IOC Report
SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_7dd5f59ad4b8c3eff5e6cb56669dac635af4597_e30bf782_3c08e170-e099-426f-ab81-7dafb72511c7\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_9f8a51d2e97124c38f6ead774f7a4d26f0c08f_e30bf782_44600bb9-7195-4d8d-b9e1-633f0683a2ec\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER90AF.tmp.dmp

Mini DuMP crash report, 14 streams, Sat Sep 28 20:25:25 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER95FF.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER961F.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA149.tmp.dmp

Mini DuMP crash report, 14 streams, Sat Sep 28 20:25:29 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA3EA.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA40A.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3872
Target ID:	4
Parent PID:	4004
Name:	SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Swizzor.based.8485.27277.exe"
Size:	753664
MD5:	B954DC27C4BF7B87DCC365EE9E1C99DB
Time:	16:25:24
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x70000
Modulesize:	753664
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file imports many functions	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 488

Details

Is windows:	true
Is dropped:	false
PID:	5880
Target ID:	7
Parent PID:	3872
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 488
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	16:25:25
Date:	28/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x310000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 508

Details

Is windows:	true
Is dropped:	false
PID:	2996
Target ID:	9
Parent PID:	3872
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 508
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	16:25:29
Date:	28/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x310000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

IP

Malicious

http://upx.sf.net

unknown

Domains

Name

IP

Malicious

ax-0001.ax-msedge.net

150.171.28.10

tse1.mm.bing.net

unknown

Registry

Path

Value

Malicious

\REGISTRY\A\{1782e59d-1ca8-f2c1-3928-c513a7b44afa}\Root\InventoryApplicationFile\securiteinfo.com|3a1fd50737c07cfd

ProgramId

\REGISTRY\A\{1782e59d-1ca8-f2c1-3928-c513a7b44afa}\Root\InventoryApplicationFile\securiteinfo.com|3a1fd50737c07cfd

FileId

\REGISTRY\A\{1782e59d-1ca8-f2c1-3928-c513a7b44afa}\Root\InventoryApplicationFile\securiteinfo.com|3a1fd50737c07cfd

LowerCaseLongPath

\REGISTRY\A\{1782e59d-1ca8-f2c1-3928-c513a7b44afa}\Root\InventoryApplicationFile\securiteinfo.com|3a1fd50737c07cfd

LongPathHash

\REGISTRY\A\{1782e59d-1ca8-f2c1-3928-c513a7b44afa}\Root\InventoryApplicationFile\securiteinfo.com|3a1fd50737c07cfd

Name

\REGISTRY\A\{1782e59d-1ca8-f2c1-3928-c513a7b44afa}\Root\InventoryApplicationFile\securiteinfo.com|3a1fd50737c07cfd

OriginalFileName

\REGISTRY\A\{1782e59d-1ca8-f2c1-3928-c513a7b44afa}\Root\InventoryApplicationFile\securiteinfo.com|3a1fd50737c07cfd

Publisher

\REGISTRY\A\{1782e59d-1ca8-f2c1-3928-c513a7b44afa}\Root\InventoryApplicationFile\securiteinfo.com|3a1fd50737c07cfd

Version

\REGISTRY\A\{1782e59d-1ca8-f2c1-3928-c513a7b44afa}\Root\InventoryApplicationFile\securiteinfo.com|3a1fd50737c07cfd

BinFileVersion

\REGISTRY\A\{1782e59d-1ca8-f2c1-3928-c513a7b44afa}\Root\InventoryApplicationFile\securiteinfo.com|3a1fd50737c07cfd

BinaryType

\REGISTRY\A\{1782e59d-1ca8-f2c1-3928-c513a7b44afa}\Root\InventoryApplicationFile\securiteinfo.com|3a1fd50737c07cfd

ProductName

\REGISTRY\A\{1782e59d-1ca8-f2c1-3928-c513a7b44afa}\Root\InventoryApplicationFile\securiteinfo.com|3a1fd50737c07cfd

ProductVersion

\REGISTRY\A\{1782e59d-1ca8-f2c1-3928-c513a7b44afa}\Root\InventoryApplicationFile\securiteinfo.com|3a1fd50737c07cfd

LinkDate

\REGISTRY\A\{1782e59d-1ca8-f2c1-3928-c513a7b44afa}\Root\InventoryApplicationFile\securiteinfo.com|3a1fd50737c07cfd

BinProductVersion

\REGISTRY\A\{1782e59d-1ca8-f2c1-3928-c513a7b44afa}\Root\InventoryApplicationFile\securiteinfo.com|3a1fd50737c07cfd

AppxPackageFullName

\REGISTRY\A\{1782e59d-1ca8-f2c1-3928-c513a7b44afa}\Root\InventoryApplicationFile\securiteinfo.com|3a1fd50737c07cfd

AppxPackageRelativeId

\REGISTRY\A\{1782e59d-1ca8-f2c1-3928-c513a7b44afa}\Root\InventoryApplicationFile\securiteinfo.com|3a1fd50737c07cfd

Size

\REGISTRY\A\{1782e59d-1ca8-f2c1-3928-c513a7b44afa}\Root\InventoryApplicationFile\securiteinfo.com|3a1fd50737c07cfd

Language

\REGISTRY\A\{1782e59d-1ca8-f2c1-3928-c513a7b44afa}\Root\InventoryApplicationFile\securiteinfo.com|3a1fd50737c07cfd

Usn

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceTicket

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

ApplicationFlags

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property

0018000DDABBE6B3

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

ClockTimeSeconds

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

TickCount

There are 15 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

1E0000

heap

page read and write

70000

unkown

page readonly

FE000

unkown

page read and write

60E000

stack

page read and write

88E000

heap

page read and write

111000

unkown

page write copy

1B0000

heap

page read and write

11A000

unkown

page readonly

A7F000

stack

page read and write

71000

unkown

page execute read

88A000

heap

page read and write

FC000

unkown

page write copy

B20000

heap

page read and write

70000

unkown

page readonly

1C0000

heap

page read and write

FF000

unkown

page write copy

476000

stack

page read and write

64E000

stack

page read and write

87000

unkown

page readonly

FC000

unkown

page write copy

10C000

unkown

page read and write

7DF000

stack

page read and write

880000

heap

page read and write

71000

unkown

page execute read

87000

unkown

page readonly

11A000

unkown

page readonly

6D0000

heap

page read and write

16C000

stack

page read and write

10D000

unkown

page write copy

110000

unkown

page read and write

2470000

heap

page read and write

There are 21 hidden memdumps, click here to show them.