Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.9333901239069
Filename:	SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Filesize:	925696
MD5:	dda215e4c93c5bcd1626d798a9114052
SHA1:	686205c045db9236cb7a76cc48a4759f3a775bed
SHA256:	786c781885708a2dd6f66a997cda19fa13f06542a1c5f35c50619494d45d2cb9
SHA512:	e92305408df77d52e506aa4b4a40f0dcb7c77cd54ba6201d98c210db6ec1df61dc4fd5193f6cbd59c1ce83f6da771c0f97facf976d99b79473148f32424c55ca
SSDEEP:	24576:qEI9/9HoYVM+ptl7ho60OegX7AoCnhIaXnMvQoT:K/9DPdf0ErvCnhI
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}GV...V...V..._...D....W..P....W..t....W..\....W..R.......Y...V...a....T..Q....T..W....T..W...RichV...................PE..d..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior
Machine Learning detection for sample	AV Detection
Sample is not signed and drops a device driver	Persistence and Installation Behavior
Abnormal high CPU Usage	System Summary	System Time Discovery System Information Discovery
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to communicate with device drivers	System Summary
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Process Discovery Clipboard Data
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Creates driver files	System Summary
Creates files inside the system directory	System Summary
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found large amount of non-executed APIs	Malware Analysis System Evasion
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sample file is different than original file name gathered from version info	System Summary
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Users\user\AppData\Local\Temp\uKPwkwKUWlbmzgNfgIh

PE32+ executable (native) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\uKPwkwKUWlbmzgNfgIh
Category:	dropped
Dump:	uKPwkwKUWlbmzgNfgIh.3.dr
ID:	dr_4
Target ID:	3
Process:	C:\Windows\SoftwareDistribution\Download\bugado.exe
Type:	PE32+ executable (native) x86-64, for MS Windows
Entropy:	6.458050812199268
Encrypted:	false
Ssdeep:	384:gxdNvW7C8naMYCjizSO/YWwhtSgvNR0m1us7pfBMRKr+PLDRfvgXifBMRg6PWNTj:gHNwmJ/7UtSwR317uPPlvgXiu/6Tbf
Size:	34568
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates temporary files	System Summary

C:\Windows\SoftwareDistribution\Download\bugado.exe

PE32+ executable (console) x86-64, for MS Windows

dropped

Details

File:	C:\Windows\SoftwareDistribution\Download\bugado.exe
Category:	dropped
Dump:	bugado.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Type:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.140567886686446
Encrypted:	false
Ssdeep:	3072:rOUDtpXnRNEvhxNyatnKl9rGmJTQSaMm5/6TYfEBjgQ:rOUDDXnRNEv7wEo9WlTfYjg
Size:	137728
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Machine Learning detection for dropped file	AV Detection
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging	Security Software Discovery
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)	Malware Analysis System Evasion, Anti Debugging	Security Software Discovery
Contains functionality to load drivers	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates files inside the system directory	System Summary	Masquerading
Creates or modifies windows services	Boot Survival	Windows Service
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Enables driver privileges	System Summary	LSASS Driver
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Spawns drivers	System Summary	LSASS Driver
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Windows\SoftwareDistribution\Download\bugado.sys

PE32+ executable (native) x86-64, for MS Windows

dropped

Details

File:	C:\Windows\SoftwareDistribution\Download\bugado.sys
Category:	dropped
Dump:	bugado.sys.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Type:	PE32+ executable (native) x86-64, for MS Windows
Entropy:	4.182795808297679
Encrypted:	false
Ssdeep:	96:UqxuHKt7sSeDUWtASg/SHWj7kxDPiNO+R0yV:UmuHKt7ZiUWtAlYcIPoI
Size:	7680
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sample is not signed and drops a device driver	Persistence and Installation Behavior
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates driver files	System Summary	Windows Service
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Spawns processes	System Summary	Process Injection

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.3.dr
ID:	dr_3
Target ID:	3
Process:	C:\Windows\SoftwareDistribution\Download\bugado.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.887021118820729
Encrypted:	false
Ssdeep:	3:m4FkwF40XGA7cqQ9FUOdwyjes6v+pfh2DaG/dv4FBOBFRecWgFmWErXTMGGMFU2x:m4Gw4uX7cFXyHCYDaiv4FBK3WgFmDrXn
Size:	162
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2444
Target ID:	0
Parent PID:	4004
Name:	SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe"
Size:	925696
MD5:	DDA215E4C93C5BCD1626D798A9114052
Time:	08:24:54
Date:	25/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7257f0000
Modulesize:	946176
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\SoftwareDistribution\Download\bugado.exe

"C:\Windows\SoftwareDistribution\Download\bugado.exe" C:\Windows\SoftwareDistribution\Download\bugado.sys

Details

Is windows:	false
Is dropped:	true
PID:	5060
Target ID:	3
Parent PID:	2444
Name:	bugado.exe
Path:	C:\Windows\SoftwareDistribution\Download\bugado.exe
Commandline:	"C:\Windows\SoftwareDistribution\Download\bugado.exe" C:\Windows\SoftwareDistribution\Download\bugado.sys
Size:	137728
MD5:	34CFBE3FF70461820CCC31A1AFEEC0B3
Time:	08:24:56
Date:	25/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff617580000
Modulesize:	155648
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4548
Target ID:	1
Parent PID:	2444
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	08:24:54
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5028
Target ID:	4
Parent PID:	5060
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	08:24:56
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Details

Is windows:	true
Is dropped:	false
PID:	5372
Target ID:	5
Parent PID:	2444
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c cls
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	08:24:56
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff670020000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://crl.thawte.com/ThawteTimestampingCA.crl0

unknown

http://ocsp.thawte.com0

unknown

http://ocsp.veH

unknown

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uKPwkwKUWlbmzgNfgIh

ImagePath

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uKPwkwKUWlbmzgNfgIh

Type

Memdumps

Base Address

Regiontype

Protect

Malicious

23F9BA77000

heap

page read and write

23F9BA73000

heap

page read and write

7FF7257F0000

unkown

page readonly

23F9BA64000

heap

page read and write

23F9BA0F000

heap

page read and write

23F9BA68000

heap

page read and write

23F9BA54000

heap

page read and write

23F9BA81000

heap

page read and write

7FF617580000

unkown

page readonly

23F9F030000

heap

page read and write

9F459FF000

stack

page read and write

7FF617580000

unkown

page readonly

23F9D370000

heap

page read and write

23F9BA18000

heap

page read and write

23F9D455000

heap

page read and write

13A43E40000

heap

page read and write

7FF725839000

unkown

page readonly

23F9B940000

heap

page read and write

7FF7258AE000

unkown

page write copy

23F9BA82000

heap

page read and write

23F9BA98000

heap

page read and write

23F9D450000

heap

page read and write

13A43D60000

heap

page read and write

23F9BA7F000

heap

page read and write

23F9B9C9000

heap

page read and write

7FF617591000

unkown

page readonly

23F9BA18000

heap

page read and write

7FF617591000

unkown

page readonly

13A441B0000

heap

page read and write

23F9BA62000

heap

page read and write

23F9BA3A000

heap

page read and write

7FF7258A6000

unkown

page readonly

2C3ACFD000

stack

page read and write

7FF7257F1000

unkown

page execute read

23F9BA11000

heap

page read and write

23F9BA39000

heap

page read and write

7FF6175A2000

unkown

page read and write

2C3AEFF000

stack

page read and write

23F9BA54000

heap

page read and write

23F9B9EC000

heap

page read and write

13A43F3C000

heap

page read and write

2C3ADFF000

stack

page read and write

23F9BA72000

heap

page read and write

23F9BA54000

heap

page read and write

13A43F30000

heap

page read and write

23F9B9DF000

heap

page read and write

7FF7258A6000

unkown

page readonly

7FF617581000

unkown

page execute read

7FF617581000

unkown

page execute read

7FF7258D2000

unkown

page readonly

7FF725839000

unkown

page readonly

13A43E60000

heap

page read and write

23F9BA80000

heap

page read and write

9F458F6000

stack

page read and write

7FF7258AD000

unkown

page write copy

23F9B950000

heap

page read and write

23F9BA54000

heap

page read and write

13A43F36000

heap

page read and write

23F9BA63000

heap

page read and write

23F9BA5F000

heap

page read and write

23F9B9FD000

heap

page read and write

23F9B9FB000

heap

page read and write

23F9B9B7000

heap

page read and write

23F9BA9B000

heap

page read and write

7FF7258AD000

unkown

page read and write

7FF7258D2000

unkown

page readonly

7FF7257F1000

unkown

page execute read

23F9BA18000

heap

page read and write

23F9B9EC000

heap

page read and write

23F9B9FB000

heap

page read and write

7FF6175A3000

unkown

page readonly

23F9B9B0000

heap

page read and write

23F9B9DA000

heap

page read and write

23F9BA66000

heap

page read and write

7FF7258D0000

unkown

page read and write

7FF6175A3000

unkown

page readonly

23F9BA97000

heap

page read and write

7FF7257F0000

unkown

page readonly

23F9B980000

heap

page read and write

23F9BA75000

heap

page read and write

7FF6175A2000

unkown

page write copy

There are 71 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Files

Processes

URLs

Registry

Memdumps

IOC Report
SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe