Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Trojan.GenericKD.71965879.10556.925.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.35392197970401
Filename:	SecuriteInfo.com.Trojan.GenericKD.71965879.10556.925.exe
Filesize:	480136
MD5:	0712a91d8604bdd111ea4f9e783b3083
SHA1:	3d70cf48c5a9d38bfac0f2f744bf00ffcede9e9d
SHA256:	c38982211b0b80699e6379501fe48ca594727fffdd580eb1dc5c05aa06bd6d04
SHA512:	4172c3899ca8137003cd02555db49bc1d0fc79a121c20ce70e1e36f44ce9e34e52edf1525cea2cd2503215ecf0ea622d011dcc45f63a25e4b217e3000adaf2a9
SSDEEP:	6144:xmnG+egsZWSeVqI/bA/7eCBl/F05lveyohDrwNx9cJ1crg/WkucbXsZZIxQADzm:IGR5UVz/bqaeldYhotwNM7cryouXQR
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Y...Y...Y...X...Y...X...Y...X...Y...X...Y...X...Y...X...Y...Y...Y...X...Yi..X...Yi..X...Yi..Y...Y...Y...Yi..X...YRich...

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to delete services	System Summary	Access Token Manipulation System Time Discovery
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
PE / OLE file has an invalid certificate	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation Security Software Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information Security Software Discovery
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to create services	System Summary	Access Token Manipulation System Information Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to modify services (start/stop/modify)	System Summary	Service Execution Windows Service Access Token Manipulation System Time Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Contains functionality to start windows services	Boot Survival	Access Token Manipulation
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample might require command line arguments	System Summary	Command and Scripting Interpreter Access Token Manipulation Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary
Found installer window with terms and condition text	Compliance, System Summary	Security Software Discovery
Executable creates window controls seldom found in malware	System Summary	Access Token Manipulation
Uses Rich Edit Controls	System Summary	Access Token Manipulation

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71965879.10556.925.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.593386417479181
Encrypted:	false
Ssdeep:	12:vQ71yvCbGpywpw+EX2bhIy/IEEvPIws5qu8bHqSpa:ZvVHvh/fuQDsuj
Size:	559
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71965879.10556.925.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71965879.10556.925.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3040
Target ID:	0
Parent PID:	1028
Name:	SecuriteInfo.com.Trojan.GenericKD.71965879.10556.925.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71965879.10556.925.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71965879.10556.925.exe"
Size:	480136
MD5:	0712A91D8604BDD111EA4F9E783B3083
Time:	08:24:55
Date:	25/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7d9560000
Modulesize:	499712
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE / OLE file has an invalid certificate	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	2020
Target ID:	1
Parent PID:	3040
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	08:24:55
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://www.sysinternals.com0

unknown

http://www.microsoft.co

unknown

Details

Name:	http://www.microsoft.co
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.71965879.10556.925.exe
Source:	SecuriteInfo.com.Trojan.GenericKD.71965879.10556.925.exe

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking
Found installer window with terms and condition text	Compliance, System Summary

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Sysinternals\????????.

EulaAccepted

Memdumps

Base Address

Regiontype

Protect

Malicious

288AAC45000

heap

page read and write

288AAA84000

heap

page read and write

9595CFE000

stack

page read and write

288AAB60000

heap

page read and write

288AAA69000

heap

page read and write

7FF7D95A6000

unkown

page readonly

288AC820000

trusted library allocation

page read and write

288AE120000

trusted library allocation

page read and write

288AAA70000

heap

page read and write

7FF7D95A6000

unkown

page readonly

7FF7D958A000

unkown

page readonly

288AAA73000

heap

page read and write

7FF7D95A3000

unkown

page read and write

288AABB0000

heap

page read and write

288AAA6C000

heap

page read and write

288AAA4C000

heap

page read and write

288AABE0000

heap

page read and write

95959FE000

stack

page read and write

288AAC20000

heap

page read and write

288AAA8C000

heap

page read and write

288AAC40000

heap

page read and write

95958FA000

stack

page read and write

7FF7D95A9000

unkown

page readonly

7FF7D9560000

unkown

page readonly

288AAA87000

heap

page read and write

7FF7D958A000

unkown

page readonly

9595BFE000

stack

page read and write

7FF7D95A3000

unkown

page write copy

7FF7D9561000

unkown

page execute read

288AC820000

heap

page read and write

288AAAA4000

heap

page read and write

7FF7D9560000

unkown

page readonly

288AAA6C000

heap

page read and write

288AA960000

heap

page read and write

288AABB4000

heap

page read and write

288AAA8C000

heap

page read and write

288AAA9B000

heap

page read and write

288AAA82000

heap

page read and write

9595AFE000

stack

page read and write

288AAA68000

heap

page read and write

288AAA40000

heap

page read and write

288AAB40000

heap

page read and write

7FF7D95A9000

unkown

page readonly

288AAA95000

heap

page read and write

288AAA70000

heap

page read and write

7FF7D9561000

unkown

page execute read

288AAC4B000

heap

page read and write

288AAA74000

heap

page read and write

288AAA9B000

heap

page read and write

There are 39 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Trojan.GenericKD.71965879.10556.925.exe

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Trojan.GenericKD.71965879.10556.925.exe

Files

Processes

URLs

Registry

Memdumps

IOC Report
SecuriteInfo.com.Trojan.GenericKD.71965879.10556.925.exe