Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

PE32 executable (console) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	5.321778000695748
Filename:	SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe
Filesize:	14848
MD5:	6f23976152226e51911822cec434d823
SHA1:	4ad1937a39bd1ca37f8956fdd4b08ca28d679c91
SHA256:	75b1e14c1d1eb5d692d67a59ee0676b768351f4f0da6451d157b1cc3399009e8
SHA512:	6957e385c560fdb63f3a60c3467932ccf0f99126e74cd64d217816f3d4dc0c9a043702d947e6b7d5ac54014621b139180e8ff9231d43dcf4ef46717329c6a9d9
SSDEEP:	384:0bubLBWKupIDaGUIYzHjoaulzun7xN/fBz:3kpIDadIYzT7xN
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........[xd.[xd.[xd.R...Wxd...a.Hxd...`.Wxd...g.Zxd...e._xd...e.^xd.[xe..xd...m.Zxd.....Zxd.[x..Zxd...f.Zxd.Rich[xd.........PE..L..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information Security Software Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a mix of data directories often seen in goodware	System Summary
Found GUI installer (many successful clicks)	System Summary	Security Software Discovery

\Device\ConDrv

ISO-8859 text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe
Type:	ISO-8859 text, with CRLF line terminators
Entropy:	4.929120899342838
Encrypted:	false
Ssdeep:	3:tl+ztIQBV53l0uGVEXmq2i6yBWEv:n+zttBV5V0uGVimq2iLHv
Size:	94
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7264
Target ID:	0
Parent PID:	2580
Name:	SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe"
Size:	14848
MD5:	6F23976152226E51911822CEC434D823
Time:	07:33:00
Date:	17/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x2b0000
Modulesize:	32768
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7272
Target ID:	1
Parent PID:	7264
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	07:33:00
Date:	17/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c color F2

Details

Is windows:	true
Is dropped:	false
PID:	7320
Target ID:	2
Parent PID:	7264
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c color F2
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	07:33:00
Date:	17/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Gift2.exe

Details

Is windows:	true
Is dropped:	false
PID:	7384
Target ID:	3
Parent PID:	7264
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c taskkill /f /im Gift2.exe
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	07:33:04
Date:	17/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Gift2.exe

Details

Is windows:	true
Is dropped:	false
PID:	7400
Target ID:	4
Parent PID:	7384
Name:	taskkill.exe
Path:	C:\Windows\SysWOW64\taskkill.exe
Commandline:	taskkill /f /im Gift2.exe
Size:	74240
MD5:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Time:	07:33:04
Date:	17/04/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x900000
Modulesize:	86016
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses taskkill to terminate processes	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

2C5F000

stack

page read and write

10AB000

heap

page read and write

2EDF000

stack

page read and write

2F1E000

stack

page read and write

2B3000

unkown

page readonly

43F4000

heap

page read and write

FF0000

heap

page read and write

2B6000

unkown

page readonly

10AF000

heap

page read and write

10B0000

heap

page read and write

EB0000

heap

page read and write

939000

stack

page read and write

10BB000

heap

page read and write

10AC000

heap

page read and write

10AC000

heap

page read and write

10AB000

heap

page read and write

2B0000

unkown

page readonly

9B0000

heap

page read and write

FF9000

heap

page read and write

2B3000

unkown

page readonly

2C9E000

stack

page read and write

1080000

heap

page read and write

301F000

stack

page read and write

2B6000

unkown

page readonly

43F0000

heap

page read and write

CFC000

stack

page read and write

108A000

heap

page read and write

FC0000

heap

page read and write

2B1000

unkown

page execute read

9A0000

heap

page read and write

2D9F000

stack

page read and write

2B0000

unkown

page readonly

2DDE000

stack

page read and write

2B5E000

stack

page read and write

2B1000

unkown

page execute read

4740000

trusted library allocation

page read and write

FF5000

heap

page read and write

108E000

heap

page read and write

10A3000

heap

page read and write

EA0000

heap

page read and write

10A8000

heap

page read and write

There are 31 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe

Files

Processes

Memdumps

IOC Report
SecuriteInfo.com.Win32.TrojanX-gen.21226.23526.exe