Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

New shipment AWB NO - 09804480383.exe

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	7.928156581458441
Filename:	New shipment AWB NO - 09804480383.exe
Filesize:	653824
MD5:	9cc05f64e356b945babe74affd290f68
SHA1:	a68db5877b42bfc24c6772f19e168fd7fb50a2c1
SHA256:	252e7708de6bd7a39023a8a45d04bf5beddde51eeddc5782465b00c115d3a98e
SHA512:	6be8949d64562a86ed6d09e11d7a5ce89786b4d0c375bde549c2e715fdf67eeeeb5fc19c9d38c34883c5f0193bd06de1e61ddeb3a321348e0be90c8677801077
SSDEEP:	12288:XaoRh3o4DPX9ule6XSP8a3NcVuf0Kcs6sZO42ixZEVcD3476jJDQT:XVRh3oCshXS8a3NyusKcYj2ixGVc076m
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...].C..........."...0.................. .....@..... .......................@............@...@......@............... .....

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
Machine Learning detection for sample	AV Detection
Modifies the context of a thread in another process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Creates processes with suspicious names	Persistence and Installation Behavior
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
One or more processes crash	System Summary
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools Obfuscated Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\New shipment AWB NO - 09804480383.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\New shipment AWB NO - 09804480383.exe.log
Category:	dropped
Dump:	New shipment AWB NO - 09804480383.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe
Type:	CSV text
Entropy:	5.380493107040482
Encrypted:	false
Ssdeep:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNl+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAA
Size:	1510
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe

"C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6976
Target ID:	0
Parent PID:	4004
Name:	New shipment AWB NO - 09804480383.exe
Path:	C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe
Commandline:	"C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe"
Size:	653824
MD5:	9CC05F64E356B945BABE74AFFD290F68
Time:	04:36:53
Date:	25/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x800000
Modulesize:	671744
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe

"C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2012
Target ID:	3
Parent PID:	6976
Name:	New shipment AWB NO - 09804480383.exe
Path:	C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe
Commandline:	"C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe"
Size:	653824
MD5:	9CC05F64E356B945BABE74AFFD290F68
Time:	04:36:57
Date:	25/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x160000
Modulesize:	671744
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2012 -s 12

Details

Is windows:	true
Is dropped:	false
PID:	3460
Target ID:	6
Parent PID:	2012
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2012 -s 12
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	04:36:57
Date:	25/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6131a0000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://checkip.dyndns.org/q

unknown

Details

Name:	http://checkip.dyndns.org/q
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe
Source:	New shipment AWB NO - 09804480383.exe, 00000000.00000002.2152724106.00000000154B9000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://tempuri.org/DataSet1.xsd

unknown

https://reallyfreegeoip.org/xml/

unknown

Details

Name:	https://reallyfreegeoip.org/xml/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\New shipment AWB NO - 09804480383.exe
Source:	New shipment AWB NO - 09804480383.exe, 00000000.00000002.2152724106.00000000154B9000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

154B9000

trusted library allocation

page read and write

35F0000

heap

page read and write

1EDAD000

stack

page read and write

7FFD34610000

trusted library allocation

page read and write

7FFD344F6000

trusted library allocation

page read and write

1C743000

heap

page read and write

1F9F000

stack

page read and write

7FFD34464000

trusted library allocation

page read and write

8A2000

unkown

page readonly

3ACC000

trusted library allocation

page read and write

3680000

heap

page execute and read and write

1C740000

heap

page read and write

19DE000

stack

page read and write

7FFD34612000

trusted library allocation

page read and write

1B95000

heap

page read and write

1E988000

heap

page read and write

1E462000

trusted library allocation

page read and write

1C840000

heap

page read and write

9E0000

trusted library allocation

page read and write

153CF000

trusted library allocation

page read and write

1C889000

heap

page read and write

13A91000

trusted library allocation

page read and write

7FFD34453000

trusted library allocation

page read and write

7FFD34600000

trusted library allocation

page read and write

10D0000

trusted library allocation

page read and write

15DE000

stack

page read and write

7FFD344F0000

trusted library allocation

page read and write

930000

heap

page read and write

11C1000

heap

page read and write

1B90000

heap

page read and write

7FFD34444000

trusted library allocation

page read and write

7FFD3446B000

trusted library allocation

page execute and read and write

7FFD345E9000

trusted library allocation

page read and write

7FFD34442000

trusted library allocation

page read and write

1E8B0000

heap

page read and write

7FFD3446D000

trusted library allocation

page execute and read and write

110C000

heap

page read and write

1BAC0000

trusted library allocation

page read and write

3620000

trusted library section

page readonly

970000

heap

page read and write

7FFD34620000

trusted library allocation

page read and write

13A98000

trusted library allocation

page read and write

35D0000

heap

page read and write

11DC000

heap

page read and write

10EC000

heap

page read and write

7FFD345E1000

trusted library allocation

page read and write

114F000

heap

page read and write

1F5AF000

stack

page read and write

1159000

heap

page read and write

3A91000

trusted library allocation

page read and write

1CA30000

heap

page read and write

1F1AE000

stack

page read and write

1125000

heap

page read and write

1C850000

heap

page read and write

7FFD344FC000

trusted library allocation

page execute and read and write

7FFD345F0000

trusted library allocation

page execute and read and write

7FFD34630000

trusted library allocation

page read and write

3AE5000

trusted library allocation

page read and write

7FFD34500000

trusted library allocation

page execute and read and write

3650000

heap

page read and write

1C31C000

stack

page read and write

800000

unkown

page readonly

1CA35000

heap

page read and write

7FFD34450000

trusted library allocation

page read and write

13AA1000

trusted library allocation

page read and write

802000

unkown

page readonly

1DF50000

trusted library allocation

page read and write

114D000

heap

page read and write

1E990000

heap

page read and write

1DF40000

trusted library section

page read and write

990000

heap

page read and write

10E0000

heap

page read and write

7FFD3444D000

trusted library allocation

page execute and read and write

1C860000

heap

page read and write

1CE3C000

stack

page read and write

940000

heap

page read and write

7FFD34440000

trusted library allocation

page read and write

3A8E000

stack

page read and write

7FFD3445D000

trusted library allocation

page execute and read and write

7FFD34560000

trusted library allocation

page execute and read and write

950000

heap

page read and write

1FDAE000

stack

page read and write

1C710000

trusted library section

page read and write

7FFD34526000

trusted library allocation

page execute and read and write

945000

heap

page read and write

1E0E0000

trusted library section

page read and write

7FF4B0A20000

trusted library allocation

page execute and read and write

3E7F000

trusted library allocation

page read and write

7FFD3449C000

trusted library allocation

page execute and read and write

9FC000

stack

page read and write

7FFD34460000

trusted library allocation

page read and write

15381000

trusted library allocation

page read and write

7FFD34443000

trusted library allocation

page execute and read and write

15333000

trusted library allocation

page read and write

3640000

heap

page execute and read and write

1114000

heap

page read and write

FF4000

stack

page read and write

1122000

heap

page read and write

1E150000

heap

page read and write

1F9AE000

stack

page read and write

1DE40000

heap

page read and write

There are 91 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
New shipment AWB NO - 09804480383.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportNew shipment AWB NO - 09804480383.exe

Files

Processes

URLs

Memdumps

IOC Report
New shipment AWB NO - 09804480383.exe