Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ugslmd.exe

PE32 executable (console) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	7.964289450405882
Filename:	ugslmd.exe
Filesize:	643072
MD5:	551ed08a9076a98b16ce6dd72c993209
SHA1:	7f6e01bbbfe0caa479cb9feee9cec092fd4fde9d
SHA256:	b3507a576c4b7861f343a95f00e177c0aaeb44fac3400dd054fe8c0aeeeddccd
SHA512:	58570764200da8757b56060d3ab7881107c791dfde23463c8f431f7b5b76e0c3e1f68b15ef09d38286071201dc478a85d003c11ba1a6346f5c1ea37aa3e2e755
SSDEEP:	12288:+XK4BUw/KnGv8UMmkVmhaPHuukCfb0gLfY+SdZyJxAfjdtOpR8YUa7G:+5lKnghMmkVmhavuuk4TLfKZmedORvPK
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p26y4SX4SX4SX.\.:SX..&?SX4SY&RX..#7SX..66SX..%6SX.D..SX4SX.SX..5;RX.. 5SXRich4SX................PE..L..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Binary may include packed or encrypted code	Data Obfuscation	Software Packing Obfuscated Files or Information
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses new MSVCR Dlls	Compliance, System Summary

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\ugslmd.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.860800455330473
Encrypted:	false
Ssdeep:	3:JQ4F0nxuWCLQYUnIZJjHZbhF02WRhF8iHuhTySWYMovn:W40gLQ5n2TRhChF81zpv
Size:	158
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\ugslmd.exe

"C:\Users\user\Desktop\ugslmd.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7136
Target ID:	0
Parent PID:	2580
Name:	ugslmd.exe
Path:	C:\Users\user\Desktop\ugslmd.exe
Commandline:	"C:\Users\user\Desktop\ugslmd.exe"
Size:	643072
MD5:	551ED08A9076A98B16CE6DD72C993209
Time:	15:34:07
Date:	26/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	2646016
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6516
Target ID:	1
Parent PID:	7136
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	15:34:07
Date:	26/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

580000

unkown

page read and write

5DF000

unkown

page readonly

680000

unkown

page execute and read and write

2720000

heap

page read and write

55F000

unkown

page readonly

19B000

stack

page read and write

681000

unkown

page execute and write copy

5E0000

unkown

page execute read

569000

unkown

page read and write

9C000

stack

page read and write

6A0000

heap

page read and write

880000

heap

page read and write

685000

unkown

page execute and write copy

C70000

heap

page read and write

401000

unkown

page execute read

88A000

heap

page read and write

196000

stack

page read and write

D95000

heap

page read and write

830000

heap

page read and write

400000

unkown

page readonly

D90000

heap

page read and write

B7F000

stack

page read and write

755000

heap

page read and write

750000

heap

page read and write

684000

unkown

page execute and read and write

57B000

unkown

page read and write

590000

unkown

page read and write

690000

heap

page read and write

5EB000

unkown

page execute and write copy

6EE000

stack

page read and write

635000

unkown

page execute and read and write

8AB000

heap

page read and write

400000

unkown

page readonly

72E000

stack

page read and write

5DF000

unkown

page readonly

636000

unkown

page execute and write copy

5EB000

unkown

page execute and write copy

A7F000

stack

page read and write

88E000

heap

page read and write

There are 29 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ugslmd.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportugslmd.exe

Files

Processes

Memdumps

IOC Report
ugslmd.exe