Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

MysticThumbs4.2.0 Patch.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.967263678844268
Filename:	MysticThumbs4.2.0 Patch.exe
Filesize:	2422974
MD5:	204728b183383e9e064ccb65fba64408
SHA1:	d8b1b2bd56de42db44013e23d84e3aacdee202db
SHA256:	4639a785aa9db39e1823df53c9c25195d41bcbcc05245d068058b64512f1bcff
SHA512:	f18ba0b8a2f0785b0e5ab0090cbe7918f4db5619c5ee9c2ce6ad1b4828b1696934e1a05835c2f8346e6589b9858fb2a7caef734be5427d2f1f905960e6772e49
SSDEEP:	49152:MO9igDAIUUmigufifR3BcKLx/yQFLmCC4GiFvGfPhtMsj:9UgDgigufeR3BcKNKQFLS6MJSW
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............a...a...a...}...a...}...a...~...a...a...a...~...a...~...a..Rich.a..................PE..L........................P...p.....

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation
Multi AV Scanner detection for submitted file	AV Detection
Hides threads from debuggers	Anti Debugging	Security Software Discovery
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	File and Directory Discovery
Tries to detect sandboxes and other dynamic analysis tools (window names)	Anti Debugging
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion	Native API
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion
Abnormal high CPU Usage	System Summary
Checks for debuggers (devices)	Anti Debugging
Checks if the current process is being debugged	Anti Debugging
Contains capabilities to detect virtual machines	Malware Analysis System Evasion
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion File and Directory Discovery
PE file contains sections with non-standard names	Data Obfuscation
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Binary may include packed or encrypted code	Data Obfuscation
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Native API Software Packing
Contains functionality to check free disk space	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Queries a list of all running drivers	Malware Analysis System Evasion	System Information Discovery
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\E_N60005\eAPI.fne

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

modified

Details

File:	C:\Users\user\AppData\Local\Temp\E_N60005\eAPI.fne
Category:	modified
Dump:	eAPI.fne.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\MysticThumbs4.2.0 Patch.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.3266193682979415
Encrypted:	false
Ssdeep:	6144:yE+ULyjYsLavN8JFhOyccPT8oV2wQfRayWjG:yoWRVXUyhIoIwQ4VG
Size:	315392
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\E_N60005\krnln.fnr

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\E_N60005\krnln.fnr
Category:	dropped
Dump:	krnln.fnr.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\MysticThumbs4.2.0 Patch.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.506000162022637
Encrypted:	false
Ssdeep:	24576:zSgLnl5lfDNttzmkh03mQYDiglaadmzrWHwM12S:mUZDpp037ScuHwM12S
Size:	1290240
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\E_N60005\dp1.fne

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\E_N60005\dp1.fne
Category:	dropped
Dump:	dp1.fne.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\MysticThumbs4.2.0 Patch.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	5.964541965095613
Encrypted:	false
Ssdeep:	1536:tiDSn+hfeTpCwAncpZ6Z8HTiQjl1sYiKG3oe/:UDTReTgwAcp9lqKG3o
Size:	131072
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\MysticThumbs4.2.0 Patch.exe

"C:\Users\user\Desktop\MysticThumbs4.2.0 Patch.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7372
Target ID:	0
Parent PID:	4056
Name:	MysticThumbs4.2.0 Patch.exe
Path:	C:\Users\user\Desktop\MysticThumbs4.2.0 Patch.exe
Commandline:	"C:\Users\user\Desktop\MysticThumbs4.2.0 Patch.exe"
Size:	2422974
MD5:	204728B183383E9E064CCB65FBA64408
Time:	10:56:35
Date:	29/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	4190208
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

http://www.eyuyan.com

unknown

http://dywt.com.cn/RSATool2v14.rar

unknown

http://www.baidu.com

unknown

http://www.baidu.comtest

unknown

http://www.eyuyan.comDVarFileInfo$

unknown

http://www.52pojie.cn/

unknown

http://www.eyuyan.comservice

unknown

http://dywt.com.cn

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

41D000

unkown

page write copy

9A0000

heap

page read and write

2C4F000

stack

page read and write

268F000

stack

page read and write

4191000

heap

page read and write

9C4000

heap

page read and write

404F000

stack

page read and write

9B0000

direct allocation

page read and write

19C000

stack

page read and write

9C4000

heap

page read and write

304E000

stack

page read and write

4B06000

heap

page read and write

7FE000

unkown

page execute and read and write

9C4000

heap

page read and write

93E000

stack

page read and write

BE6000

heap

page read and write

9C4000

heap

page read and write

1012A000

unkown

page readonly

9B0000

direct allocation

page read and write

9C4000

heap

page read and write

2B4E000

stack

page read and write

9B0000

direct allocation

page read and write

2ECF000

stack

page read and write

255E000

stack

page read and write

10117000

unkown

page read and write

41B000

unkown

page read and write

9B0000

direct allocation

page read and write

2C8E000

stack

page read and write

8E0000

heap

page read and write

684000

unkown

page execute and read and write

418F000

stack

page read and write

9C4000

heap

page read and write

100E7000

unkown

page readonly

4750000

direct allocation

page execute and read and write

9C4000

heap

page read and write

9C4000

heap

page read and write

354E000

stack

page read and write

ACF000

stack

page read and write

28CE000

stack

page read and write

4D60000

direct allocation

page read and write

2580000

heap

page read and write

2B0F000

stack

page read and write

4191000

heap

page read and write

3B4F000

stack

page read and write

4AE6000

heap

page read and write

9C4000

heap

page read and write

1010D000

unkown

page write copy

9C4000

heap

page read and write

BD2000

heap

page read and write

9C4000

heap

page read and write

BDC000

heap

page read and write

B9D000

heap

page read and write

4770000

direct allocation

page execute and read and write

AE0000

direct allocation

page read and write

350F000

stack

page read and write

340E000

stack

page read and write

400000

unkown

page readonly

AF7000

heap

page read and write

368E000

stack

page read and write

33CF000

stack

page read and write

9B0000

direct allocation

page read and write

10000000

unkown

page readonly

408E000

stack

page read and write

9B0000

direct allocation

page read and write

3DCF000

stack

page read and write

BEC000

heap

page read and write

9C4000

heap

page read and write

684000

unkown

page execute and write copy

BE2000

heap

page read and write

9B0000

direct allocation

page read and write

9C4000

heap

page read and write

29CF000

stack

page read and write

AE0000

direct allocation

page read and write

2A0E000

stack

page read and write

9B0000

direct allocation

page read and write

3E0E000

stack

page read and write

B7E000

stack

page read and write

3C8F000

stack

page read and write

47B0000

direct allocation

page read and write

AE0000

direct allocation

page read and write

3B8E000

stack

page read and write

4780000

direct allocation

page execute and read and write

10106000

unkown

page write copy

38CF000

stack

page read and write

328F000

stack

page read and write

99E000

stack

page read and write

3F0F000

stack

page read and write

3A0F000

stack

page read and write

4E84000

heap

page read and write

37CE000

stack

page read and write

3CCE000

stack

page read and write

4191000

heap

page read and write

3F4E000

stack

page read and write

B3C000

stack

page read and write

401000

unkown

page execute and write copy

4190000

heap

page read and write

364F000

stack

page read and write

B8B000

heap

page read and write

BCE000

heap

page read and write

10001000

unkown

page execute read

4770000

direct allocation

page execute and read and write

41E000

unkown

page execute and read and write

4760000

direct allocation

page execute and read and write

48C7000

heap

page read and write

300F000

stack

page read and write

9C4000

heap

page read and write

9B0000

direct allocation

page read and write

4290000

trusted library allocation

page read and write

3A4E000

stack

page read and write

48C0000

heap

page read and write

378F000

stack

page read and write

9C4000

heap

page read and write

10125000

unkown

page read and write

9B0000

direct allocation

page read and write

474F000

stack

page read and write

4E80000

heap

page read and write

2D8F000

stack

page read and write

685000

unkown

page execute and write copy

97000

stack

page read and write

2DCE000

stack

page read and write

9C4000

heap

page read and write

318E000

stack

page read and write

9C4000

heap

page read and write

1010B000

unkown

page read and write

9C4000

heap

page read and write

4B60000

heap

page read and write

2570000

direct allocation

page execute and read and write

9B0000

direct allocation

page read and write

9C4000

heap

page read and write

2F0E000

stack

page read and write

48C4000

heap

page read and write

400000

unkown

page readonly

251F000

stack

page read and write

9C4000

heap

page read and write

47A0000

direct allocation

page execute and read and write

401000

unkown

page execute and read and write

2584000

heap

page read and write

4790000

direct allocation

page execute and read and write

9C0000

heap

page read and write

58D000

unkown

page execute and read and write

B80000

heap

page read and write

390E000

stack

page read and write

4B01000

heap

page read and write

9C4000

heap

page read and write

9B0000

direct allocation

page read and write

9B0000

direct allocation

page read and write

9C4000

heap

page read and write

32CE000

stack

page read and write

4760000

heap

page read and write

9C4000

heap

page read and write

49AB000

heap

page read and write

AF0000

heap

page read and write

48D6000

heap

page read and write

BDD000

heap

page read and write

9C4000

heap

page read and write

9C4000

heap

page read and write

9B0000

direct allocation

page read and write

288F000

stack

page read and write

464C000

stack

page read and write

314F000

stack

page read and write

278F000

stack

page read and write

800000

heap

page read and write

41B000

unkown

page write copy

2560000

direct allocation

page read and write

There are 154 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
MysticThumbs4.2.0 Patch.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportMysticThumbs4.2.0 Patch.exe

Files

Processes

URLs

Memdumps

IOC Report
MysticThumbs4.2.0 Patch.exe