Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.741488181478588
Filename:	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe
Filesize:	1112208
MD5:	af1e56057951887a763d4e97670a1036
SHA1:	bc0b8c98c0fdbb805b8e8415a860be0966de30be
SHA256:	5eb65feae4e36b791ced20aa9fb912311ab3f920613857819a51df2ccba9a485
SHA512:	4a778b1c6ee14ad3f790ab00b421b351d06f05b688a6c80525133a158363602f417a10adfeb09724a2f20e39736df628bbcffe03f44e145550a1cd48d7900269
SSDEEP:	24576:/ZepAVvX2Z3XFt81lUu28MMxO17zJZVtL0n31QIChuUO/vDBTo:BeyWf9HHhVOnl
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Queries disk information (often used to detect virtual machines)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion System Information Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Uses 32bit PE files	Compliance, System Summary
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)	System Summary
Configures the Internet Explorer emulation mode (likely to run Javascript)	Bitcoin Miner	Scripting
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Modifies the internet feature controls of the internet explorer	Lowering of HIPS / PFW / Operating System Security Settings	Modify Registry
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion
Reads ini files	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Writes ini files	System Summary	File and Directory Discovery
PE / OLE file has a valid certificate	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\Desktop\desktop.ini

Unicode text, UTF-16, little-endian text, with CRLF line terminators

modified

Details

File:	C:\Users\user\Desktop\desktop.ini
Category:	modified
Dump:	desktop.ini.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.514693737970008
Encrypted:	false
Ssdeep:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
Size:	282
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Reads ini files	System Summary	File and Directory Discovery
Writes ini files	System Summary	File and Directory Discovery

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3044
Target ID:	0
Parent PID:	4056
Name:	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe"
Size:	1112208
MD5:	AF1E56057951887A763D4E97670A1036
Time:	12:28:58
Date:	19/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1146880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)	System Summary
Configures the Internet Explorer emulation mode (likely to run Javascript)	Bitcoin Miner	Scripting
Detected Delphi use of System.ParamCount	System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
URLs found in memory or binary data	Networking
PE / OLE file has a valid certificate	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

http://ssp.7654.com/ct/m?mixData=

unknown

http://report.thorzip.muxin.fun/eH

unknown

http://hotnews.dftoutiao.com/

unknown

http://report.thorzip.muxin.fun/lszip/bubble_info?code=jWLGHnD6CYifDIjqc6sGs/Bbp6bCfV8bglNO

unknown

http://news.7654.com/mini_new3/jsb/

unknown

http://pv.sohu.com/cityjson?ie=utf-8

unknown

http://www.symauth.com/rpa00

unknown

http://hotnews.dftoutiao.com/hotwordsnews/getnews?qid=kuaiyatitle&platform=pc&newstype=now

unknown

http://api.map.baidu.com/telematics/v3/weather?location=%s&output=json&ak=spmMww7Eoqcmf3FXbnLyDUwLU

unknown

http://files.news.baidu.com/mini_new3/jjj/MiniLogo.PNG

unknown

http://hotnews.dftoutiao.com/hotwordsnews/getnews?qid=%s&platform=pc&newstype=%s

unknown

http://report.thorzip.muxin.fun/tart

unknown

http://weather.shzhanmeng.com/api/weather/%sU

unknown

http://api.map.baidu.com/telematics/v3/weather?location=%s&output=json&ak=spmMww7Eoqcmf3FXbnLyDUwL

unknown

http://www.symauth.com/cps0(

unknown

http://report.thorzip.muxin.fun/

unknown

http://ssp.7654.com/ct?mixData=

unknown

http://ssp.7654.com/ct?mixData=les

unknown

http://news.baidu.com/mini_new3/jjj/

unknown

http://report.thorzip.muxin.fun/crosoft

unknown

http://iplocation.7654.com/v1

unknown

http://weather.shzhanmeng.com/api/weather/%s

unknown

http://bsalsa.com/

unknown

http://report.thorzip.muxin.fun/lszip/bubble_info?code=jwlghnd6cyifdijqc6sgs/bbp6bcfv8bglno

unknown

There are 14 hidden URLs, click here to show them.

Domains

Name

Malicious

report.thorzip.muxin.fun

unknown

hotnews.dftoutiao.com

unknown

files.news.baidu.com

unknown

Details

Name:	files.news.baidu.com
TargetID:	-1
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION

SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Value name:	SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe
Value data:	11000

Signature Hits	Behavior Group	Mitre Attack
Configures the Internet Explorer emulation mode (likely to run Javascript)	Bitcoin Miner	Scripting
Modifies the internet feature controls of the internet explorer	Lowering of HIPS / PFW / Operating System Security Settings	Modify Registry

HKEY_CURRENT_USER\SOFTWARE\MiniNewsInfo

CLS_ID

HKEY_CURRENT_USER\SOFTWARE\LiveUpdate360

632

Memdumps

Base Address

Regiontype

Protect

Malicious

305C000

direct allocation

page read and write

2A4B000

stack

page read and write

23C3000

direct allocation

page read and write

4BB000

unkown

page write copy

604000

heap

page read and write

2190000

heap

page read and write

605000

heap

page read and write

604000

heap

page read and write

74E000

stack

page read and write

672000

heap

page read and write

2CCF000

stack

page read and write

604000

heap

page read and write

7FD40000

direct allocation

page read and write

65B000

heap

page read and write

604000

heap

page read and write

604000

heap

page read and write

2367000

direct allocation

page read and write

22E8000

direct allocation

page read and write

4CC000

unkown

page readonly

604000

heap

page read and write

23B4000

direct allocation

page read and write

237B000

direct allocation

page read and write

610000

heap

page read and write

604000

heap

page read and write

4C6000

unkown

page read and write

19B000

stack

page read and write

604000

heap

page read and write

604000

heap

page read and write

22BB000

direct allocation

page read and write

2304000

direct allocation

page read and write

520000

heap

page read and write

2375000

direct allocation

page read and write

604000

heap

page read and write

98F000

stack

page read and write

990000

heap

page read and write

604000

heap

page read and write

22FA000

direct allocation

page read and write

686000

heap

page read and write

21A0000

direct allocation

page execute and read and write

604000

heap

page read and write

294E000

stack

page read and write

2BCE000

stack

page read and write

3065000

direct allocation

page read and write

604000

heap

page read and write

604000

heap

page read and write

22D9000

direct allocation

page read and write

604000

heap

page read and write

604000

heap

page read and write

2290000

heap

page read and write

4C0000

unkown

page read and write

22CB000

direct allocation

page read and write

22A0000

direct allocation

page read and write

232A000

direct allocation

page read and write

2398000

direct allocation

page read and write

604000

heap

page read and write

307C000

direct allocation

page read and write

618000

heap

page read and write

604000

heap

page read and write

225C000

stack

page read and write

22B4000

direct allocation

page read and write

2382000

direct allocation

page read and write

68C000

heap

page read and write

604000

heap

page read and write

290D000

stack

page read and write

604000

heap

page read and write

23AD000

direct allocation

page read and write

239F000

direct allocation

page read and write

604000

heap

page read and write

2E0F000

stack

page read and write

604000

heap

page read and write

604000

heap

page read and write

604000

heap

page read and write

600000

heap

page read and write

23A6000

direct allocation

page read and write

4C4000

unkown

page read and write

22F2000

direct allocation

page read and write

604000

heap

page read and write

2E41000

heap

page read and write

2D0E000

stack

page read and write

230B000

direct allocation

page read and write

604000

heap

page read and write

2213000

heap

page read and write

30C0000

trusted library allocation

page read and write

604000

heap

page read and write

401000

unkown

page execute read

88E000

stack

page read and write

604000

heap

page read and write

2A8E000

stack

page read and write

2E40000

heap

page read and write

604000

heap

page read and write

2390000

direct allocation

page read and write

231B000

direct allocation

page read and write

658000

heap

page read and write

2210000

heap

page read and write

2389000

direct allocation

page read and write

400000

unkown

page readonly

604000

heap

page read and write

604000

heap

page read and write

84F000

stack

page read and write

23D1000

direct allocation

page read and write

236E000

direct allocation

page read and write

4C6000

unkown

page write copy

23D8000

direct allocation

page read and write

30E0000

heap

page read and write

23CA000

direct allocation

page read and write

23BC000

direct allocation

page read and write

604000

heap

page read and write

4BB000

unkown

page read and write

604000

heap

page read and write

9B000

stack

page read and write

2B8F000

stack

page read and write

604000

heap

page read and write

604000

heap

page read and write

2322000

direct allocation

page read and write

There are 104 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

Files

Processes

URLs

Domains

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Win32.Adware-gen.13861.28606.exe

Files

Processes

URLs

Domains

Registry

Memdumps

IOC Report
SecuriteInfo.com.Win32.Adware-gen.13861.28606.exe