Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.210763540523614
Filename:	file.exe
Filesize:	395776
MD5:	03ca3823af479cb440c0283066b794b1
SHA1:	fa607b381f390512effe17926dfe1783a48e1364
SHA256:	a3e66240301c3b9a402704082ce72ed1055a5c3248406d3a0a1f1ac075798408
SHA512:	de4b9ab2caad3e704b6224073d6b80ac46b3ae5d077dce549f3d2de1a64754819c8ca51a4ff0eee8e55e1750eac1bdd18919e3f5e33780f6326bc390dbae04bd
SSDEEP:	12288:3Z4Iq30/HzJ+QM//6i3G1OPfbHNjEtmNekTgC1PIYYXeOK1kvkkDFztRVX74w5ye:3Zq4
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ... ....@.. .......................`............@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
Machine Learning detection for sample	AV Detection
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Abnormal high CPU Usage	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation Security Software Discovery
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression

dropped

Details

File:	C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Category:	dropped
Dump:	77EC63BDA74BD0D0E0426DC8F8008506.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Entropy:	7.996617769952133
Encrypted:	true
Ssdeep:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
Size:	71954
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

data

dropped

Details

File:	C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Category:	dropped
Dump:	77EC63BDA74BD0D0E0426DC8F80085060.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	data
Entropy:	3.247897867253901
Encrypted:	false
Ssdeep:	6:kK6L9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:PDImsLNkPlE99SNxAhUe/3
Size:	328
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2508
Target ID:	0
Parent PID:	4084
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	395776
MD5:	03CA3823AF479CB440C0283066B794B1
Time:	23:12:02
Date:	23/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe60000
Modulesize:	417792
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected JasonRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Machine Learning detection for sample	AV Detection
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000002.3880025576.0000000003201000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3880025576.000000000338F000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

bg.microsoft.map.fastly.net

199.232.210.172

IPs

Domain

Country

Malicious

62.60.153.28

unknown

Iran (ISLAMIC Republic Of)

Details

IP:	62.60.153.28
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	Iran (ISLAMIC Republic Of)
Countrycode:	IRN
ASN number:	15611
ASN name:	IROST-ASIR
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

