Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

TcQOmn7lnP.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.593454396400531
Filename:	TcQOmn7lnP.exe
Filesize:	34304
MD5:	edd87a78e02a4c11c82bb8ccce9815d6
SHA1:	a5c6753e71e4d4ad83325c60ec88780471297272
SHA256:	da98f8de94a1f21adebde64bd45a11921fedeaec036035c46b80621b619f017b
SHA512:	3bbdafa95291ac1df2fb4545f9f3818c1a5b817a4d6f3dde182a3996e71d2fd118df1447ddaf855c4432b8bdda454ae0aa26a31c4333785f87b744f34492a4cd
SSDEEP:	768:S1M4swsuaI9VSLVHJOVW5NmLU6eKch1W9FW9Y5qRLOjh2bW:SykZaI9VSOVW5YMKchOFW9Y58LOj0C
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....@g.................\|............... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation	Software Packing
Machine Learning detection for sample	AV Detection
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Sample uses string decryption to hide its real strings	AV Detection
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Abnormal high CPU Usage	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools Obfuscated Files or Information
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\FileExplorer.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\FileExplorer.exe
Category:	dropped
Dump:	FileExplorer.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\TcQOmn7lnP.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.593454396400531
Encrypted:	false
Ssdeep:	768:S1M4swsuaI9VSLVHJOVW5NmLU6eKch1W9FW9Y5qRLOjh2bW:SykZaI9VSOVW5YMKchOFW9Y58LOj0C
Size:	34304
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for dropped file	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Launches a second explorer.exe instance	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FileExplorer.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FileExplorer.exe.log
Category:	dropped
Dump:	FileExplorer.exe.log.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Users\user\AppData\Roaming\FileExplorer.exe
Type:	CSV text
Entropy:	5.380476433908377
Encrypted:	false
Ssdeep:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
Size:	654
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\TcQOmn7lnP.exe

"C:\Users\user\Desktop\TcQOmn7lnP.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1020
Target ID:	0
Parent PID:	4004
Name:	TcQOmn7lnP.exe
Path:	C:\Users\user\Desktop\TcQOmn7lnP.exe
Commandline:	"C:\Users\user\Desktop\TcQOmn7lnP.exe"
Size:	34304
MD5:	EDD87A78E02A4C11C82BB8CCCE9815D6
Time:	15:12:56
Date:	23/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc10000
Modulesize:	57344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample uses string decryption to hide its real strings	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\FileExplorer.exe

"C:\Users\user\AppData\Roaming\FileExplorer.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7132
Target ID:	2
Parent PID:	4004
Name:	FileExplorer.exe
Path:	C:\Users\user\AppData\Roaming\FileExplorer.exe
Commandline:	"C:\Users\user\AppData\Roaming\FileExplorer.exe"
Size:	34304
MD5:	EDD87A78E02A4C11C82BB8CCCE9815D6
Time:	15:13:09
Date:	23/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x6b0000
Modulesize:	57344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Sample uses string decryption to hide its real strings	AV Detection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates files inside the user directory	System Summary	Masquerading
Launches a second explorer.exe instance	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\FileExplorer.exe

"C:\Users\user\AppData\Roaming\FileExplorer.exe"

Details

Is windows:	false
Is dropped:	true
PID:	3544
Target ID:	6
Parent PID:	4004
Name:	FileExplorer.exe
Path:	C:\Users\user\AppData\Roaming\FileExplorer.exe
Commandline:	"C:\Users\user\AppData\Roaming\FileExplorer.exe"
Size:	34304
MD5:	EDD87A78E02A4C11C82BB8CCCE9815D6
Time:	15:13:18
Date:	23/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x950000
Modulesize:	57344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Sample uses string decryption to hide its real strings	AV Detection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates files inside the user directory	System Summary	Masquerading
Launches a second explorer.exe instance	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

192.168.68.139

Details

Name:	192.168.68.139
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\TcQOmn7lnP.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection

tell-outcome.gl.at.ply.gg

Details

Name:	tell-outcome.gl.at.ply.gg
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\TcQOmn7lnP.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\TcQOmn7lnP.exe
Source:	TcQOmn7lnP.exe, 00000000.00000002.4547347546.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

tell-outcome.gl.at.ply.gg

147.185.221.24

Details

Name:	tell-outcome.gl.at.ply.gg
IP:	147.185.221.24
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

192.168.68.139

unknown

Details

IP:	192.168.68.139
TargetID:	0
Current Path:	C:\Users\user\Desktop\TcQOmn7lnP.exe
Private:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection

147.185.221.24

tell-outcome.gl.at.ply.gg

United States

Details

IP:	147.185.221.24
TargetID:	0
Current Path:	C:\Users\user\Desktop\TcQOmn7lnP.exe
Country:	United States
Countrycode:	USA
ASN number:	12087
ASN name:	SALSGIVERUS
Private:	false
Domain:	tell-outcome.gl.at.ply.gg

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

FileExplorer

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	FileExplorer
Value data:	C:\Users\user\AppData\Roaming\FileExplorer.exe

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

C12000

unkown

page readonly

7FFD34452000

trusted library allocation

page read and write

1645000

heap

page read and write

7FFD344AC000

trusted library allocation

page execute and read and write

7FFD34460000

trusted library allocation

page read and write

1B35D000

stack

page read and write

7FFD344D0000

trusted library allocation

page read and write

1B750000

heap

page read and write

1C0FC000

stack

page read and write

1BD10000

heap

page read and write

1C4FC000

stack

page read and write

10F1000

heap

page read and write

7FFD34453000

trusted library allocation

page execute and read and write

B20000

heap

page read and write

7FFD3443D000

trusted library allocation

page execute and read and write

CD5000

heap

page read and write

7FFD345F0000

trusted library allocation

page read and write

11A1000

heap

page read and write

B63000

heap

page read and write

F80000

trusted library allocation

page read and write

AC5000

heap

page read and write

7FFD34460000

trusted library allocation

page read and write

DD0000

heap

page read and write

2B81000

trusted library allocation

page read and write

FB0000

heap

page execute and read and write

F60000

trusted library allocation

page read and write

1131000

heap

page read and write

F40000

heap

page read and write

FF0000

heap

page read and write

26A0000

heap

page execute and read and write

1083000

trusted library allocation

page read and write

D38000

heap

page read and write

1B0FD000

stack

page read and write

1ADED000

stack

page read and write

1B4AE000

stack

page read and write

11FF000

stack

page read and write

7FFD345C0000

trusted library allocation

page read and write

7FFD344E0000

trusted library allocation

page execute and read and write

10FE000

stack

page read and write

DC5000

heap

page read and write

7FFD34536000

trusted library allocation

page execute and read and write

10F4000

heap

page read and write

7F4000

stack

page read and write

7FFD34432000

trusted library allocation

page read and write

A70000

heap

page read and write

1BD60000

heap

page read and write

CD0000

heap

page read and write

1B72E000

stack

page read and write

1179000

heap

page read and write

DC0000

heap

page read and write

7FFD34470000

trusted library allocation

page read and write

7FFD3445D000

trusted library allocation

page execute and read and write

AAF000

heap

page read and write

139E000

stack

page read and write

DF8000

heap

page read and write

C10000

unkown

page readonly

1B22E000

stack

page read and write

7FFD34440000

trusted library allocation

page read and write

A40000

heap

page read and write

1000000

heap

page read and write

ACE000

heap

page read and write

7FFD3449C000

trusted library allocation

page execute and read and write

7FFD3447C000

trusted library allocation

page execute and read and write

AD5000

heap

page read and write

EF0000

heap

page read and write

1B620000

heap

page read and write

2851000

trusted library allocation

page read and write

F20000

heap

page read and write

2D90000

heap

page read and write

7FFD34462000

trusted library allocation

page read and write

7FFD3445D000

trusted library allocation

page execute and read and write

7FFD34443000

trusted library allocation

page execute and read and write

285C000

trusted library allocation

page read and write

1105000

heap

page read and write

7FFD34500000

trusted library allocation

page execute and read and write

7FF4D62E0000

trusted library allocation

page execute and read and write

7FFD34570000

trusted library allocation

page execute and read and write

CF4000

stack

page read and write

7FFD34500000

trusted library allocation

page read and write

6B0000

unkown

page readonly

B54000

heap

page read and write

9E0000

heap

page read and write

12B78000

trusted library allocation

page read and write

12B71000

trusted library allocation

page read and write

7FFD345E0000

trusted library allocation

page read and write

12DD8000

trusted library allocation

page read and write

1B3AE000

stack

page read and write

7FFD34526000

trusted library allocation

page execute and read and write

A96000

heap

