Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.855361281636871
Filename:	SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe
Filesize:	856576
MD5:	abbfe93d01183831f51e40aba4bad37f
SHA1:	17a1f4110b3e711965681bbeb48f6339f8c86078
SHA256:	7d4d612275a6f4c3d1b0d23c3ae19cf39fcdd729f3f899f3df44b619bea7e17b
SHA512:	409c90d186f2ba150c2fdf07b05e89bd9018c345a744d9e7d74558907bcfbeac1e55785c5aec9d60fcc3454e6691091e99928f25e2dfbdf0ab902c225b6b80a0
SSDEEP:	12288:GbSQ9B+7gR0bsImCCayCayZeP2MQRM+8RK+7I/ZNr/T0mE+eom+:t8r0bsIUYUPbKEk7r/TLE+ea
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.d.........."...0.................. ...@....@.. ....................................`................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains methods with suspicious names	System Summary	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads software policies	System Summary	System Information Discovery
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe.log

CSV text

modified

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe.log
Category:	modified
Dump:	SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe
Type:	CSV text
Entropy:	5.355760272568367
Encrypted:	false
Ssdeep:	6:Q3La/xw5DLIP12MUAvvR+uTL2FDkwIyp1v:Q3La/KDLI4MWuPXcp1v
Size:	226
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

\Device\ConDrv

ASCII text, with CRLF, LF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe
Type:	ASCII text, with CRLF, LF line terminators
Entropy:	4.5145667984138695
Encrypted:	false
Ssdeep:	48:aQjqhVfMZCvSCw8ziM2E3u+z78AZHV7LyNWaN/U:5qv5+UzXZJyNWaN/U
Size:	2609
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7340
Target ID:	0
Parent PID:	2580
Name:	SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe"
Size:	856576
MD5:	ABBFE93D01183831F51E40ABA4BAD37F
Time:	09:24:55
Date:	20/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x17ae4530000
Modulesize:	884736
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7348
Target ID:	1
Parent PID:	7340
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:24:55
Date:	20/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

17AE4894000

heap

page read and write

17AE6361000

trusted library allocation

page read and write

17AE4790000

heap

page read and write

17AE4A60000

heap

page read and write

7FFD9B77D000

trusted library allocation

page execute and read and write

17AE486C000

heap

page read and write

17AE48D4000

heap

page read and write

7FFD9B856000

trusted library allocation

page execute and read and write

17AE48A0000

heap

page read and write

7FFD9B790000

trusted library allocation

page read and write

7FFD9B774000

trusted library allocation

page read and write

17AE4866000

heap

page read and write

17AF6363000

trusted library allocation

page read and write

17AE4690000

heap

page read and write

17AE487F000

heap

page read and write

17AE4860000

heap

page read and write

17AF6365000

trusted library allocation

page read and write

17AE4883000

heap

page read and write

17AE4820000

trusted library allocation

page read and write

7FFD9B830000

trusted library allocation

page execute and read and write

7FFD9B910000

trusted library allocation

page read and write

17AE4530000

unkown

page readonly

2634FE000

stack

page read and write

2637FC000

stack

page read and write

17AE4BB0000

heap

page read and write

17AE47B0000

heap

page read and write

17AE4532000

unkown

page readonly

17AE488A000

heap

page read and write

7FFD9B915000

trusted library allocation

page read and write

17AF6361000

trusted library allocation

page read and write

7FFD9B920000

trusted library allocation

page read and write

7FFD9B820000

trusted library allocation

page read and write

17AE48CE000

heap

page read and write

7FF4D4710000

trusted library allocation

page execute and read and write

17AE4A30000

heap

page read and write

7FFD9B79B000

trusted library allocation

page execute and read and write

2632F6000

stack

page read and write

17AE4530000

unkown

page readonly

2633FF000

stack

page read and write

17AE4800000

trusted library allocation

page read and write

7FFD9B890000

trusted library allocation

page execute and read and write

17AE4B70000

heap

page execute and read and write

7FFD9B784000

trusted library allocation

page read and write

7FFD9B79D000

trusted library allocation

page execute and read and write

17AE4770000

heap

page read and write

17AE48A2000

heap

page read and write

7FFD9B91D000

trusted library allocation

page read and write

17AE4604000

unkown

page readonly

7FFD9B7CC000

trusted library allocation

page execute and read and write

2636FE000

stack

page read and write

2635FF000

stack

page read and write

There are 41 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe

Files

Processes

Memdumps

IOC Report
SecuriteInfo.com.Win32.MalwareX-gen.740.29920.exe