Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Trojan.DownLoad3.33216.13863.20878.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	4.194430059234133
Filename:	SecuriteInfo.com.Trojan.DownLoad3.33216.13863.20878.exe
Filesize:	5632
MD5:	a6edc88e45cdddefc02dcaaa6c0ffc2f
SHA1:	37ccc25cc0e31a3d26047b13886b2c2072081cc5
SHA256:	0833c4e8e1125dbc4ec18d3803be63778cf3cb2d1a77c8398f3b380c1c7e25cb
SHA512:	6a890cb1c1a1e2a2ab87604a64ed4d3e2e922fd5753dea55155e0daf3d469388d9631ba5f8cc5f2cae44f178735029952374bdea480481f14988484f274c05e6
SSDEEP:	48:6pTlYrITctYG+vLHmCyYfJyMmw9jAUzEVnQBG/RACalGUbw2CS7DD:mBLYtOvLGazZ6wAnQWRRUbw2CqD
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........eW...9...9...9..\|....9...8...9.......9.......9.Rich..9.........PE..L...>.qS............................ ........ ....@........

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Uses 32bit PE files	Compliance, System Summary	Masquerading
Contains functionality to download additional files from the internet	Networking
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary	System Information Discovery
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary

C:\Users\user\AppData\Local\Temp\denis.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\denis.exe
Category:	dropped
Dump:	denis.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.33216.13863.20878.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	4.196169606705238
Encrypted:	false
Ssdeep:	48:6pTlYrITctYG+vLHmCyYfJyMmw9jAUzEVnQBG/RACalGUbw2CS7DD6pH1E1:mBLYtOvLGazZ6wAnQWRRUbw2CqDB
Size:	5792
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Deletes itself after installation	Hooking and other Techniques for Hiding and Protection	File Deletion
Machine Learning detection for dropped file	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\1305UKdw[1].htm

HTML document, ASCII text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\1305UKdw[1].htm
Category:	dropped
Dump:	1305UKdw[1].htm.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Users\user\AppData\Local\Temp\denis.exe
Type:	HTML document, ASCII text
Entropy:	5.201792764052907
Encrypted:	false
Ssdeep:	6:pn0+Dy9xwol6hEr6VX16hu9nPia5DMGfU+KqD:J0+ox0RJWWPxgG3T
Size:	278
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\1305UKdw[1].htm

HTML document, ASCII text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\1305UKdw[1].htm
Category:	dropped
Dump:	1305UKdw[1].htm0.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Users\user\AppData\Local\Temp\denis.exe
Type:	HTML document, ASCII text
Entropy:	5.201792764052907
Encrypted:	false
Ssdeep:	6:pn0+Dy9xwol6hEr6VX16hu9nPia5DMGfU+KqD:J0+ox0RJWWPxgG3T
Size:	278
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.33216.13863.20878.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.33216.13863.20878.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6900
Target ID:	0
Parent PID:	2580
Name:	SecuriteInfo.com.Trojan.DownLoad3.33216.13863.20878.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.33216.13863.20878.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.33216.13863.20878.exe"
Size:	5632
MD5:	A6EDC88E45CDDDEFC02DCAAA6C0FFC2F
Time:	19:34:39
Date:	22/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	24576
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains an invalid checksum	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\denis.exe

"C:\Users\user\AppData\Local\Temp\denis.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7020
Target ID:	1
Parent PID:	6900
Name:	denis.exe
Path:	C:\Users\user\AppData\Local\Temp\denis.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\denis.exe"
Size:	5792
MD5:	193D2CA7921D04C3811D9A827D49D79E
Time:	19:34:39
Date:	22/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	24576
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://download.luxesydiseno.com/images/powerslide/Concha/1305UKdw.zipS

unknown

http://www.paulaggg.com/drawings/index.php?page=fast

unknown

http://paulagail.etsy.com/

unknown

http://www.w3c.org/TR/html4/strict.dtd

unknown

http://paulaggg.com/css/1305UKdw.zip9c77b0923665da6f1LMEM

unknown

http://www.cafepress.com/paulagail

unknown

http://download.luxesydiseno.com/images/powerslide/Concha/1305UKdw.zipvY

unknown

http://paulaggg.com/css/1305UKdw.zipEd

unknown

http://luxesydiseno.com/images/powerslide/Concha/1305UKdw.zip

192.254.232.193

http://paulaggg.com/css/1305UKdw.zippp

unknown

http://luxesydiseno.com/images/powerslide/Concha/1305UKdw.zipmp

unknown

http://luxesydiseno.com/images/powerslide/Concha/1305UKdw.zipshqos.dll.muiBc

unknown

http://paulaggg.com/css/1305UKdw.zipp2

unknown

http://paulaggg.com/css/1305UKdw.zippw

unknown

http://download.luxesydiseno.com/images/powerslide/Concha/1305UKdw.zipG

unknown

http://www.paulaggg.com/paulagail2009/

unknown

http://paulaggg.com/css/1305UKdw.zipes/powerslide/Concha/1305UKdw.zip

unknown

http://paulaggg.com/css/1305UKdw.zip$

unknown

http://paulaggg.com/css/1305UKdw.zipw.zip

unknown

http://download.luxesydiseno.com/images/powerslide/Concha/1305UKdw.zip=

unknown

http://download.luxesydiseno.com/images/powerslide/Concha/1305UKdw.zip3

unknown

http://luxesydiseno.com/images/powerslide/Concha/1305UKdw.zip9

unknown

http://paulaggg.com/css/1305UKdw.zip

198.54.115.45

http://paulaggg.com/css/1305UKdw.zipp

unknown

http://download.luxesydiseno.com/images/powerslide/Concha/1305UKdw.zip

192.254.232.193

http://paulaggg.com/css/1305UKdw.zipt

unknown

http://paulaggg.com/css/1305UKdw.zipxdy

unknown

http://www.stencilletta.com

unknown

http://paulaggg.com/css/1305UKdw.zip5

unknown

http://www.paulaggg.com/digitaldrawings/

unknown

http://download.luxesydiseno.com/images/powerslide/Concha/1305UKdw.zip3Z

unknown

http://paulaggg.com/

unknown

http://download.luxesydiseno.com/images/powerslide/Concha/1305UKdw.zipOY

unknown

http://luxesydiseno.com/images/powerslide/Concha/1305UKdw.zipH

unknown

http://www.paulaggg.com/preciousmetaldrawing/

unknown

http://paulaggg.com/css/1305UKdw.zip=

unknown

http://paulaggg.com/css/1305UKdw.zipLMEM

unknown

http://luxesydiseno.com/images/powerslide/Concha/1305UKdw.zipO

unknown

http://www.paulastinypottery.com/

unknown

http://luxesydiseno.com/images/powerslide/Concha/1305UKdw.zipswsock.dll.mui

unknown

There are 30 hidden URLs, click here to show them.

Domains

Name

Malicious

luxesydiseno.com

192.254.232.193

Details

Name:	luxesydiseno.com
IP:	192.254.232.193
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

download.luxesydiseno.com

192.254.232.193

Details

Name:	download.luxesydiseno.com
IP:	192.254.232.193
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

paulaggg.com

198.54.115.45

Details

Name:	paulaggg.com
IP:	198.54.115.45
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

198.54.115.45

paulaggg.com

United States

192.254.232.193

luxesydiseno.com

United States

Memdumps

Base Address

Regiontype

Protect

Malicious

8B0000

heap

page read and write

293F000

stack

page read and write

2CFC000

stack

page read and write

1F0000

heap

page read and write

2CBF000

stack

page read and write

227E000

heap

page read and write

556000

heap

page read and write

560000

heap

page read and write

1F0000

heap

page read and write

401000

unkown

page execute read

401000

unkown

page execute read

2A3F000

stack

page read and write

2BBE000

stack

page read and write

402000

unkown

page readonly

8C0000

heap

page read and write

2DDE000

stack

page read and write

990000

heap

page read and write

484000

heap

page read and write

402000

unkown

page readonly

2C8B000

stack

page read and write

401000

unkown

page execute read

27FE000

stack

page read and write

6BF000

heap

page read and write

7AE000

stack

page read and write

2B8D000

stack

page read and write

400000

unkown

page readonly

404000

unkown

page readonly

232E000

heap

page read and write

2E31000

heap

page read and write

66E000

stack

page read and write

2830000

heap

page read and write

400000

unkown

page readonly

404000

unkown

page readonly

2B4D000

stack

page read and write

420000

heap

page read and write

2A4E000

stack

page read and write

6CB000

heap

page read and write

4E0000

heap

page read and write

670000

heap

page read and write

404000

unkown

page readonly

6EE000

heap

page read and write

2DFC000

stack

page read and write

9B000

stack

page read and write

400000

unkown

page readonly

42A000

heap

page read and write

19C000

stack

page read and write

67E000

heap

page read and write

99E000

stack

page read and write

402000

unkown

page readonly

290E000

stack

page read and write

9C0000

heap

page read and write

28CF000

stack

page read and write

19A000

stack

page read and write

277E000

stack

page read and write

27BE000

stack

page read and write

404000

unkown

page readonly

402000

unkown

page readonly

565000

heap

page read and write

679000

heap

page read and write

2A7E000

stack

page read and write

410000

heap

page read and write

550000

heap

page read and write

400000

unkown

page readonly

2A0F000

stack

page read and write

450000

heap

page read and write

8AF000

stack

page read and write

2180000

heap

page read and write

401000

unkown

page execute read

2B7F000

stack

page read and write

9C000

stack

page read and write

2230000

heap

page read and write

76D000

stack

page read and write

42E000

heap

page read and write

6DA000

heap

page read and write

2CDE000

stack

page read and write

222E000

stack

page read and write

There are 66 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Trojan.DownLoad3.33216.13863.20878.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Trojan.DownLoad3.33216.13863.20878.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
SecuriteInfo.com.Trojan.DownLoad3.33216.13863.20878.exe