Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	5.474775847499785
Filename:	SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe
Filesize:	11264
MD5:	80c97cfbc49ce4c6f39493ab42edb7aa
SHA1:	8974e0027f4002b916d771c7a440a207e7c9c102
SHA256:	232be72fe20e9d89ac11dddc9ff262fe283044e37ad9abd2a076b784a8e8fa4c
SHA512:	fefbb1a9f3364b9cd0d8d0cd81bb6b60925cac2904a049dae66eee0e2706693a4b468616d9f9edd457676b850357b1431dd68309399f4755f31af6cb2354cf26
SSDEEP:	192:s9G4Jor9ckjb6BmdOsIJqQmhZ6R5V8mfLmRWWbnC3LgzgF1X:p5r9ckjOSOsIgv6R/oFYgzgz
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...mj.d.........."...0.d................ ....@...... .......................`............`................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Enables debug privileges	Anti Debugging
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools Obfuscated Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe.log
Category:	dropped
Dump:	SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.377564997193075
Encrypted:	false
Ssdeep:	48:MxHKQ71qHGIs0HKCYHKGSI6o6+vxp3/ellHitHTHhAHKKkb:iq+wmj0qCYqGSI6o9Zp/ellCtzHeqKkb
Size:	1595
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3060
Target ID:	0
Parent PID:	1028
Name:	SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe"
Size:	11264
MD5:	80C97CFBC49CE4C6F39493AB42EDB7AA
Time:	01:38:55
Date:	18/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1e221500000
Modulesize:	24576
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Customer Loader	Data Obfuscation
Machine Learning detection for sample	AV Detection
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://kyliansuperm92139124.shop/customer/809

unknown

https://kyliansuperm92139124.shop

unknown

Details

Name:	https://kyliansuperm92139124.shop
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe
Source:	SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe, 00000000.00000002.2077669632.000001E2232EA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe, 00000000.00000002.2077669632.000001E223251000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe
Source:	SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe, 00000000.00000002.2077669632.000001E223251000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://go.mic

unknown

Domains

Name

Malicious

kyliansuperm92139124.shop

unknown

Details

Name:	kyliansuperm92139124.shop
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS

FileDirectory

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

1E22197C000

heap

page read and write

1E2216A5000

heap

page read and write

1E23BB2F000

heap

page read and write

7FF848DF3000

trusted library allocation

page execute and read and write

7FF848EAC000

trusted library allocation

page execute and read and write

7FF848E08000

trusted library allocation

page read and write

D767CFE000

stack

page read and write

7FF848FAB000

trusted library allocation

page read and write

7FF848EA0000

trusted library allocation

page read and write

D7685FE000

stack

page read and write

1E233261000

trusted library allocation

page read and write

D767BFE000

stack

page read and write

7FF848E10000

trusted library allocation

page read and write

D767FFE000

stack

page read and write

D767EFC000

stack

page read and write

7FF849018000

trusted library allocation

page read and write

1E23BB47000

heap

page read and write

1E223240000

heap

page execute and read and write

1E2231A0000

heap

page read and write

1E2217D0000

heap

page read and write

7FF848DFD000

trusted library allocation

page execute and read and write

1E23BB2B000

heap

page read and write

1E2216DD000

heap

page read and write

7FF849020000

trusted library allocation

page read and write

7FF848FE0000

trusted library allocation

page read and write

1E221500000

unkown

page readonly

D767AF3000

stack

page read and write

D7684FE000

stack

page read and write

1E221590000

heap

page read and write

7FF848E02000

trusted library allocation

page read and write

1E233258000

trusted library allocation

page read and write

1E23BB33000

heap

page read and write

1E22171D000

heap

page read and write

1E2232F6000

trusted library allocation

page read and write

1E2216F1000

heap

page read and write

1E2217B0000

heap

page read and write

1E221975000

heap

page read and write

7FF849030000

trusted library allocation

page read and write

1E23BB10000

heap

page read and write

1E233251000

trusted library allocation

page read and write

1E2232EA000

trusted library allocation

page read and write

1E2216B0000

heap

page read and write

1E2216DB000

heap

page read and write

7FF848DF4000

trusted library allocation

page read and write

D7682FD000

stack

page read and write

1E23BE00000

heap

page read and write

7FF47CA10000

trusted library allocation

page execute and read and write

1E223251000

trusted library allocation

page read and write

1E2216E1000

heap

page read and write

7FF849040000

trusted library allocation

page read and write

7FF848FFF000

trusted library allocation

page read and write

1E221830000

trusted library allocation

page read and write

1E2217A3000

heap

page read and write

1E221810000

trusted library allocation

page read and write

1E22171F000

heap

page read and write

7FF848F90000

trusted library allocation

page read and write

7FF848E1D000

trusted library allocation

page execute and read and write

7FF849008000

trusted library allocation

page read and write

1E223203000

heap

page read and write

1E2216E5000

heap

page read and write

1E221970000

heap

page read and write

7FF848E0D000

trusted library allocation

page execute and read and write

1E221723000

heap

page read and write

1E223200000

heap

page read and write

1E2216F4000

heap

page read and write

7FF848E4C000

trusted library allocation

page execute and read and write

1E221502000

unkown

page readonly

1E221840000

heap

page read and write

D767DFF000

stack

page read and write

D7683FE000

stack

page read and write

7FF848EA6000

trusted library allocation

page read and write

1E23BB00000

heap

page execute and read and write

7FF848ED6000

trusted library allocation

page execute and read and write

7FF848E14000

trusted library allocation

page read and write

7FF848F10000

trusted library allocation

page execute and read and write

7FF848E00000

trusted library allocation

page read and write

7FF848DF2000

trusted library allocation

page read and write

1E23BB6C000

heap

page read and write

1E2216A0000

heap

page read and write

1E221670000

heap

page read and write

D7681FE000

stack

page read and write

7FF848FB4000

trusted library allocation

page read and write

7FF849010000

trusted library allocation

page read and write

7FF848EB0000

trusted library allocation

page execute and read and write

1E23DCD0000

trusted library allocation

page read and write

D7680FE000

stack

page read and write

There are 76 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe

Files

Processes

URLs

Domains

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe

Files

Processes

URLs

Domains

Registry

Memdumps

IOC Report
SecuriteInfo.com.Win64.PWSX-gen.24833.2705.exe