Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

FSJs1TlAyf.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	7.92076736379278
Filename:	FSJs1TlAyf.exe
Filesize:	1908755
MD5:	ee9523e1c8dacfac2fa2414e6ff2bb3e
SHA1:	0134b858c8ad7445ea13f7fbd92705dc80dd726f
SHA256:	d275d3443707fd0808aadf5e4697b4dc38f5c74034cec06af426142c4ea72bd0
SHA512:	f302124d0224657fc25e05bc16fe8a4bd7426f9e822094ed6c549c559b3d8d12652bbb62b4016537f30e91d0f1d4e11c4ab20eac100bfaf87214dc05118a9c4c
SSDEEP:	24576:zzmVuyO5XT6785RIWO4r2EBnfxGmTgayLPA8nkweCk9mIZQeICFcIiLbnQNbnKWX:zXzXTK82EZ5zgzQCFIKerF1wA2W5V
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0..&t..ut..ut..u...ts..u...t...u...t~..u...uw..u&..tS..u&..te..u&..t}..u...tq..ut..u...u...t`..u...tu..uRicht..u...............

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Detected potential crypto function	System Summary	System Time Discovery Archive Collected Data Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
Found evasive API chain checking for process token information	Malware Analysis System Evasion	Native API Security Software Discovery
Found large amount of non-executed APIs	Malware Analysis System Evasion	System Time Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Contains functionality for error logging	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Sample reads its own file content	System Summary	Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

\Device\ConDrv

JSON data

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\FSJs1TlAyf.exe
Type:	JSON data
Entropy:	4.992032697619302
Encrypted:	false
Ssdeep:	3:sVWLVVALkjBXFEWMAK0Nk8uUWJRWjdpi2mgL5eT98uUWJRWjGvn:sAzTFXF2oNk8uNJALtHAT98uNJAav
Size:	158
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\FSJs1TlAyf.exe

"C:\Users\user\Desktop\FSJs1TlAyf.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6088
Target ID:	0
Parent PID:	1028
Name:	FSJs1TlAyf.exe
Path:	C:\Users\user\Desktop\FSJs1TlAyf.exe
Commandline:	"C:\Users\user\Desktop\FSJs1TlAyf.exe"
Size:	1908755
MD5:	EE9523E1C8DACFAC2FA2414E6FF2BB3E
Time:	10:45:55
Date:	27/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff715200000
Modulesize:	401408
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
PE file has an executable .text section and no other executable section	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5676
Target ID:	1
Parent PID:	6088
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	10:45:55
Date:	27/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

7FF715201000

unkown

page execute read

7FF71524D000

unkown

page readonly

1AC10084000

heap

page read and write

1AC10000000

heap

page read and write

7FF71523C000

unkown

page write copy

1AC10020000

heap

page read and write

347C7CF000

stack

page read and write

347C3E6000

stack

page read and write

7FF715200000

unkown

page readonly

7FF71524B000

unkown

page read and write

7FF71524D000

unkown

page readonly

7FF71522A000

unkown

page readonly

1AC10070000

heap

page read and write

347C3EC000

stack

page read and write

1AC10078000

heap

page read and write

1AC10040000

heap

page read and write

1AC10010000

heap

page readonly

1AC102E0000

heap

page read and write

7FF71523C000

unkown

page read and write

7FF715201000

unkown

page execute read

7FF715200000

unkown

page readonly

347C5DF000

stack

page read and write

7FF71522A000

unkown

page readonly

There are 13 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
FSJs1TlAyf.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportFSJs1TlAyf.exe

Files

Processes

Memdumps

IOC Report
FSJs1TlAyf.exe