Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

VALUESearchUpdater.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.668855895299851
Filename:	VALUESearchUpdater.exe
Filesize:	3151872
MD5:	4ab61ee925a3c1d719ebce6214ecdb45
SHA1:	42856c8176a27060ddc20d284187cd86183fdfb2
SHA256:	9ad2b8535a844e9da74ab6d99bdc9b6f264ccb7e2fb1fcb143f7de46f2334156
SHA512:	e31349abb5a8b295870b7aab42b0477f927215e8129004381239265be37f16f68fec43f7757611b14cbbd1783db3a7edbd9fa55afde4fda1c8cd8f0cc536973f
SSDEEP:	49152:DovHkRO80l+J4diSroc8N7tXfJacep7MK5:DoPks80CpNxfJa9l
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\Desktop\valuesearchn.zip

HTML document, ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\Desktop\valuesearchn.zip
Category:	dropped
Dump:	valuesearchn.zip.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\VALUESearchUpdater.exe
Type:	HTML document, ASCII text, with no line terminators
Entropy:	4.430198929422622
Encrypted:	false
Ssdeep:	3:qV4QU1kSDKe9oIJb:q2/7Ke9jb
Size:	45
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\VALUESearchUpdater.exe

"C:\Users\user\Desktop\VALUESearchUpdater.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7432
Target ID:	0
Parent PID:	4056
Name:	VALUESearchUpdater.exe
Path:	C:\Users\user\Desktop\VALUESearchUpdater.exe
Commandline:	"C:\Users\user\Desktop\VALUESearchUpdater.exe"
Size:	3151872
MD5:	4AB61EE925A3C1D719EBCE6214ECDB45
Time:	14:45:58
Date:	31/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x300000
Modulesize:	3203072
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

https://valuesearch.co.kr/

unknown

Details

Name:	https://valuesearch.co.kr/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\VALUESearchUpdater.exe
Source:	VALUESearchUpdater.exe, 00000000.00000002.1299278175.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, VALUESearchUpdater.exe, 00000000.00000003.1298175516.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp, VALUESearchUpdater.exe, 00000000.00000003.1298175516.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, VALUESearchUpdater.exe, 00000000.00000002.1299278175.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://valuesearch.co.kr/files/publish/valuesearchn.zip

3.36.251.235

Details

Name:	https://valuesearch.co.kr/files/publish/valuesearchn.zip
IP:	3.36.251.235
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\VALUESearchUpdater.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://valuesearch.co.kr/70

unknown

Details

Name:	https://valuesearch.co.kr/70
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\VALUESearchUpdater.exe
Source:	VALUESearchUpdater.exe, 00000000.00000003.1298175516.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, VALUESearchUpdater.exe, 00000000.00000002.1299278175.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://valuesearch.co.kr/files/publish/valuesearchn.zipGN

unknown

https://valuesearch.co.kr/files/publish/xlllibver.txtC

unknown

https://valuesearch.co.kr/files/publish/xlllibver.txttia

unknown

https://valuesearch.co.kr/files/publish/xlllibver.txt

3.36.251.235

Details

Name:	https://valuesearch.co.kr/files/publish/xlllibver.txt
IP:	3.36.251.235
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\VALUESearchUpdater.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://valuesearch.co.kr/files/publish/

unknown

Domains

Name

Malicious

valuesearch.co.kr

3.36.251.235

Details

Name:	valuesearch.co.kr
IP:	3.36.251.235
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

3.36.251.235

valuesearch.co.kr

United States

Details

IP:	3.36.251.235
TargetID:	0
Current Path:	C:\Users\user\Desktop\VALUESearchUpdater.exe
Country:	United States
Countrycode:	USA
ASN number:	8987
ASN name:	AMAZONEXPANSIONGB
Private:	false
Domain:	valuesearch.co.kr

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7C7000

stack

page read and write

C6C000

heap

page read and write

B40000

heap

page read and write

302C000

stack

page read and write

10F0000

remote allocation

page read and write

C81000

heap

page read and write

109D000

stack

page read and write

C76000

heap

page read and write

292B000

direct allocation

page read and write

C86000

heap

page read and write

2944000

direct allocation

page read and write

29CD000

direct allocation

page read and write

297D000

direct allocation

page read and write

CA0000

heap

page read and write

2984000

direct allocation

page read and write

CDC000

heap

page read and write

29BF000

direct allocation

page read and write

29E3000

direct allocation

page read and write

596000

unkown

page read and write

594000

unkown

page write copy

AFB000

stack

page read and write

C7A000

heap

page read and write

D7E000

stack

page read and write

C6D000

heap

page read and write

CBC000

heap

page read and write

29A9000

direct allocation

page read and write

C7D000

heap

page read and write

2994000

direct allocation

page read and write

FBF000

stack

page read and write

5AB000

unkown

page readonly

E7F000

stack

page read and write

29F8000

direct allocation

page read and write

1116000

heap

page read and write

29DC000

direct allocation

page read and write

10F0000

remote allocation

page read and write

CD0000

heap

page read and write

29C6000

direct allocation

page read and write

29B8000

direct allocation

page read and write

CA8000

heap

page read and write

CAE000

heap

page read and write

C40000

heap

page read and write

CBF000

heap

page read and write

C8E000

heap

page read and write

3290000

trusted library allocation

page read and write

B30000

heap

page read and write

CB3000

heap

page read and write

1053000

heap

page read and write

1110000

heap

page read and write

C95000

heap

page read and write

CDB000

heap

page read and write

293C000

direct allocation

page read and write

594000

unkown

page read and write

C8D000

heap

page read and write

29EA000

direct allocation

page read and write

291B000

direct allocation

page read and write

29A2000

direct allocation

page read and write

CB6000

heap

page read and write

1010000

direct allocation

page execute and read and write

29B0000

direct allocation

page read and write

317F000

stack

page read and write

1000000

heap

page read and write

CC3000

heap

page read and write

5A4000

unkown

page read and write

29D4000

direct allocation

page read and write

CB8000

heap

page read and write

C62000

heap

page read and write

C7E000

heap

page read and write

2960000

direct allocation

page read and write

10DD000

stack

page read and write

298B000

direct allocation

page read and write

300000

unkown

page readonly

5AD000

unkown

page readonly

10F0000

remote allocation

page read and write

2F2D000

stack

page read and write

3210000

trusted library allocation

page read and write

C9E000

heap

page read and write

1050000

heap

page read and write

C48000

heap

page read and write

C20000

heap

page read and write

2925000

direct allocation

page read and write

5A6000

unkown

page write copy

301000

unkown

page execute read

C9B000

heap

page read and write

EBE000

stack

page read and write

296E000

direct allocation

page read and write

59D000

unkown

page read and write

29F1000

direct allocation

page read and write

299B000

direct allocation

page read and write

307E000

stack

page read and write

2959000

direct allocation

page read and write

There are 80 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
VALUESearchUpdater.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportVALUESearchUpdater.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
VALUESearchUpdater.exe