8.8.8.8

unknown

United States

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit

Version

Memdumps

Base Address

Regiontype

Protect

Malicious

3201000

trusted library allocation

page read and write

3180000

heap

page execute and read and write

E76000

unkown

page execute and read and write

1403000

trusted library allocation

page read and write

3379000

trusted library allocation

page read and write

32F5000

trusted library allocation

page read and write

337B000

trusted library allocation

page read and write

3329000

trusted library allocation

page read and write

7FFB4B260000

trusted library allocation

page read and write

12F4000

stack

page read and write

3327000

trusted library allocation

page read and write

1C02E000

heap

page read and write

13209000

trusted library allocation

page read and write

14CC000

heap

page read and write

32BF000

trusted library allocation

page read and write

1BBF0000

heap

page execute and read and write

7FFB4B014000

trusted library allocation

page read and write

1D13C000

stack

page read and write

3273000

trusted library allocation

page read and write

1C7AE000

stack

page read and write

32B5000

trusted library allocation

page read and write

32C1000

trusted library allocation

page read and write

3338000

trusted library allocation

page read and write

7FFB4B023000

trusted library allocation

page read and write

EC1000

unkown

page execute and read and write

7FFB4B02D000

trusted library allocation

page execute and read and write

32D9000

trusted library allocation

page read and write

7FFB4B03D000

trusted library allocation

page execute and read and write

1C0CB000

heap

page read and write

3268000

trusted library allocation

page read and write

7FFB4B0CC000

trusted library allocation

page execute and read and write

3350000

trusted library allocation

page read and write

1539000

heap

page read and write

15B6000

heap

page read and write

7FFB4B0D0000

trusted library allocation

page execute and read and write

F80000

heap

page read and write

FA0000

heap

page read and write

7FFB4B034000

trusted library allocation

page read and write

1C089000

heap

page read and write

1C5FE000

stack

page read and write

328D000

trusted library allocation

page read and write

14C6000

heap

page read and write

333C000

trusted library allocation

page read and write

1BDFE000

stack

page read and write

1400000

trusted library allocation

page read and write

32E9000

trusted library allocation

page read and write

32F3000

trusted library allocation

page read and write

327F000

trusted library allocation

page read and write

1B200000

trusted library allocation

page read and write

7FFB4B25A000

trusted library allocation

page read and write

152D000

heap

page read and write

1B78D000

stack

page read and write

1C032000

heap

page read and write

3364000

trusted library allocation

page read and write

1C495000

heap

page read and write

7FFB4B03B000

trusted library allocation

page execute and read and write

7FFB4B010000

trusted library allocation

page read and write

3354000

trusted library allocation

page read and write

3341000

trusted library allocation

page read and write

1C09F000

heap

page read and write

7FFB4B1D0000

trusted library allocation

page read and write

1BFFB000

stack

page read and write

1C6FF000

stack

page read and write

7FFB4B012000

trusted library allocation

page read and write

3262000

trusted library allocation

page read and write

1C000000

heap

page read and write

3333000

trusted library allocation

page read and write

7FFB4B0C6000

trusted library allocation

page read and write

FC5000

heap

page read and write

32CB000

trusted library allocation

page read and write

1C3DE000

heap

page read and write

7FFB4B030000

trusted library allocation

page read and write

14C0000

heap

page read and write

7FFB4B200000

trusted library allocation

page execute and read and write

7FFB4B1DA000

trusted library allocation

page read and write

1C900000

heap

page read and write

334D000

trusted library allocation

page read and write

1C03D000

heap

page read and write

7FFB4B220000

trusted library allocation

page read and write

1C0B7000

heap

page read and write

338F000

trusted library allocation

page read and write

13201000

trusted library allocation

page read and write

32FF000

trusted library allocation

page read and write

32CD000

trusted library allocation

page read and write

1C085000

heap

page read and write

1C7EE000

stack

page read and write

E62000

unkown

page readonly

7FF428190000

trusted library allocation

page execute and read and write

7FFB4B0C0000

trusted library allocation

page read and write

E60000

unkown

page readonly

7FFB4B1C0000

trusted library allocation

page read and write

F50000

heap

page read and write

1C05B000

heap

page read and write

1505000

heap

page read and write

7FFB4B1BF000

trusted library allocation

page read and write

1C01D000

heap

page read and write

1D03A000

stack

page read and write

32DB000

trusted library allocation

page read and write

1B580000

heap

page read and write

F60000

heap

page read and write

13F0000

trusted library allocation

page read and write

7FFB4B130000

trusted library allocation

page execute and read and write

1B230000

trusted library allocation

page read and write

329B000

trusted library allocation

page read and write

331B000

trusted library allocation

page read and write

3319000

trusted library allocation

page read and write

330D000

trusted library allocation

page read and write

E62000

unkown

page execute and read and write

14B0000

heap

page read and write

336F000

trusted library allocation

page read and write

7FFB4B06C000

trusted library allocation

page execute and read and write

1420000

trusted library section

page read and write

1C0BF000

heap

page read and write

1C0D2000

heap

page read and write

152F000

heap

page read and write

32E7000

trusted library allocation

page read and write

330F000

trusted library allocation

page read and write

32A7000

trusted library allocation

page read and write

1D339000

stack

page read and write

335F000

trusted library allocation

page read and write

7FFB4B210000

trusted library allocation

page read and write

31F0000

heap

page read and write

1BBCA000

stack

page read and write

E60000

unkown

page execute and read and write

7FFB4B1F0000

trusted library allocation

page read and write

336C000

trusted library allocation

page read and write

17BC000

stack

page read and write

3264000

trusted library allocation

page read and write

FC0000

heap

page read and write

1C300000

heap

page read and write

7FFB4B240000

trusted library allocation

page read and write

16BE000

stack

page read and write

3335000

trusted library allocation

page read and write

7FFB4B230000

trusted library allocation

page read and write

7FFB4B013000

trusted library allocation

page execute and read and write

3367000

trusted library allocation

page read and write

7FFB4B0F6000

trusted library allocation

page execute and read and write

315E000

stack

page read and write

3301000

trusted library allocation

page read and write

7FFB4B1D7000

trusted library allocation

page read and write

13A0F000

trusted library allocation

page read and write

1502000

heap

page read and write

338A000

trusted library allocation

page read and write

7FFB4B1E0000

trusted library allocation

page read and write

3385000

trusted library allocation

page read and write

1562000

heap

page read and write

1C3A3000

heap

page read and write

1CF3A000

stack

page read and write

3387000

trusted library allocation

page read and write

13D0000

trusted library allocation

page read and write

3170000

trusted library allocation

page read and write

1C071000

heap

page read and write

1C0D7000

heap

page read and write

7FFB4B01D000

trusted library allocation

page execute and read and write

14B5000

heap

page read and write

1BCFA000

stack

page read and write

3266000

trusted library allocation

page read and write

7FFB4B1B0000

trusted library allocation

page read and write

1C0CE000

heap

page read and write

335D000

trusted library allocation

page read and write

There are 150 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
file.exe