page read and write

7FFD3442D000

trusted library allocation

page execute and read and write

A90000

heap

page read and write

1B85A000

stack

page read and write

1050000

trusted library allocation

page read and write

1B73E000

stack

page read and write

7FFD344F6000

trusted library allocation

page read and write

7FFD3444D000

trusted library allocation

page execute and read and write

7FFD34450000

trusted library allocation

page read and write

1B156000

heap

page read and write

B01000

heap

page read and write

DA0000

heap

page read and write

1135000

heap

page read and write

7FFD34464000

trusted library allocation

page read and write

D6C000

heap

page read and write

FF5000

heap

page read and write

7FFD344FC000

trusted library allocation

page execute and read and write

7FFD34424000

trusted library allocation

page read and write

2840000

heap

page read and write

7FFD34506000

trusted library allocation

page execute and read and write

1B92E000

stack

page read and write

7FFD34454000

trusted library allocation

page read and write

2D5E000

stack

page read and write

7FFD34423000

trusted library allocation

page execute and read and write

1B753000

heap

page read and write

11A4000

heap

page read and write

2B60000

heap

page execute and read and write

F15000

heap

page read and write

7FFD344F0000

trusted library allocation

page read and write

EE0000

trusted library allocation

page read and write

7FFD34444000

trusted library allocation

page read and write

D5A000

heap

page read and write

2DD1000

trusted library allocation

page read and write

7FFD3446D000

trusted library allocation

page execute and read and write

1B740000

heap

page read and write

10EB000

heap

page read and write

1C2FA000

stack

page read and write

7FFD345F0000

trusted library allocation

page execute and read and write

EDF000

stack

page read and write

7FFD34434000

trusted library allocation

page read and write

7FFD34440000

trusted library allocation

page read and write

12DD1000

trusted library allocation

page read and write

2B3E000

stack

page read and write

AD0000

heap

page read and write

7FFD34560000

trusted library allocation

page execute and read and write

AD2000

heap

page read and write

7FFD34464000

trusted library allocation

page read and write

DF6000

heap

page read and write

1102000

heap

page read and write

12858000

trusted library allocation

page read and write

12B73000

trusted library allocation

page read and write

1080000

trusted library allocation

page read and write

DDF000

stack

page read and write

D00000

heap

page read and write

1BD0E000

stack

page read and write

1B270000

heap

page execute and read and write

10CC000

heap

page read and write

1B5AF000

stack

page read and write

A50000

heap

page read and write

1B2A0000

heap

page read and write

2B71000

trusted library allocation

page read and write

CB0000

trusted library allocation

page read and write

EF5000

heap

page read and write

12851000

trusted library allocation

page read and write

2DC0000

heap

page read and write

2B7F000

trusted library allocation

page read and write

F10000

heap

page read and write

12853000

trusted library allocation

page read and write

1AE00000

trusted library allocation

page read and write

7FFD34540000

trusted library allocation

page execute and read and write

1BD7E000

heap

page read and write

1C3FC000

stack

page read and write

1C1FF000

stack

page read and write

2A30000

heap

page read and write

1181000

heap

page read and write

D30000

heap

page read and write

A9C000

heap

page read and write

7FFD3446D000

trusted library allocation

page execute and read and write

1B53E000

stack

page read and write

10C0000

heap

page read and write

1640000

heap

page read and write

C60000

heap

page read and write

AFB000

heap

page read and write

D4C000

heap

page read and write

27AE000

stack

page read and write

2D80000

heap

page execute and read and write

D54000

stack

page read and write

1BB0E000

stack

page read and write

D62000

heap

page read and write

1BC0E000

stack

page read and write

1BA04000

stack

page read and write

1070000

trusted library allocation

page read and write

D6E000

heap

page read and write

1020000

heap

page read and write

D99000

heap

page read and write

1B900000

heap

page execute and read and write

7FFD34510000

trusted library allocation

page execute and read and write

1B6FE000

stack

page read and write

ABB000

heap

page read and write

2B7C000

trusted library allocation

page read and write

1B82F000

stack

page read and write

7FFD34430000

trusted library allocation

page read and write

There are 180 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
TcQOmn7lnP.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportTcQOmn7lnP.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
TcQOmn7lnP.exe