Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	4.648679507704008
Filename:	SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe
Filesize:	476672
MD5:	b59e497bc48faee481fe3a7fe2fcd9be
SHA1:	7828ea379213ee691b879ffcb170b8077a50be34
SHA256:	8c2a4618805be59f901786631cb761c1be63389efc6eb1fab198a5dc6c8edb4a
SHA512:	e30b8fe081b71f96e4e77757faaf608bf67d608dc5239e6ec52bebe923ef8a6d5c2d83196d5c2a9ab4302c4a2c4ed80e7d466cc2d97799ac87b85b18d06dcd57
SSDEEP:	3072:aEcNoc+0/7cHVL0GxH4tOYg62G55onkHrL0GxH4tOYg62G55onkHUF0/xHXtOYg7:aE6ozIIHVLoHjLLoHj0F0Hj
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U..\..............0..............5... ...@....@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains functionality to call native functions	System Summary
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Searches for the Microsoft Outlook file path	System Summary	Email Collection
Uses 32bit PE files	Compliance, System Summary	Masquerading
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary	Access Token Manipulation
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary	Access Token Manipulation
Uses Microsoft Silverlight	System Summary	Access Token Manipulation

C:\Users\user\Desktop\CreamSodaActivityLog.txt

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\Desktop\CreamSodaActivityLog.txt
Category:	dropped
Dump:	CreamSodaActivityLog.txt.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.210936522925975
Encrypted:	false
Ssdeep:	12:qaivTE7KjAR7Qh80QEFLWe8iE6l9FMKiECmN7TuaxLF:qRTE7K0R7Qh80QExWe8oxLIa7nNF
Size:	519
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe

"C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6936
Target ID:	0
Parent PID:	2580
Name:	SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe"
Size:	476672
MD5:	B59E497BC48FAEE481FE3A7FE2FCD9BE
Time:	17:26:52
Date:	19/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1c0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://thunderspy.com

unknown

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.fontbureau.com

unknown

http://www.fontbureau.com/designersG

unknown

http://www.fontbureau.com/designers/?

unknown

http://www.founder.com.cn/cn/bThe

unknown

http://thunderspy.com/manifest.xmlL.)lX

unknown

http://www.fontbureau.com/designers?

unknown

http://thunderspy.com/manifest.xml

172.67.213.82

http://www.tiro.com

unknown

http://www.fontbureau.com/designers

unknown

http://www.goodfont.co.kr

unknown

http://www.carterandcone.coml

unknown

http://www.sajatypeworks.com

unknown

http://www.typography.netD

unknown

http://www.fontbureau.com/designers/cabarga.htmlN

unknown

http://www.founder.com.cn/cn/cThe

unknown

http://www.galapagosdesign.com/staff/dennis.htm

unknown

http://www.founder.com.cn/cn

unknown

http://www.fontbureau.com/designers/frere-user.html

unknown

http://www.jiyu-kobo.co.jp/

unknown

http://www.galapagosdesign.com/DPlease

unknown

http://www.fontbureau.com/designers8

unknown

http://www.fonts.com

unknown

http://www.sandoll.co.kr

unknown

http://www.urwpp.deDPlease

unknown

http://www.zhongyicts.com.cn

unknown

http://www.sakkal.com

unknown

There are 18 hidden URLs, click here to show them.

Domains

Name

Malicious

thunderspy.com

172.67.213.82

Details

Name:	thunderspy.com
IP:	172.67.213.82
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

172.67.213.82

thunderspy.com

United States

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\CreamSoda\Settings

Manifests

HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\24\417C44EB

@C:\Windows\system32\windows.storage.dll,-50691

HKEY_CURRENT_USER\SOFTWARE\CreamSoda\Settings

CoHPath

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASMANCS

FileDirectory

There are 8 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

C04C000

stack

page read and write

2B3C000

trusted library allocation

page read and write

929000

heap

page read and write

832000

trusted library allocation

page execute and read and write

C00E000

stack

page read and write

82A000

trusted library allocation

page execute and read and write

DD0000

trusted library allocation

page read and write

A4A000

trusted library allocation

page execute and read and write

2AFF000

trusted library allocation

page read and write

630000

heap

page read and write

676E000

unkown

page read and write

4AE0000

trusted library section

page readonly

8625000

heap

page read and write

C53F000

stack

page read and write

64B0000

heap

page read and write

65A8000

trusted library allocation

page read and write

6550000

trusted library allocation

page read and write

8ECB000

stack

page read and write

7E0E000

stack

page read and write

4DD4000

heap

page read and write

CCDC000

stack

page read and write

A40000

trusted library allocation

page read and write

2B51000

trusted library allocation

page read and write

B17000

heap

page read and write

84FB000

stack

page read and write

90B000

heap

page read and write

A5C000

trusted library allocation

page execute and read and write

38E1000

trusted library allocation

page read and write

840000

heap

page read and write

4BD0000

heap

page read and write

C7F0000

trusted library allocation

page execute and read and write

6386000

heap

page read and write

C1BD000

stack

page read and write

DBCA000

stack

page read and write

AAE000

stack

page read and write

8631000

heap

page read and write

8600000

heap

page read and write

CBDE000

stack

page read and write

4CDD000

stack

page read and write

4A00000

trusted library allocation

page execute and read and write

3BC000

stack

page read and write

2B2B000

trusted library allocation

page read and write

6568000

trusted library allocation

page read and write

905B000

stack

page read and write

5E72000

trusted library allocation

page read and write

659A000

trusted library allocation

page read and write

B49E000

stack

page read and write

8FCB000

stack

page read and write

8621000

heap

page read and write

67BB000

stack

page read and write

655E000

trusted library allocation

page read and write

655A000

trusted library allocation

page read and write

7E4E000

stack

page read and write

808F000

stack

page read and write

7F4F000

stack

page read and write

4D60000

heap

page read and write

7E0000

heap

page read and write

8D3C000

stack

page read and write

A65000

trusted library allocation

page execute and read and write

86D9000

heap

page read and write

796000

heap

page read and write

8B5000

heap

page read and write

B10000

heap

page read and write

653C000

trusted library allocation

page read and write

638F000

heap

page read and write

D1E000

stack

page read and write

2999000

trusted library allocation

page read and write

4DB5000

heap

page read and write

6580000

trusted library allocation

page read and write

6590000

trusted library allocation

page read and write

B0E000

stack

page read and write

65A0000

trusted library allocation

page read and write

BF0B000

stack

page read and write

CA9E000

stack

page read and write

8698000

heap

page read and write

C85D000

stack

page read and write

4B90000

heap

page read and write

2AC0000

trusted library allocation

page read and write

84A000

heap

page read and write

C800000

unclassified section

page read and write

945D000

stack

page read and write

6574000

trusted library allocation

page read and write

8E3A000

stack

page read and write

653E000

trusted library allocation

page read and write

4D8E000

heap

page read and write

8D4000

heap

page read and write

CD07000

heap

page read and write

4DA3000

heap

page read and write

7D0E000

stack

page read and write

6250000

heap

page read and write

CD61000

heap

page read and write

6598000

trusted library allocation

page read and write

28E1000

trusted library allocation

page read and write

8680000

heap

page read and write

6560000

trusted library allocation

page read and write

4BA0000

heap

page read and write

CCF0000

heap

page read and write

655C000

trusted library allocation

page read and write

CD0C000

heap

page read and write

4DBA000

heap

page read and write

4D40000

heap

page read and write

85FE000

stack

page read and write

49F0000

trusted library allocation

page read and write

92AB000

stack

page read and write

6370000

heap

page read and write

86F8000

heap

page read and write

684B000

stack

page read and write

6520000

heap

page read and write

83C000

trusted library allocation

page execute and read and write

86A2000

heap

page read and write

4BD3000

heap

page read and write

7F8E000

stack

page read and write

2B22000

trusted library allocation

page read and write

D20000

heap

page read and write

8AD000

heap

page read and write

6373000

heap

page read and write

2A00000

trusted library allocation

page read and write

6380000

heap

page read and write

5E50000

trusted library allocation

page read and write

862B000

heap

page read and write

A42000

trusted library allocation

page read and write

2C5000

stack

page read and write

D27000

heap

page read and write

4B00000

trusted library allocation

page read and write

6570000

trusted library allocation

page read and write

392A000

trusted library allocation

page read and write

CC1E000

stack

page read and write

49DF000

stack

page read and write

8636000

heap

page read and write

A62000

trusted library allocation

page read and write

DF7000

heap

page read and write

87F000

heap

page read and write

2B47000

trusted library allocation

page read and write

822000

trusted library allocation

page execute and read and write

6578000

trusted library allocation

page read and write

2B1A000

trusted library allocation

page read and write

C99E000

stack

page read and write

CD1B000

heap

page read and write

4D20000

trusted library allocation

page read and write

1C0000

unkown

page readonly

2B10000

trusted library allocation

page read and write

C43E000

stack

page read and write

A50000

trusted library allocation

page read and write

4D78000

heap

page read and write

C95E000

stack

page read and write

680F000

stack

page read and write

DF0000

heap

page read and write

A5A000

trusted library allocation

page execute and read and write

6558000

trusted library allocation

page read and write

CFEE000

stack

page read and write

7EF40000

trusted library allocation

page execute read

CD15000

heap

page read and write

86F3000

heap

page read and write

2B04000

trusted library allocation

page read and write

A6B000

trusted library allocation

page execute and read and write

4BB0000

trusted library allocation

page execute and read and write

CFF0000

trusted library allocation

page read and write

810000

trusted library allocation

page read and write

C160000

heap

page read and write

B59E000

stack

page read and write

92EC000

stack

page read and write

8E4000

heap

page read and write

790000

heap

page read and write

A52000

trusted library allocation

page execute and read and write

CADD000

stack

page read and write

84E000

heap

page read and write

863B000

heap

page read and write

2B5C000

trusted library allocation

page read and write

C170000

heap

page read and write

915D000

stack

page read and write

C2BF000

stack

page read and write

2AF3000

trusted library allocation

page read and write

8D7000

heap

page read and write

AB7000

heap

page execute and read and write

6556000

trusted library allocation

page read and write

6572000

trusted library allocation

page read and write

6548000

trusted library allocation

page read and write

91AB000

stack

page read and write

AB0000

heap

page execute and read and write

C14E000

stack

page read and write

2AFA000

trusted library allocation

page read and write

4D50000

heap

page read and write

8E1000

heap

page read and write

4DC3000

heap

page read and write

65A2000

trusted library allocation

page read and write

868A000

heap

page read and write

A67000

trusted library allocation

page execute and read and write

64C0000

heap

page execute and read and write

86B9000

heap

page read and write

710000

heap

page read and write

6384000

heap

page read and write

1C2000

unkown

page readonly

4D45000

heap

page read and write

830000

trusted library allocation

page read and write

CD59000

heap

page read and write

4ADB000

stack

page read and write

6554000

trusted library allocation

page read and write

654A000

trusted library allocation

page read and write

2ADB000

trusted library allocation

page read and write

8666000

heap

page read and write

A46000

trusted library allocation

page execute and read and write

8677000

heap

page read and write

8760000

heap

page read and write

6552000

trusted library allocation

page read and write

There are 194 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe