Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.380968074399036
Filename:	SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe
Filesize:	1613824
MD5:	c3c547a2f7ba40a8ccc74c64f56f74bf
SHA1:	3499ffe761db6d8a1f3d506e3cc3497e18f0a5ff
SHA256:	be1650866941ac704ce9dd90f87276c3b9f008f25040e8ac78f3cc2c62233124
SHA512:	e54a7b6b63857eacd8082f8f6f540749e02a40afa726dd17624c9f8177697c940927b4aeeae9a989288d36135a2a5c3b9851f19ddda82d0c284eab0d200bb561
SSDEEP:	24576:YBbdrmZoGk/52SCUAO55ksXy4gE47he4wtL/xExlzXyDK:Or3/5PkO553eEQwtqx1
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;...U...U...U.p.[...U..._.H.U...Y...U...F...U...F...U...T...U...^...U...^...U..._...U...U...U.4.S...U.Rich..U................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API Security Software Discovery
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Access Token Manipulation Security Software Discovery Process Discovery
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Detected potential crypto function	System Summary	Access Token Manipulation System Time Discovery Security Software Discovery Process Discovery Archive Collected Data Encrypted Channel
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation System Time Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to download additional files from the internet	Networking	Security Software Discovery Ingress Tool Transfer
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	Security Software Discovery File and Directory Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Information Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Creates temporary files	System Summary	Security Software Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\4549359\....\TemporaryFile (copy)

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\4549359\....\TemporaryFile (copy)
Category:	dropped
Dump:	csrss2.exe.0.dr
ID:	dr_2
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\csrss2.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.342927646017908
Encrypted:	false
Ssdeep:	12288:v5mcnXTgXcH3y4gE94PDheqjwLpL/duo6F+tdjBgj3V6XEHNYEu0l8+zXw:v55ksXy4gE47he4wtL/xExlzX
Size:	913408
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

C:\Users\user\AppData\Local\Temp\csrss2.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\csrss2.exe
Category:	dropped
Dump:	csrss2.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.342927646017908
Encrypted:	false
Ssdeep:	12288:v5mcnXTgXcH3y4gE94PDheqjwLpL/duo6F+tdjBgj3V6XEHNYEu0l8+zXw:v55ksXy4gE47he4wtL/xExlzX
Size:	913408
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection
Contains functionality to call native functions	System Summary
Contains functionality to read the PEB	Anti Debugging
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found large amount of non-executed APIs	Malware Analysis System Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to instantiate COM classes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.39113595572983
Encrypted:	false
Ssdeep:	6144:ul4fiJoH0ncNXiUjt10q0G/gaocYGBoaUMMhA2NX4WABlBuN1xOBSqa:u4vF0MYQUMM6VFYLxU
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6388
Target ID:	0
Parent PID:	3504
Name:	SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe"
Size:	1613824
MD5:	C3C547A2F7BA40A8CCC74C64F56F74BF
Time:	02:34:18
Date:	27/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1703936
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\csrss2.exe

Details

Is windows:	false
Is dropped:	true
PID:	1544
Target ID:	2
Parent PID:	6388
Name:	csrss2.exe
Path:	C:\Users\user\AppData\Local\Temp\csrss2.exe
Commandline:	C:\Users\user\AppData\Local\Temp\csrss2.exe
Size:	913408
MD5:	A38A05E4A9DBFC6E7B6608B7F48D909C
Time:	02:34:18
Date:	27/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1093632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://www.eyuyan.com)DVarFileInfo$

unknown

http://upx.sf.net

unknown

http://38.147.172.248:8080/apii.php

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

58B000

unkown

page read and write

760000

heap

page read and write

2170000

heap

page read and write

54B000

unkown

page readonly

86F000

stack

page read and write

596000

unkown

page readonly

530000

heap

page read and write

4CD000

unkown

page write copy

47C000

unkown

page readonly

780000

heap

page read and write

9A000

stack

page read and write

4B7000

unkown

page write copy

401000

unkown

page execute read

2440000

heap

page read and write

2471000

heap

page read and write

2150000

heap

page read and write

401000

unkown

page execute read

2434000

heap

page read and write

19D000

stack

page read and write

5A0000

heap

page read and write

84E000

heap

page read and write

400000

unkown

page readonly

4BA000

unkown

page write copy

400000

unkown

page readonly

2430000

heap

page read and write

4F3000

unkown

page read and write

1D0000

heap

page read and write

4CE000

unkown

page read and write

670000

heap

page read and write

2570000

trusted library allocation

page read and write

8AE000

stack

page read and write

4FB000

unkown

page readonly

550000

heap

page read and write

840000

heap

page read and write

4A2000

unkown

page readonly

4B7000

unkown

page write copy

2154000

heap

page read and write

572000

unkown

page write copy

4F9000

unkown

page read and write

520000

heap

page read and write

4F5000

unkown

page read and write

56E000

unkown

page write copy

4B9000

unkown

page read and write

401000

unkown

page execute read

4CD000

unkown

page write copy

19D000

stack

page read and write

401000

unkown

page execute read

4FB000

unkown

page readonly

4CA000

unkown

page read and write

47C000

unkown

page readonly

76E000

stack

page read and write

5B0000

heap

page read and write

56E000

unkown

page write copy

84A000

heap

page read and write

57F000

unkown

page read and write

9AF000

stack

page read and write

9A000

stack

page read and write

56A000

heap

page read and write

570000

unkown

page read and write

4A2000

unkown

page readonly

592000

unkown

page read and write

54B000

unkown

page readonly

400000

unkown

page readonly

57F000

unkown

page write copy

56E000

heap

page read and write

650000

heap

page read and write

560000

heap

page read and write

2570000

trusted library allocation

page read and write

2470000

heap

page read and write

4DA000

unkown

page read and write

57B000

unkown

page read and write

58F000

heap

page read and write

400000

unkown

page readonly

2210000

heap

page read and write

1D4000

heap

page read and write

596000

unkown

page readonly

There are 66 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Files

Processes

URLs

Memdumps

IOC Report
SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe