Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.996401190961517
Filename:	SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe
Filesize:	2596914
MD5:	3ea7144962bfbe89e0145695fd039655
SHA1:	38e4c4c1f1d104da067f12c1d06734d354ce0ce1
SHA256:	b0c1e15f1b660f639ea88e6999bbe4bab7b35e84337b92b1059638e0c7fa947f
SHA512:	eace33f7981f50db457a504ba6f08d909de47548e5f1daeb4d66c586cb4160e7bc47bb408e83c5fea7d80d05b869e05b31ca26b061b602a8aa42292b073eacaf
SSDEEP:	49152:v2FHdDBI88HSk1769bp27F7I8qMcs2THzTpeKrGmVXJq10SBWX7NcH6swr:uF9VI8ESK769bpnMl0NJXg1rWrNcH52
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	Access Token Manipulation System Shutdown/Reboot
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Found evasive API chain (date check)	Malware Analysis System Evasion	Access Token Manipulation
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query windows version	Language, Device and Operating System Detection
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp
Category:	dropped
Dump:	SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.469782512324722
Encrypted:	false
Ssdeep:	12288:L/vksLWtSNrPi37NzHDA6Y1gbl5d7Ifoz4mrNNpRpzqjxy:jvksLWtkrPi37NzHDA6Yg5dsfoTzsxy
Size:	685056
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to call native functions	System Summary
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Drops PE files	Persistence and Installation Behavior
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found evasive API chain checking for process token information	Malware Analysis System Evasion	Native API
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to create pipes for IPC	Language, Device and Operating System Detection	Process Injection
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Reads ini files	System Summary	File and Directory Discovery
Reads the Windows registered organization settings	System Summary	System Owner/User Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Executable creates window controls seldom found in malware	System Summary
Reads the Windows registered owner settings	System Summary	System Owner/User Discovery

C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_RegDLL.tmp

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_RegDLL.tmp
Category:	dropped
Dump:	_RegDLL.tmp.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	4.012434743866195
Encrypted:	false
Ssdeep:	48:iAnz1hEU3FR/pmqBl8/QMCBaquEMx5BCwSS4k+bkguj0K:pz1eEFNcqBC/Qrex5MSKD
Size:	3584
Whitelisted:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_setup64.tmp

PE32+ executable (console) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_setup64.tmp
Category:	dropped
Dump:	_setup64.tmp.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp
Type:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	4.203889009972449
Encrypted:	false
Ssdeep:	48:SvTmfWvPcXegCWUo1vlZwrAxoONfHFZONfH3d1xCWMBgW2p3SS4k+bkg6j0K:nfkcXegjJ/ZgYNzcld1xamW2pCSKv
Size:	5632
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_shfoldr.dll

PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_shfoldr.dll
Category:	dropped
Dump:	_shfoldr.dll.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp
Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	4.596242908851566
Encrypted:	false
Ssdeep:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
Size:	23312
Whitelisted:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

"C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6332
Target ID:	0
Parent PID:	2580
Name:	SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe"
Size:	2596914
MD5:	3EA7144962BFBE89E0145695FD039655
Time:	20:25:00
Date:	25/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp

"C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp" /SL5="$1043A,2318969,53248,C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe"

Details

Is windows:	false
Is dropped:	true
PID:	6308
Target ID:	1
Parent PID:	6332
Name:	SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp
Path:	C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp
Commandline:	"C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp" /SL5="$1043A,2318969,53248,C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe"
Size:	685056
MD5:	52950AC9E2B481453082F096120E355A
Time:	20:25:01
Date:	25/05/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	745472
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://cyworld.nate.com/nuclear_mine

unknown

Details

Name:	http://cyworld.nate.com/nuclear_mine
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe
Source:	SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1665732024.0000000002101000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000002.2922256093.00000000020F0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1664682629.0000000002360000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000002.2922277470.0000000002101000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000003.1668682583.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000003.1669698962.00000000021A6000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922656836.00000000021A4000.00000004.00001000.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.innosetup.com/

unknown

http://www.remobjects.com/?ps

unknown

Details

Name:	http://www.remobjects.com/?ps
TargetID:	-1
From Memory:	true
Source:	SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1666089570.0000000002360000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1666996465.0000000002108000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://ispp.sourceforge.net/

unknown

Details

Name:	http://ispp.sourceforge.net/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe
Source:	SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1665732024.0000000002101000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1664682629.0000000002360000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000002.2922277470.0000000002101000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000003.1668682583.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000003.1669698962.00000000021A6000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922656836.00000000021A4000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922580890.0000000002195000.00000004.00001000.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://ispp.sourceforge.net/Des

unknown

http://www.remobjects.com/?psU

unknown

Details

Name:	http://www.remobjects.com/?psU
TargetID:	-1
From Memory:	true
Source:	SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1666089570.0000000002360000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1666996465.0000000002108000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

491000

unkown

page read and write

5CF000

heap

page read and write

2150000

heap

page read and write

4F0000

heap

page read and write

2770000

trusted library allocation

page read and write

494000

unkown

page write copy

401000

unkown

page execute read

580000

heap

page read and write

21B0000

direct allocation

page read and write

4A0E000

stack

page read and write

65A000

heap

page read and write

48AE000

stack

page read and write

338F000

stack

page read and write

30F0000

direct allocation

page read and write

2198000

direct allocation

page read and write

40D000

unkown

page write copy

21A6000

direct allocation

page read and write

420000

heap

page read and write

491000

unkown

page write copy

4C0000

heap

page read and write

2101000

direct allocation

page read and write

5AC000

heap

page read and write

328E000

stack

page read and write

2180000

heap

page read and write

2330000

heap

page read and write

324F000

stack

page read and write

20F0000

direct allocation

page read and write

4A2000

unkown

page readonly

21B0000

direct allocation

page read and write

650000

heap

page read and write

560000

heap

page read and write

19A000

stack

page read and write

5D0000

heap

page read and write

2334000

heap

page read and write

60B000

heap

page read and write

401000

unkown

page execute read

20F4000

direct allocation

page read and write

30F0000

heap

page read and write

411000

unkown

page readonly

400000

unkown

page readonly

2189000

heap

page read and write

21BF000

direct allocation

page read and write

58A000

heap

page read and write

2360000

direct allocation

page read and write

9B000

stack

page read and write

2210000

heap

page read and write

401000

unkown

page execute read

91000

stack

page read and write

400000

unkown

page readonly

40B000

unkown

page read and write

2360000

direct allocation

page read and write

21A4000

direct allocation

page read and write

2185000

heap

page read and write

400000

unkown

page readonly

19D000

stack

page read and write

2195000

direct allocation

page read and write

314E000

stack

page read and write

21D8000

direct allocation

page read and write

2101000

direct allocation

page read and write

40B000

unkown

page write copy

4C90000

trusted library allocation

page read and write

21BD000

direct allocation

page read and write

65E000

heap

page read and write

2160000

heap

page read and write

30F0000

direct allocation

page read and write

4B0F000

stack

page read and write

401000

unkown

page execute read

566000

heap

page read and write

4A2000

unkown

page readonly

58E000

heap

page read and write

430000

heap

page read and write

411000

unkown

page readonly

26E0000

heap

page read and write

49AE000

stack

page read and write

2120000

direct allocation

page execute and read and write

21B0000

direct allocation

page read and write

400000

unkown

page readonly

4D0000

heap

page read and write

2108000

direct allocation

page read and write

2190000

direct allocation

page read and write

There are 70 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

Files

Processes

URLs

Memdumps

IOC Report
SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe