Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

iuhmzvlH.cmd

DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators

initial sample

Details

Filetype:	DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
Entropy:	4.705712327109906
Filename:	iuhmzvlH.cmd
Filesize:	62357
MD5:	b87f096cbc25570329e2bb59fee57580
SHA1:	d281d1bf37b4fb46f90973afc65eece3908532b2
SHA256:	d08ccc9b1e3acc205fe754bad8416964e9711815e9ceed5e6af73d8e9035ec9e
SHA512:	72901adde38f50cf6d74743c0a546c0fea8b1cd4a18449048a0758a7593a176fc33aad1ebfd955775eefc2b30532bcc18e4f2964b3731b668dd87d94405951f7
SSDEEP:	768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
Preview:	@echo off..@echo off..@%.....................%e%......%c%.........%h%............ .........%o%......................% %...%o%...............%f%.........%f% ....................%..s%...%e%............ %t%r...o..................% %............%"%...........

C:\Users\Public\alpha.pif

PE32+ executable (console) x86-64, for MS Windows

dropped

Details

File:	C:\Users\Public\alpha.pif
Category:	dropped
Dump:	alpha.pif.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Windows\System32\esentutl.exe
Type:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.135598950357573
Encrypted:	false
Ssdeep:	6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT
Size:	289792
Whitelisted:	true
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files to the user root directory	Boot Survival	Masquerading
Drops PE files with a suspicious file extension	Persistence and Installation Behavior	Masquerading
Drops or copies cmd.exe with a different name (likely to bypass HIPS)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Sigma detected: Execution from Suspicious Folder	System Summary
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Access Token Manipulation
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates files inside the system directory	System Summary	Masquerading
Deletes files inside the Windows folder	System Summary	File Deletion
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Found evaded block containing many API calls	Malware Analysis System Evasion	Native API
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Execution of Suspicious File Type Extension	System Summary
Contains functionality for error logging	System Summary
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Information Discovery System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection

C:\Users\Public\xpha.pif

PE32+ executable (console) x86-64, for MS Windows

dropped

Details

File:	C:\Users\Public\xpha.pif
Category:	dropped
Dump:	xpha.pif.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\System32\esentutl.exe
Type:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	5.358141004461096
Encrypted:	false
Ssdeep:	384:Js9qZDngKcZhS6JLFULEg9PhayhN9dsv/45rJLQhW79WBlW:JsgZbgZZGa49snUrJLQ5
Size:	22528
Whitelisted:	true
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files to the user root directory	Boot Survival	Masquerading
Drops PE files with a suspicious file extension	Persistence and Installation Behavior	Masquerading
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

\Device\Null

ASCII text, with CRLF, CR line terminators

dropped

Details

File:	\Device\Null
Category:	dropped
Dump:	Null.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Windows\System32\esentutl.exe
Type:	ASCII text, with CRLF, CR line terminators
Entropy:	4.54397131958299
Encrypted:	false
Ssdeep:	12:q6p4xTXWIceSbZ7u0wxDDDDDDDDjCaY5G4aYA1S4TB8NGNX:/p4xT5cp7u0wQakG4aTS4t8Nq
Size:	560
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\iuhmzvlH.cmd" "

C:\Windows\System32\esentutl.exe

C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o

C:\Windows\System32\esentutl.exe

C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10

C:\Users\Public\xpha.pif

C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

There are 1 hidden processes, click here to show them.

IPs

Domain

Country

Malicious

127.0.0.1

unknown

Details

IP:	127.0.0.1
TargetID:	8
Current Path:	C:\Users\Public\xpha.pif
Private:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

2FB3EFE000

stack

page read and write

9CDB6FC000

stack

page read and write

7FF718D41000

unkown

page execute read

7FF718D85000

unkown

page read and write

2562FC46000

heap

page read and write

7FF718D41000

unkown

page execute read

133B742F000

heap

page read and write

7FF718D99000

unkown

page readonly

7FF6F7634000

unkown

page readonly

133B7416000

heap

page read and write

7FF718D40000

unkown

page readonly

2562FC28000

heap

page read and write

7FF718D8F000

unkown

page read and write

D640D8D000

stack

page read and write

2562FC5D000

heap

page read and write

7FF718D72000

unkown

page readonly

56BA0FD000

stack

page read and write

ED979FE000

stack

page read and write

7FF718D40000

unkown

page readonly

133B742F000

heap

page read and write

7FF718D41000

unkown

page execute read

133B7416000

heap

page read and write

ED9787C000

stack

page read and write

1D6B9CB0000

heap

page read and write

1D6B9DB4000

heap

page read and write

7FF6F7630000

unkown

page readonly

2562FC5D000

heap

page read and write

7FF718D41000

unkown

page execute read

7FF718D41000

unkown

page execute read

248C28E0000

heap

page read and write

133B73F9000

heap

page read and write

7FF718D41000

unkown

page execute read

7FF718D7D000

unkown

page read and write

133B7990000

direct allocation

page read and write

7FF718D40000

unkown

page readonly

7FF718D40000

unkown

page readonly

1F3A5759000

heap

page read and write

2562FC5F000

heap

page read and write

718D3BF000

stack

page read and write

7FF718D72000

unkown

page readonly

248C27A0000

heap

page read and write

7FF718D81000

unkown

page read and write

1ED29CF0000

heap

page read and write

1ED29CF5000

heap

page read and write

28ABF970000

heap

page read and write

1F9CAEE0000

heap

page read and write

7FF718D41000

unkown

page execute read

25630580000

trusted library allocation

page read and write

7FF6F7638000

unkown

page readonly

7FF718D9C000

unkown

page write copy

2562FC5D000

heap

page read and write

133B7428000

heap

page read and write

7FF718D72000

unkown

page readonly

1ED29D00000

heap

page read and write

D6411FF000

stack

page read and write

7FF718D72000

unkown

page readonly

9CDB8FF000

stack

page read and write

7FF718D41000

unkown

page execute read

7FF718D9D000

unkown

page readonly

133B7786000

heap

page read and write

1D6B9BB7000

heap

page read and write

7FF718D9D000

unkown

page readonly

133B742D000

heap

page read and write

7FF718D41000

unkown

page execute read

133B7416000

heap

page read and write

2562FDC4000

heap

page read and write

7FF718D8F000

unkown

page read and write

7FF718D9D000

unkown

page readonly

1F9CAB60000

heap

page read and write

28ABF870000

heap

page read and write

21357BEE000

heap

page read and write

133B7340000

heap

page read and write

1F3A5768000

heap

page read and write

2FB3CFD000

stack

page read and write

1F3A5A84000

heap

page read and write

28ABFBC0000

heap

page read and write

7FF718D7D000

unkown

page write copy

2562FC58000

heap

page read and write

7FF718D99000

unkown

page readonly

1D6B9BB0000

heap

page read and write

133B7416000

heap

page read and write

28ABF950000

heap

page read and write

7FF718D99000

unkown

page readonly

256300D0000

direct allocation

page read and write

56BA1FF000

stack

page read and write

7FF718D7D000

unkown

page write copy

1D6B9B70000

heap

page read and write

ED9797F000

stack

page read and write

1ED29D7B000

heap

page read and write

133B742D000

heap

page read and write

7FF718D7D000

unkown

page read and write

1F9CAC60000

heap

page read and write

7FF718D8F000

unkown

page read and write

7FF718D40000

unkown

page readonly

2562FC5F000

heap

page read and write

7FF718D99000

unkown

page readonly

1ED29D70000

heap

page read and write

7FF718D40000

unkown

page readonly

7FF718D41000

unkown

page execute read

7FF6F7631000

unkown

page execute read

1F3A5930000

heap

page read and write

7FF6F7634000

unkown

page readonly

1D6B9A70000

heap

page read and write

7FF718D7D000

unkown

page read and write

133B7780000

heap

page read and write

41737FF000

stack

page read and write

133B742F000

heap

page read and write

248C2580000

heap

page read and write

22EA6FD000

stack

page read and write

133B7E40000

trusted library allocation

page read and write

2562FC3B000

heap

page read and write

2562FC5F000

heap

page read and write

7FF718D99000

unkown

page readonly

133B7370000

heap

page read and write

2562FBF0000

heap

page read and write

1F9CACA0000

heap

page read and write

1D6B9DB0000

heap

page read and write

248C25BB000

heap

page read and write

7FF6F7636000

unkown

page read and write

21357E74000

heap

page read and write

7FF718D72000

unkown

page readonly

2FB3DFE000

stack

page read and write

7FF718D40000

unkown

page readonly

1F3A5A80000

heap

page read and write

7FF718D40000

unkown

page readonly

7FF718D72000

unkown

page readonly

7FF718D9D000

unkown

page readonly

7FF718D7D000

unkown

page write copy

1F9CAC40000

heap

page read and write

28ABF9C7000

heap

page read and write

9CDB7FE000

stack

page read and write

7FF718D81000

unkown

page read and write

133B742D000

heap

page read and write

17905A8000

stack

page read and write

ED978FE000

stack

page read and write

1ED29CF4000

heap

page read and write

7FF6F7636000

unkown

page write copy

7FF718D99000

unkown

page readonly

22EA7FF000

stack

page read and write

179087E000

stack

page read and write

7FF718D72000

unkown

page readonly

7FF718D99000

unkown

page readonly

7FF6F7631000

unkown

page execute read

133B73F0000

heap

page read and write

7FF718D9C000

unkown

page write copy

718D338000

stack

page read and write

7FF718D72000

unkown

page readonly

2562FC46000

heap

page read and write

41736FF000

stack

page read and write

2562FC20000

heap

page read and write

21357BB0000

heap

page read and write

133B740B000

heap

page read and write

133B7350000

heap

page read and write

28ABF9C0000

heap

page read and write

7FF718D99000

unkown

page readonly

2562FC58000

heap

page read and write

7FF718D40000

unkown

page readonly

7FF718D7D000

unkown

page write copy

2562FC46000

heap

page read and write

7FF718D99000

unkown

page readonly

7FF718D9D000

unkown

page readonly

7FF718D99000

unkown

page readonly

1ED29CE0000

heap

page read and write

17908FE000

stack

page read and write

7FF6F7630000

unkown

page readonly

1D6B9B50000

heap

page read and write

22EA8FF000

stack

page read and write

7FF718D7D000

unkown

page write copy

21357E80000

heap

page read and write

248C28E4000

heap

page read and write

7FF718D81000

unkown

page read and write

248C25B0000

heap

page read and write

7FF718D72000

unkown

page readonly

133B7428000

heap

page read and write

2562FC3B000

heap

page read and write

718D6FF000

stack

page read and write

7FF718D41000

unkown

page execute read

D6410FE000

stack

page read and write

7FF718D9C000

unkown

page write copy

7FF718D9D000

unkown

page readonly

1F3A5950000

heap

page read and write

21357BE0000

heap

page read and write

7FF718D41000

unkown

page execute read

7FF718D8F000

unkown

page read and write

1F9CAEE4000

heap

page read and write

7FF718D40000

unkown

page readonly

7FF718D99000

unkown

page readonly

7FF718D9C000

unkown

page write copy

21357DB0000

heap

page read and write

133B7416000

heap

page read and write

1F3A5850000

heap

page read and write

2562FAF0000

heap

page read and write

248C2780000

heap

page read and write

7FF718D81000

unkown

page read and write

1F3A576E000

heap

page read and write

2562FBD0000

heap

page read and write

7FF718D40000

unkown

page readonly

1F9CADA0000

heap

page read and write

2562FDC6000

heap

page read and write

1ED29D20000

heap

page read and write

2562FC46000

heap

page read and write

7FF718D7D000

unkown

page write copy

21357E75000

heap

page read and write

1ED29F40000

heap

page read and write

133B7784000

heap

page read and write

7FF6F7638000

unkown

page readonly

7FF718D72000

unkown

page readonly

21357E70000

heap

page read and write

7FF718D8F000

unkown

page read and write

133B740B000

heap

page read and write

7FF718D7D000

unkown

page read and write

2562FDC0000

heap

page read and write

7FF718D7D000

unkown

page read and write

7FF718D72000

unkown

page readonly

7FF718D7D000

unkown

page read and write

7FF718D9C000

unkown

page write copy

7FF718D99000

unkown

page readonly

2562FC46000

heap

page read and write

28ABF9E3000

heap

page read and write

417335D000

stack

page read and write

7FF718D9C000

unkown

page write copy

ED97A7E000

stack

page read and write

7FF718D40000

unkown

page readonly

1F3A5750000

heap

page read and write

7FF718D8F000

unkown

page read and write

28ABFBB4000

heap

page read and write

28ABFBB5000

heap

page read and write

1F9CACAB000

heap

page read and write

21357BC0000

heap

page read and write

248C2590000

heap

page read and write

7FF718D72000

unkown

page readonly

21357BE7000

heap

page read and write

28ABFBB0000

heap

page read and write

There are 223 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
iuhmzvlH.cmd

Files

Processes

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportiuhmzvlH.cmd

Files

Processes

IPs

Memdumps

IOC Report
iuhmzvlH.cmd