Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

dcm2niix.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.5850747384413095
Filename:	dcm2niix.exe
Filesize:	968192
MD5:	0d831c8a0b2379cd73393d725ba8f95c
SHA1:	bd2cdd77c5fe97e2b238fb7f1f8ea6342e1d5b18
SHA256:	34de9d74012c9768ed8318d69c0bb0a2b34cb50f787a20f95ab4781c2bcaeb71
SHA512:	0fb88a4b440f12fb93f45f6947e6d9c589bf605fcbeb4d9f1123817187752e5c529fbb7b9e690c34c657d8b72eb6f935866ae975f1e36d851d2f9b6a263e82ca
SSDEEP:	24576:XfyrO84gvaKvQwSbmTXkO/gmpxUNsVyz/luG8Z5JUe:PxgvgwvkO/gmpSDz/G5
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................................D....................%]......%.......%.......%.......................%.......%.......%.......%_....

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
PE file contains sections with non-standard names	Data Obfuscation
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information Security Software Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

\Device\ConDrv

ASCII text, with very long lines (408), with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\dcm2niix.exe
Type:	ASCII text, with very long lines (408), with CRLF line terminators
Entropy:	5.067059768602068
Encrypted:	false
Ssdeep:	96:IlcfLmljOM1/QgUuAFCUoleMstn9s1ONLeJZk:7fqZltbeVo14
Size:	3187
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\dcm2niix.exe

"C:\Users\user\Desktop\dcm2niix.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2132
Target ID:	0
Parent PID:	1028
Name:	dcm2niix.exe
Path:	C:\Users\user\Desktop\dcm2niix.exe
Commandline:	"C:\Users\user\Desktop\dcm2niix.exe"
Size:	968192
MD5:	0D831C8A0B2379CD73393D725BA8F95C
Time:	04:00:23
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7d1ea0000
Modulesize:	1548288
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
PE file contains sections with non-standard names	Data Obfuscation
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	2276
Target ID:	1
Parent PID:	2132
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	04:00:23
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://neurojson.org)AnnotationFormathttps://github.com/NeuroJSON/jnifti/blob/master/JNIfTI_specific

unknown

https://github.com/NeuroJSON/jnifty

unknown

https://www.cognitiveatlas.org/task/id/trm_4c8a834779883/

unknown

http://json.orgSpecialA75DataTypeNameA75DBNameA75ExtendsA75SessionErrorA75GlobalMaxA75GlobalMinbase6

unknown

https://github.com/rordenlab/dcm2niix/issues/236

unknown

http://neurojson.org)

unknown

https://github.com/NeuroJSON/jnifti/blob/master/JNIfTI_specification.md

unknown

https://github.com/NeuroJSON/jsdata

unknown

https://pypi.org/project/jdata

unknown

https://github.com/NeuroJSON/bjdata/blob/master/Binary_JData_Specification.md

unknown

https://pypi.org/project/bjdatahttps://github.com/NeuroJSON/jniftyJavaScripthttps://github.com/Neuro

unknown

http://teem.sourceforge.net/nrrd/format.html

unknown

https://pypi.org/project/bjdata

unknown

http://json.org

unknown

There are 4 hidden URLs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

D35DBA9000

stack

page read and write

2741B0F8000

heap

page read and write

2741AFD0000

heap

page read and write

7FF7D2010000

unkown

page readonly

7FF7D1F57000

unkown

page readonly

7FF7D200E000

unkown

page read and write

2741B0E8000

heap

page read and write

2741B0C9000

heap

page read and write

7FF7D1F57000

unkown

page readonly

2741B0CC000

heap

page read and write

2741B0F8000

heap

page read and write

7FF7D1EA1000

unkown

page execute read

7FF7D1F84000

unkown

page read and write

2741B0C0000

heap

page read and write

2741B1E0000

heap

page read and write

7FF7D1EA1000

unkown

page execute read

7FF7D1EA0000

unkown

page readonly

2741B1C0000

heap

page read and write

D35FB0F000

stack

page read and write

D35EB5F000

stack

page read and write

7FF7D2006000

unkown

page read and write

2741B3D0000

heap

page read and write

7FF7D1F83000

unkown

page write copy

7FF7D1F83000

unkown

page write copy

7FF7D2010000

unkown

page readonly

7FF7D1EA0000

unkown

page readonly

2741B0D7000

heap

page read and write

There are 17 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
dcm2niix.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportdcm2niix.exe

Files

Processes

URLs

Memdumps

IOC Report
dcm2niix.exe