Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

RpcSsv.exe

PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy:	6.15395147872826
Filename:	RpcSsv.exe
Filesize:	45272
MD5:	523613a7b9dfa398cbd5ebd2dd0f4f38
SHA1:	3e92f697d642d68bb766cc93e3130b36b2da2bab
SHA256:	3e59379f585ebf0becb6b4e06d0fbbf806de28a4bb256e837b4555f1b4245571
SHA512:	2ca42e21ebc26233c3822851d9fc82f950186820e10d3601c92b648415eb720f0e1a3a6d9d296497a3393a939a9424c47b1e5eaedfd864f96e3ab8986f6b35b5
SSDEEP:	768:gaGHu/aKUAvRCXA/e6PfVVCJrxg/KKjMozd6jSemG0nf2Fcc5C+qLaVp:CuSzAvRCxmNVCgi+IjNmDO15C+qLaVp
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....sN........../......f...,................@.....................................9......... ............................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE / OLE file has a valid certificate	Compliance, System Summary

\Device\ConDrv

ASCII text, with no line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\RpcSsv.exe
Type:	ASCII text, with no line terminators
Entropy:	3.121928094887362
Encrypted:	false
Ssdeep:	3:umFn:D
Size:	10
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\RpcSsv.exe

"C:\Users\user\Desktop\RpcSsv.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7592
Target ID:	0
Parent PID:	2580
Name:	RpcSsv.exe
Path:	C:\Users\user\Desktop\RpcSsv.exe
Commandline:	"C:\Users\user\Desktop\RpcSsv.exe"
Size:	45272
MD5:	523613A7B9DFA398CBD5EBD2DD0F4F38
Time:	14:59:32
Date:	25/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	65536
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Netcat	Spreading
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE / OLE file has a valid certificate	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7600
Target ID:	1
Parent PID:	7592
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	14:59:32
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://secure.globalsign.net/cacert/PrimObject.crt0

unknown

http://secure.globalsign.net/cacert/ObjectSign.crt09

unknown

http://www.globalsign.net/repository09

unknown

http://eternallybored.org/misc/netcat/

unknown

http://www.globalsign.net/repository/0

unknown

http://www.globalsign.net/repository/03

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

409000

unkown

page readonly

409000

unkown

page readonly

80000

heap

page read and write

1E0000

heap

page read and write

401000

unkown

page execute read

400000

unkown

page readonly

736000

heap

page read and write

40C000

unkown

page read and write

400000

unkown

page readonly

160000

heap

page read and write

180000

heap

page read and write

60D000

stack

page read and write

730000

heap

page read and write

73B000

heap

page read and write

408000

unkown

page write copy

40D000

unkown

page write copy

40C000

unkown

page write copy

408000

unkown

page read and write

401000

unkown

page execute read

There are 9 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
RpcSsv.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportRpcSsv.exe

Files

Processes

URLs

Memdumps

IOC Report
RpcSsv.exe