Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

C:\Users\user\Downloads\Unconfirmed 293673.crdownload

PE32+ executable (GUI) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\Downloads\Unconfirmed 293673.crdownload
Category:	dropped
Dump:	Unconfirmed 293673.crdownload.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	7.953974633078778
Encrypted:	false
Ssdeep:	98304:nBxngwXWkaH1OLryPg1yXfRUZtSZ8AIT/2xtlR6sy4dKWE2QnU:nBNgczMEryocZUI8AIDQl8sy4d1E2
Size:	6168192
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

C:\Users\user\Downloads\hp-hpia-5.2.1.exe (copy)

PE32+ executable (GUI) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\Downloads\hp-hpia-5.2.1.exe (copy)
Category:	dropped
Dump:	Unconfirmed 293673.crdownload.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	7.953974633078778
Encrypted:	false
Ssdeep:	98304:nBxngwXWkaH1OLryPg1yXfRUZtSZ8AIT/2xtlR6sy4dKWE2QnU:nBNgczMEryocZUI8AIDQl8sy4d1E2
Size:	6168192
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging	Security Software Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found large amount of non-executed APIs	Malware Analysis System Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Information Discovery System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Reads software policies	System Summary	System Information Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
Executable creates window controls seldom found in malware	System Summary
Uses Rich Edit Controls	System Summary

Chrome Cache Entry: 43

PE32+ executable (GUI) x86-64, for MS Windows

downloaded

Details

File:	Chrome Cache Entry: 43
Category:	downloaded
Dump:	chromecache_43.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	7.953974633078778
Encrypted:	false
Ssdeep:	98304:nBxngwXWkaH1OLryPg1yXfRUZtSZ8AIT/2xtlR6sy4dKWE2QnU:nBNgczMEryocZUI8AIDQl8sy4d1E2
Size:	6168192
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading

Processes

Path

Cmdline

Malicious

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"

Details

Is windows:	true
Is dropped:	false
PID:	792
Target ID:	0
Parent PID:	404
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	09:20:42
Date:	17/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 --field-trial-handle=2520,i,9680638350717332926,39774128382146307,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	864
Target ID:	2
Parent PID:	792
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 --field-trial-handle=2520,i,9680638350717332926,39774128382146307,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	09:20:45
Date:	17/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://hpia.hpcloud.hp.com/downloads/hpia/hp-hpia-5.2.1.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6444
Target ID:	3
Parent PID:	404
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://hpia.hpcloud.hp.com/downloads/hpia/hp-hpia-5.2.1.exe"
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	09:20:47
Date:	17/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5416 --field-trial-handle=2520,i,9680638350717332926,39774128382146307,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	6580
Target ID:	4
Parent PID:	792
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5416 --field-trial-handle=2520,i,9680638350717332926,39774128382146307,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	09:20:48
Date:	17/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Users\user\Downloads\hp-hpia-5.2.1.exe

"C:\Users\user\Downloads\hp-hpia-5.2.1.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6916
Target ID:	9
Parent PID:	2580
Name:	hp-hpia-5.2.1.exe
Path:	C:\Users\user\Downloads\hp-hpia-5.2.1.exe
Commandline:	"C:\Users\user\Downloads\hp-hpia-5.2.1.exe"
Size:	6168192
MD5:	E578C90FBBCC40B0B98A1C5877BF093E
Time:	09:22:05
Date:	17/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff649dd0000
Modulesize:	647168
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

https://hpia.hpcloud.hp.com/downloads/hpia/hp-hpia-5.2.1.exe

Details

Filetype:	URL
Filename:	https://hpia.hpcloud.hp.com/downloads/hpia/hp-hpia-5.2.1.exe

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Access Token Manipulation Masquerading
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation
Classification label	System Summary	Access Token Manipulation
Connects to IPs without corresponding DNS lookups	Networking
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery System Information Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to register its own exception handler	Anti Debugging
Creates files inside the user directory	System Summary
Downloads files from webservers via HTTP	Networking	Ingress Tool Transfer Non-Application Layer Protocol Application Layer Protocol
Performs DNS lookups	Networking
Reads software policies	System Summary	Access Token Manipulation
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses HTTPS	Networking	Access Token Manipulation Encrypted Channel
Binary contains paths to debug symbols	Compliance, System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking	Access Token Manipulation
Found graphical window changes (likely an installer)	System Summary	Access Token Manipulation
Executable creates window controls seldom found in malware	System Summary	Access Token Manipulation
Uses Rich Edit Controls	System Summary	Access Token Manipulation

https://hpia.hpcloud.hp.com/downloads/hpia/hp-hpia-5.2.1.exe

18.160.60.98

Details

Name:	https://hpia.hpcloud.hp.com/downloads/hpia/hp-hpia-5.2.1.exe
IP:	18.160.60.98
TargetID:	2
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Domains

Name

Malicious

hpia.hpcloud.hp.com

18.160.60.98

Details

Name:	hpia.hpcloud.hp.com
IP:	18.160.60.98
TargetID:	2
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection

www.google.com

64.233.177.99

IPs

Domain

Country

Malicious

239.255.255.250

unknown

Reserved

18.160.60.98

hpia.hpcloud.hp.com

United States

192.168.2.4

unknown

64.233.177.99

www.google.com

United States

Memdumps

Base Address

Regiontype

Protect

Malicious

7FF649E5A000

unkown

page readonly

A88F8EE000

stack

page read and write

22EC72F0000

trusted library section

page read and write

22EC5AA1000

heap

page read and write

7FF649E55000

unkown

page read and write

7FF649DD1000

unkown

page execute read

22EC5ABA000

heap

page read and write

7FF649DD1000

unkown

page execute read

7FF649DD0000

unkown

page readonly

22EC5A5C000

heap

page read and write

22EC5AA2000

heap

page read and write

22EC7E09000

heap

page read and write

22EC74D0000

heap

page read and write

22EC5A9E000

heap

page read and write

7FF649E31000

unkown

page readonly

22EC5A50000

heap

page read and write

22EC7310000

trusted library section

page read and write

22EC74C0000

heap

page read and write

22EC58D0000

heap

page read and write

22EC7673000

heap

page read and write

22EC7672000

heap

page read and write

7FF649E53000

unkown

page read and write

22EC7393000

heap

page read and write

22EC5AB9000

heap

page read and write

7FF649E53000

unkown

page write copy

22EC7350000

heap

page read and write

7FF649E54000

unkown

page write copy

22EC7E00000

heap

page read and write

22EC7340000

heap

page read and write

A88F8F7000

stack

page read and write

22EC5A8E000

heap

page read and write

22EC74D4000

heap

page read and write

22EC7670000

heap

page read and write

22EC7390000

heap

page read and write

22EC5A59000

heap

page read and write

7FF649DD0000

unkown

page readonly

22EC5A8E000

heap

page read and write

7FF649E31000

unkown

page readonly

22EC59B0000

heap

page read and write

A88FAFE000

stack

page read and write

A88F9FE000

stack

page read and write

22EC74C5000

heap

page read and write

22EC5A92000

heap

page read and write

22EC5AD7000

heap

page read and write

22EC5A8E000

heap

page read and write

22EC7671000

heap

page read and write

7FF649E5A000

unkown

page readonly

22EC9160000

trusted library allocation

page read and write

22EC59E0000

heap

page read and write

A88FBFE000

stack

page read and write

22EC5A82000

heap

page read and write

22EC7300000

trusted library section

page read and write

There are 42 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
https://hpia.hpcloud.hp.com/downloads/hpia/hp-hpia-5.2.1.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttps://hpia.hpcloud.hp.com/downloads/hpia/hp-hpia-5.2.1.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
https://hpia.hpcloud.hp.com/downloads/hpia/hp-hpia-5.2.1.exe