CF000

stack

page read and write

1E0000

heap

page read and write

45B1000

heap

page read and write

2E8E000

stack

page read and write

FBE000

unkown

page execute and read and write

485D000

trusted library allocation

page execute and read and write

2BCF000

stack

page read and write

338E000

stack

page read and write

5D4000

heap

page read and write

6F0E000

stack

page read and write

F74000

unkown

page execute and write copy

FA0000

unkown

page execute and write copy

410F000

stack

page read and write

324E000

stack

page read and write

320F000

stack

page read and write

63E000

stack

page read and write

4F9000

stack

page read and write

5D4000

heap

page read and write

45B0000

heap

page read and write

5D4000

heap

page read and write

2A8F000

stack

page read and write

284E000

stack

page read and write

45B1000

heap

page read and write

5D4000

heap

page read and write

388D000

stack

page read and write

424F000

stack

page read and write

4700000

direct allocation

page read and write

F6C000

unkown

page execute and read and write

45A0000

direct allocation

page read and write

398F000

stack

page read and write

6D8E000

stack

page read and write

45A0000

direct allocation

page read and write

45A0000

direct allocation

page read and write

101A000

unkown

page execute and read and write

F7D000

unkown

page execute and read and write

45A0000

direct allocation

page read and write

2ACE000

stack

page read and write

1F0000

heap

page read and write

4897000

trusted library allocation

page execute and read and write

2D4E000

stack

page read and write

F09000

unkown

page execute and write copy

400E000

stack

page read and write

25AC000

stack

page read and write

F9E000

unkown

page execute and read and write

101C000

unkown

page execute and write copy

79E000

heap

page read and write

2F8F000

stack

page read and write

5AD4000

trusted library allocation

page read and write

3D8E000

stack

page read and write

F00000

unkown

page execute and read and write

D76000

unkown

page execute and write copy

39CE000

stack

page read and write

5D4000

heap

page read and write

D66000

unkown

page write copy

34CE000

stack

page read and write

F52000

unkown

page execute and read and write

EDC000

unkown

page execute and write copy

45A0000

direct allocation

page read and write

414E000

stack

page read and write

750000

heap

page read and write

6DCE000

stack

page read and write

There are 197 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

Registry

Memdumps

IOC Report
file.exe