Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.1868791730052095
Filename:	SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe
Filesize:	27384
MD5:	4629a7d0c64e29caa63f7a4aede12a07
SHA1:	3646b60408d282ceaddfb725ac98a71c276b591f
SHA256:	a61a13fc5a91783172920a1418c06578f267b83a026bd126e653b259a6eb4bda
SHA512:	9cc8734a02a76af07ca39bdd26788307856b7c5653b3be41416dcd84e05087fcddd0f1d10e8ff0f8a75d286fc24c19ab0d3a471146ad343601ea44052d56c0a1
SSDEEP:	384:flrcGPGZee0QPt0GkaUVQLBeuMsx2n9J0+1/wfT3ir2WSx7bLzWY:9cV/PFkaUWLcuMswfA3iPmbLn
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2...S...S...S...+...S..L....S..L....S..L....S..L....S...+...S...S...S..\|....S..\|.q..S..\|....S..Rich.S..................PE..d..

Signature Hits	Behavior Group	Mitre Attack
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools Security Software Discovery
Machine Learning detection for sample	AV Detection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
PE / OLE file has an invalid certificate	System Summary
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	1.1940658735648508
Encrypted:	false
Ssdeep:	3:NlllulxmH/lZ:NllUg
Size:	64
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0aumyvkw.nef.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0aumyvkw.nef.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_0aumyvkw.nef.psm1.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g45535fo.20t.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g45535fo.20t.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_g45535fo.20t.ps1.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kseaghrs.m5x.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kseaghrs.m5x.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_kseaghrs.m5x.ps1.4.dr
ID:	dr_0
Target ID:	4
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xo1yfyfk.ljk.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xo1yfyfk.ljk.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_xo1yfyfk.ljk.psm1.4.dr
ID:	dr_1
Target ID:	4
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4356
Target ID:	0
Parent PID:	2592
Name:	SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe"
Size:	27384
MD5:	4629A7D0C64E29CAA63F7A4AEDE12A07
Time:	13:24:47
Date:	29/08/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff79ea80000
Modulesize:	36864
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Machine Learning detection for sample	AV Detection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE / OLE file has an invalid certificate	System Summary
Sigma detected: Powershell Defender Exclusion	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'"

Details

Is windows:	true
Is dropped:	false
PID:	6704
Target ID:	3
Parent PID:	4356
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'"
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	13:24:47
Date:	29/08/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff63fb00000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Powershell Defender Exclusion	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'"

Details

Is windows:	true
Is dropped:	false
PID:	5564
Target ID:	4
Parent PID:	6704
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'"
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	13:24:47
Date:	29/08/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6eb350000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	628
Target ID:	1
Parent PID:	4356
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	13:24:47
Date:	29/08/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff68cce0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\wbem\WmiPrvSE.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	6236
Target ID:	5
Parent PID:	744
Name:	WmiPrvSE.exe
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Size:	496640
MD5:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Time:	13:24:51
Date:	29/08/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	true
Modulebase:	0x7ff6220e0000
Modulesize:	516096
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0

unknown

https://cleversquad.online/0

unknown

https://sectigo.com/CPS0

unknown

http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#

unknown

http://ocsp.sectigo.com0

unknown

http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z

unknown

https://cdn.cleversquad.online/cdn/CleverClient/CleverLauncher.exeFailed

unknown

https://cdn.cleversquad.online/cdn/CleverClient/CleverLauncher.exe

unknown

http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

19733E80000

heap

page read and write

19733CF0000

heap

page read and write

7FF79EA85000

unkown

page read and write

19733DD0000

heap

page read and write

7FF79EA83000

unkown

page readonly

19733E84000

heap

page read and write

40844FB000

stack

page read and write

40845FE000

stack

page read and write

19733E89000

heap

page read and write

19733E80000

heap

page read and write

7FF79EA86000

unkown

page readonly

197357A5000

heap

page read and write

19733E5C000

heap

page read and write

19737040000

heap

page read and write

7FF79EA83000

unkown

page readonly

197357A0000

heap

page read and write

19735AF0000

heap

page read and write

7FF79EA81000

unkown

page execute read

19737043000

heap

page read and write

7FF79EA80000

unkown

page readonly

7FF79EA85000

unkown

page write copy

40846FF000

stack

page read and write

19737150000

trusted library allocation

page read and write

7FF79EA80000

unkown

page readonly

7FF79EA81000

unkown

page execute read

19733E50000

heap

page read and write

19733E77000

heap

page read and write

19733E77000

heap

page read and write

19735700000

heap

page read and write

7FF79EA86000

unkown

page readonly

19733E00000

heap

page read and write

197357AA000

heap

page read and write

19733E8E000

heap

page read and write

There are 23 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe

Files

Processes

URLs

Memdumps

IOC Report
SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe