Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe

PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	4.435315914713855
Filename:	SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe
Filesize:	5120
MD5:	97256334ade473a5c605c276d37478ef
SHA1:	8aa10980c5457439aaafe3435c724364f17d9eac
SHA256:	763e2cc6bdb6dc1feb190e36acf1ba9b87e3e7cd9ac211f94f7e85a11101046a
SHA512:	8076a8898c8eefde5dba1df5006339e0756b68eff4d85d8d62b29cdbfe6f4c626cadb7b66bbce738b6b5d21d194427c607407562246320d2d7b3d19c382af330
SSDEEP:	96:aXaNFKbZWGx/24LE28FC0MoC0Mj7V87P3mAuzNt:IUFa/zLFP7V8T1o
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....~............"...0.................. .....@..... .......................`............`...@......@............... .....

Signature Hits	Behavior Group	Mitre Attack
Drops script or batch files to the startup folder	Boot Survival	Scripting
Machine Learning detection for sample	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary
Uses Microsoft Silverlight	System Summary

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\bat.bat

Java archive data (JAR)

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\bat.bat
Category:	dropped
Dump:	bat.bat.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe
Type:	Java archive data (JAR)
Entropy:	7.812330612187677
Encrypted:	false
Ssdeep:	96:qsZNm5jNUniC4MpoU6BOEjIZh48fUFQ99kCby:FNSJUiC4M9Wj07b8Fq9S
Size:	4397
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops script or batch files to the startup folder	Boot Survival	Scripting

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe.log
Category:	dropped
Dump:	SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe.log.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe
Type:	CSV text
Entropy:	5.354334472896228
Encrypted:	false
Ssdeep:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
Size:	847
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\tech.exe

Java archive data (JAR)

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\tech.exe
Category:	dropped
Dump:	tech.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe
Type:	Java archive data (JAR)
Entropy:	7.812330612187677
Encrypted:	false
Ssdeep:	96:qsZNm5jNUniC4MpoU6BOEjIZh48fUFQ99kCby:FNSJUiC4M9Wj07b8Fq9S
Size:	4397
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe

"C:\Users\user\Desktop\SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4044
Target ID:	0
Parent PID:	4004
Name:	SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe"
Size:	5120
MD5:	97256334ADE473A5C605C276D37478EF
Time:	17:29:58
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x193f4af0000
Modulesize:	24576
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for sample	AV Detection
Sigma detected: Suspicious Startup Folder Persistence	System Summary
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Startup Folder File Write	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4620
Target ID:	1
Parent PID:	4044
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	17:29:58
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://github.com

unknown

Details

Name:	http://github.com
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe
Source:	SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe, 00000000.00000002.2162888913.00000193800A7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe, 00000000.00000002.2162888913.0000019380144000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://raw.githubusercontent.com(

unknown

https://raw.githubusercontent.com

unknown

Details

Name:	https://raw.githubusercontent.com
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe
Source:	SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe, 00000000.00000002.2162888913.0000019380144000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe, 00000000.00000002.2162888913.00000193800CC000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://github.com/rolc4/jar/raw/main/MinecraftHelper.jar

140.82.121.4

Details

Name:	https://github.com/rolc4/jar/raw/main/MinecraftHelper.jar
IP:	140.82.121.4
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://raw.githubusercontent.com/rolc4/jar/main/MinecraftHelper.jar

185.199.109.133

Details

Name:	https://raw.githubusercontent.com/rolc4/jar/main/MinecraftHelper.jar
IP:	185.199.109.133
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://github.com

unknown

http://raw.githubusercontent.com

unknown

Details

Name:	http://raw.githubusercontent.com
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe
Source:	SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe, 00000000.00000002.2162888913.00000193800E7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe, 00000000.00000002.2162888913.0000019380144000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

github.com

140.82.121.4

Details

Name:	github.com
IP:	140.82.121.4
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

raw.githubusercontent.com

185.199.109.133

Details

Name:	raw.githubusercontent.com
IP:	185.199.109.133
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

185.199.109.133

raw.githubusercontent.com

Netherlands

Details

IP:	185.199.109.133
TargetID:	0
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe
Country:	Netherlands
Countrycode:	NLD
ASN number:	54113
ASN name:	FASTLYUS
Private:	false
Domain:	raw.githubusercontent.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

140.82.121.4

github.com

United States

Details

IP:	140.82.121.4
TargetID:	0
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe
Country:	United States
Countrycode:	USA
ASN number:	36459
ASN name:	GITHUBUS
Private:	false
Domain:	github.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS

FileDirectory

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

193F4BE4000

heap

page read and write

19747FE000

stack

page read and write

193F4DF0000

trusted library allocation

page read and write

193F4ED5000

heap

page read and write

1974FFE000

stack

page read and write

7FF49FEE0000

trusted library allocation

page execute and read and write

7FFD345F0000

trusted library allocation

page execute and read and write

7FFD3458C000

trusted library allocation

page execute and read and write

193F4F40000

heap

page read and write

7FFD345E0000

trusted library allocation

page read and write

193F7070000

heap

page read and write

7FFD3453D000

trusted library allocation

page execute and read and write

19727FE000

stack

page read and write

193F4C90000

heap

page read and write

1972BFE000

stack

page read and write

193800C4000

trusted library allocation

page read and write

193F4DA0000

heap

page read and write

19380138000

trusted library allocation

page read and write

193F4C1F000

heap

page read and write

7FFD345EC000

trusted library allocation

page execute and read and write

193F4AF4000

unkown

page readonly

193800A7000

trusted library allocation

page read and write

7FFD34554000

trusted library allocation

page read and write

1971DDE000

stack

page read and write

193F4BF2000

heap

page read and write

193800BB000

trusted library allocation

page read and write

193F4BDD000

heap

page read and write

193F4BB0000

heap

page read and write

19380140000

trusted library allocation

page read and write

1938009E000

trusted library allocation

page read and write

193F7090000

heap

page read and write

193800B9000

trusted library allocation

page read and write

7FFD34534000

trusted library allocation

page read and write

193F4D80000

heap

page read and write

7FFD3455D000

trusted library allocation

page execute and read and write

7FFD346D0000

trusted library allocation

page read and write

193F4BB6000

heap

page read and write

193F4F45000

heap

page read and write

193F4B90000

heap

page read and write

19380172000

trusted library allocation

page read and write

19723E9000

stack

page read and write

193F4AF0000

unkown

page readonly

19743FC000

stack

page read and write

193F6810000

heap

page read and write

1974BFE000

stack

page read and write

197583E000

stack

page read and write

1975C3C000

stack

page read and write

19757FE000

stack

page read and write

19753FE000

stack

page read and write

19380102000

trusted library allocation

page read and write

19380001000

trusted library allocation

page read and write

7FFD34550000

trusted library allocation

page read and write

193800C8000

trusted library allocation

page read and write

19380104000

trusted library allocation

page read and write

7FFD345E6000

trusted library allocation

page read and write

193F70C4000

heap

page read and write

193F4ED0000

heap

page read and write

193F4E10000

trusted library allocation

page read and write

19733FD000

stack

page read and write

1973BFE000

stack

page read and write

193F4BF0000

heap

page read and write

7FFD34542000

trusted library allocation

page read and write

7FFD34616000

trusted library allocation

page execute and read and write

193F69A0000

heap

page execute and read and write

193F4C23000

heap

page read and write

193800E7000

trusted library allocation

page read and write

1973FFE000

stack

page read and write

19380144000

trusted library allocation

page read and write

7FFD34533000

trusted library allocation

page execute and read and write

1938013C000

trusted library allocation

page read and write

193F4BBC000

heap

page read and write

1938016C000

trusted library allocation

page read and write

7FFD34540000

trusted library allocation

page read and write

7FFD346E0000

trusted library allocation

page execute and read and write

193F4AF2000

unkown

page readonly

193800CC000

trusted library allocation

page read and write

193F7210000

heap

page execute and read and write

19737FE000

stack

page read and write

193F4C1D000

heap

page read and write

19390001000

trusted library allocation

page read and write

7FFD3454D000

trusted library allocation

page execute and read and write

19380170000

trusted library allocation

page read and write

193F4B80000

heap

page read and write

1972FFE000

stack

page read and write

7FFD34650000

trusted library allocation

page execute and read and write

There are 75 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe