Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Riskware.Application.32484.16969.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	7.855312946743356
Filename:	SecuriteInfo.com.Riskware.Application.32484.16969.exe
Filesize:	18314240
MD5:	0c4ff697bf8bee358d876a64d19ab643
SHA1:	d99a8bf2aaa11c7a89dd40bd485f5b2f570af1d4
SHA256:	eaef7bca8697e9832e378f4afedf3504b1c72826514602a1d43eb4bfd0871532
SHA512:	0f3bf070b3d9dbe84a647a45c7f8aa23d86afdae1d1040f61453c682063a16ffd1b84cb6535e94e88ac6d796bdbb12ae2db259644e67e046414f0da4fde464b0
SSDEEP:	393216:P3sKAC+aPhfq9/NadGWRAoYdNk2Lyud2Q:tT35fs/MdGWD+NvLzt
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...(.sf.........."....'.B....d....."..........@..........................................`................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Found direct / indirect Syscall (likely to bypass EDR)	HIPS / PFW / Operating System Protection Evasion	Abuse Elevation Control Mechanism
Hides threads from debuggers	Anti Debugging
Machine Learning detection for sample	AV Detection
Overwrites code with unconditional jumps - possibly settings hooks in foreign process	Hooking and other Techniques for Hiding and Protection	Credential API Hooking
PE file contains section with special chars	System Summary
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion
Tries to detect debuggers (CloseHandle check)	Anti Debugging
Tries to evade analysis by execution special instruction (VM detection)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion Security Software Discovery
Creates files inside the system directory	System Summary	Masquerading
PE file contains sections with non-standard names	Data Obfuscation
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Queries a list of all running drivers	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Reads software policies	System Summary	System Information Discovery
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\license.id

ASCII text, with no line terminators

dropped

Details

File:	C:\Windows\license.id
Category:	dropped
Dump:	license.id.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe
Type:	ASCII text, with no line terminators
Entropy:	4.726409765557392
Encrypted:	false
Ssdeep:	3:hMTjnxVcC:Wj3cC
Size:	32
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the system directory	System Summary	Masquerading

\Device\ConDrv

ASCII text, with CRLF, CR, LF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe
Type:	ASCII text, with CRLF, CR, LF line terminators
Entropy:	2.2216070458174753
Encrypted:	false
Ssdeep:	6:jP32E3BKVLd323bC6/5ZccPPlCIK47o3Q+udCKRd6hd6LXb6hvsLt:jPmE8VLdmtfcUPe4EgJpmOLO5sLt
Size:	672
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5640
Target ID:	0
Parent PID:	1028
Name:	SecuriteInfo.com.Riskware.Application.32484.16969.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe"
Size:	18314240
MD5:	0C4FF697BF8BEE358D876A64D19AB643
Time:	21:36:11
Date:	04/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7a4d80000
Modulesize:	34766848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	2672
Target ID:	1
Parent PID:	5640
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	21:36:11
Date:	04/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

19DE71A0000

heap

page read and write

7FF7A5D30000

unkown

page execute read

7FF7A581C000

unkown

page execute read

7FF7A6E6F000

unkown

page readonly

7FF7A4DDE000

unkown

page readonly

7FF7A4DE3000

unkown

page execute read

7FF7A4DC6000

unkown

page readonly

19DE7240000

heap

page read and write

19DE5630000

heap

page read and write

19DE5706000

heap

page read and write

7FF7A4D80000

unkown

page readonly

19DE56A0000

heap

page read and write

19DE5660000

heap

page read and write

19DE56FC000

heap

page read and write

19DE5712000

heap

page read and write

19DE7060000

trusted library allocation

page read and write

7FF7A4E16000

unkown

page read and write

7FF7A6E6F000

unkown

page readonly

7FF7A6730000

unkown

page execute read

7FF7A4D80000

unkown

page readonly

7FF7A4D81000

unkown

page execute read

19DE7245000

heap

page read and write

3FFE9AB000

stack

page read and write

19DE56F0000

heap

page read and write

19DE5680000

trusted library allocation

page read and write

19DE71A4000

heap

page read and write

19DE5620000

heap

page read and write

7FF7A4E1C000

unkown

page execute read

7FF7A6730000

unkown

page execute read

19DE5712000

heap

page read and write

7FF7A5D30000

unkown

page execute read

7FF7A4DDA000

unkown

page read and write

There are 22 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Riskware.Application.32484.16969.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Riskware.Application.32484.16969.exe

Files

Processes

Memdumps

IOC Report
SecuriteInfo.com.Riskware.Application.32484.16969.exe