Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

1.exe

PE32 executable (console) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	6.5312679305983075
Filename:	1.exe
Filesize:	1212233
MD5:	d940ad60dee55174455c2a43a8353d2e
SHA1:	7b0832cd378423da73831e6a45144248fe5d17e4
SHA256:	47c1439cbe3d3ea852e7e45c2d201cb83e5949193b07d9f321c41e0343eaa6a8
SHA512:	67f71849e159598fc3aa358cacfff739ab6aa7f470df00497915cc15237b9f66d0d779b079fde3326b93beeaf1414abf2510233929e38da9b32d4c4253ea7f2d
SSDEEP:	24576:87g8Od5CN7g8O+C7WUtLpwbtLpwEoJdXN0BN2qnw4an:87rO67rO5btL2tLFoJdXN0BMOwLn
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................T................................{......................................Rich............................PE..L..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Detected potential crypto function	System Summary	Archive Collected Data
Found evasive API chain (may stop execution after checking a module file name)	Malware Analysis System Evasion
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May infect USB drives	Spreading	Replication Through Removable Media
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Binary contains paths to development resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\1.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.901853079623814
Encrypted:	false
Ssdeep:	12:IfwB/Mv/ClbUnubUnKYcgrqKjveBKbUnCtbUneoRgOuIBGE:RB/SNBQKj2BhHeMgU7
Size:	501
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\1.exe

"C:\Users\user\Desktop\1.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7292
Target ID:	0
Parent PID:	1028
Name:	1.exe
Path:	C:\Users\user\Desktop\1.exe
Commandline:	"C:\Users\user\Desktop\1.exe"
Size:	1212233
MD5:	D940AD60DEE55174455C2A43A8353D2E
Time:	10:59:35
Date:	01/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x5d0000
Modulesize:	98304
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
May infect USB drives	Spreading	Replication Through Removable Media
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary contains paths to development resources	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7300
Target ID:	1
Parent PID:	7292
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	10:59:35
Date:	01/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://www.symauth.com/rpa04

unknown

http://crl.thawte.com/ThawteTimestampingCA.crl0

unknown

http://www.symauth.com/cps09

unknown

http://www.symauth.com/cps0(

unknown

http://ocsp.thawte.com0

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

5D0000

unkown

page readonly

5A0000

heap

page read and write

5E5000

unkown

page readonly

76E000

stack

page read and write

5DE000

unkown

page readonly

820000

heap

page read and write

82E000

heap

page read and write

5DE000

unkown

page readonly

5D0000

unkown

page readonly

43C000

stack

page read and write

A1F000

stack

page read and write

800000

heap

page read and write

6D0000

heap

page read and write

82A000

heap

page read and write

5B0000

heap

page read and write

72E000

stack

page read and write

5E5000

unkown

page readonly

5E2000

unkown

page write copy

6E0000

heap

page read and write

5D1000

unkown

page execute read

5E2000

unkown

page read and write

22BF000

stack

page read and write

5D1000

unkown

page execute read

53C000

stack

page read and write

There are 14 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
1.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report1.exe

Files

Processes

URLs

Memdumps

IOC Report
1.exe