Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.4250352264986
Filename:	SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe
Filesize:	532480
MD5:	0b1d213e54d820dd3fefa386aa3e1f43
SHA1:	12e6ac4bed321f1a44e6d71338502e3dae943466
SHA256:	0e7ff3739925d9952c557cd8c3454c181549953975cc6241e95a638c52c33dcd
SHA512:	f97fd05a49223574a6e4fa4e43e03369589ba25112fe04467cd17a122a13c4a496ee3d4d64370d860644ae5bf01443c5bd4d58181f80b9751f31f66227198e35
SSDEEP:	12288:vwEh/b02vun/UtniLxUD9HpxZamJNcXo/0:Yw/Q4u/euUDlPZamAXo/
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p....,..p....B..p.......p.......p.......p.......p.......p...p...q.......p.......p.......p....@..p.......p..Rich.p.

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to create an SMB header	Exploits	Exploitation of Remote Services
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Archive Collected Data
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Contains functionality for error logging	System Summary
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to import cryptographic keys (often used in ransomware)	Spam, unwanted Advertisements and Ransom Demands	Data Encrypted for Impact
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Public key (encryption) found	Cryptography
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.4.dr
ID:	dr_0
Target ID:	4
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.381719730288618
Encrypted:	false
Ssdeep:	3:rRRqmfXMHdMIRgDQCXT+FOEaGj3F/9Dqa+Oe2oTiWWu1AX7oj4NAPWRX6u2vooa4:HfX0VyMCXT741lxoTLK7VAPWchwz4
Size:	336
Whitelisted:	false
Reputation:	timeout

\Device\Null

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\Null
Category:	dropped
Dump:	Null.61.dr
ID:	dr_27
Target ID:	61
Process:	C:\Windows\System32\cmd.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.003997527334849
Encrypted:	false
Ssdeep:	3:HnRthLK5a6eCMABe:HRoJPO
Size:	44
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe"

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerProSdk

There are 46 hidden processes, click here to show them.

URLs

Name

Malicious

https://keyauth.win/api/1.1/pace

unknown

http://185.101.104.92/as.exe

unknown

https://keyauth.cc/panel/bronkz/valorantplus/

unknown

Details

Name:	https://keyauth.cc/panel/bronkz/valorantplus/
TargetID:	4
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe
Source:	SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000002.2528887357.0000018E503BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000003.1415048357.0000018E503A0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000003.1415006221.0000018E503B9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000002.2528887357.0000018E5037B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000003.1415092286.0000018E503BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000003.1415006221.0000018E503BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000003.1415092286.0000018E503B9000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://curl.haxx.se/docs/http-cookies.html

unknown

https://curl.haxx.se/docs/http-cookies.html#

unknown

https://keyauth.win/api/1.1/ce

unknown

https://keyauth.win/api/1.1/

104.26.0.5

Details

Name:	https://keyauth.win/api/1.1/
IP:	104.26.0.5
TargetID:	4
From Memory:	false
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

http://185.101.104.92/as.exeC:

unknown

Domains

Name

Malicious

keyauth.win

104.26.0.5

Details

Name:	keyauth.win
IP:	104.26.0.5
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

104.26.0.5

keyauth.win

United States

Details

IP:	104.26.0.5
TargetID:	4
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	keyauth.win

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

127.0.0.1

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

7919C7E000

stack

page read and write

18E50388000

heap

page read and write

62584FE000

stack

page read and write

CF5567F000

stack

page read and write

18E503BE000

heap

page read and write

7FF6CE570000

unkown

page readonly

CF5577E000

stack

page read and write

1F4368B0000

heap

page read and write

27158349000

heap

page read and write

1D66ADF0000

heap

page read and write

18E503A1000

heap

page read and write

B47DEFE000

stack

page read and write

1F71E8F0000

heap

page read and write

B47DBAE000

stack

page read and write

271582B0000

heap

page read and write

2C9778C0000

heap

page read and write

18E51D25000

heap

page read and write

AFB197E000

stack

page read and write

8D4B9E000

stack

page read and write

18E50350000

heap

page read and write

1F4368E0000

heap

page read and write

2C9779F0000

heap

page read and write

18E502D0000

heap

page read and write

271582D0000

heap

page read and write

62583FF000

stack

page read and write

1D66B0C0000

heap

page read and write

1D66AE30000

heap

page read and write

53A711D000

stack

page read and write

2038A720000

heap

page read and write

1F71EAD9000

heap

page read and write

6257FFF000

stack

page read and write

7FF6CE556000

unkown

page readonly

18E502A0000

heap

page read and write

18E503A0000

heap

page read and write

21C8CF98000

heap

page read and write

7FF6CE4F0000

unkown

page readonly

18E502F0000

remote allocation

page read and write

1F71EA35000

heap

page read and write

18E503A4000

heap

page read and write

18E501C0000

heap

page read and write

2C977BC0000

heap

page read and write

E8567F000

stack

page read and write

1D66B0C5000

heap

page read and write

2C9779A0000

heap

page read and write

1D66B000000

heap

page read and write

2C9779F8000

heap

page read and write

1F436CD0000

heap

page read and write

1F71E9D0000

heap

page read and write

AFB187E000

stack

page read and write

18E503B9000

heap

page read and write

1F436980000

heap

page read and write

53A747E000

stack

page read and write

62581FE000

stack

page read and write

18E5037B000

heap

page read and write

18E50356000

heap

page read and write

1F71EA30000

heap

page read and write

21C8CE00000

heap

page read and write

18E5035C000

heap

page read and write

6257EFC000

stack

page read and write

7919BFE000

unkown

page readonly

27158280000

heap

page read and write

18E503BE000

heap

page read and write

E8547D000

stack

page read and write

7FF6CE556000

unkown

page readonly

1F71EAD0000

heap

page read and write

21C8D150000

heap

page read and write

7919B7F000

stack

page read and write

AFB156C000

stack

page read and write

18E51D20000

heap

page read and write

2038A758000

heap

page read and write

62582FE000

stack

page read and write

2038A710000

heap

page read and write

2C9779FF000

heap

page read and write

8D4A9C000

stack

page read and write

18E503A9000

heap

page read and write

7FF6CE570000

unkown

page readonly

1F436CD5000

heap

page read and write

18E502F0000

remote allocation

page read and write

21C8CEE0000

heap

page read and write

2038A750000

heap

page read and write

21C8CF00000

heap

page read and write

18E503BE000

heap

page read and write

2038AA45000

heap

page read and write

8D4EFF000

stack

page read and write

1F4368C0000

heap

page read and write

7919A7D000

stack

page read and write

21C8CF90000

heap

page read and write

18E5038D000

heap

page read and write

1D66AE39000

heap

page read and write

271582D5000

heap

page read and write

7FF6CE4F0000

unkown

page readonly

B47DAAD000

stack

page read and write

1F71E9F0000

heap

page read and write

2C977BC5000

heap

page read and write

18E502F0000

remote allocation

page read and write

7FF6CE4F1000

unkown

page execute read

2C9779C0000

heap

page read and write

2038A920000

heap

page read and write

1D66AE00000

heap

page read and write

18E503B9000

heap

page read and write

CF5536C000

stack

page read and write

E8557E000

stack

page read and write

2038AA40000

heap

page read and write

21C8D155000

heap

page read and write

7FF6CE4F1000

unkown

page execute read

27158290000

heap

page read and write

7FF6CE56F000

unkown

page read and write

27158340000

heap

page read and write

1F436988000

heap

page read and write

7FF6CE56F000

unkown

page write copy

There are 100 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe