Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Win32.MalwareX-gen.16263.14680.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.569920995733564
Filename:	SecuriteInfo.com.Win32.MalwareX-gen.16263.14680.dll
Filesize:	137728
MD5:	b81f570f1838104fd1065617c59ebf48
SHA1:	25d64e34c0f05107cd538a929c58660dac0ce0b1
SHA256:	0ba5cf206550afd14978ff0fa783bd567b8fda75ffcec65dcf0b1ea71f3d13c6
SHA512:	2464f0d3cdb3fafb854e26ae41b054ef61b35df3309a650c18f8140e7d50254729636c0742f933c30aaf2f5aceae34776563d141ca71168c66d358af2c8f1899
SSDEEP:	3072:iiS/DJksL7vkm5IuckdMZO/IdMOnbuE1TBfu8eA99l72eOA:4tplIqM9KGTBG8eA9f72e
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking

C:\Windows\Prairie Wind.bmp.bak

ASCII text, with no line terminators

dropped

Details

File:	C:\Windows\Prairie Wind.bmp.bak
Category:	dropped
Dump:	Prairie Wind.bmp.bak.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Windows\System32\loaddll32.exe
Type:	ASCII text, with no line terminators
Entropy:	3.6381404237049173
Encrypted:	false
Ssdeep:	3:KmjRJxsfCXyG:KURTsfUyG
Size:	33
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the system directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Windows\System32\loaddll32.exe

loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16263.14680.dll"

Details

Is windows:	true
Is dropped:	false
PID:	4696
Target ID:	2
Parent PID:	4056
Name:	loaddll32.exe
Path:	C:\Windows\System32\loaddll32.exe
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16263.14680.dll"
Size:	126464
MD5:	51E6071F9CBA48E79F10C84515AAE618
Time:	16:25:20
Date:	28/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xc0000
Modulesize:	147456
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6388
Target ID:	3
Parent PID:	4696
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	16:25:21
Date:	28/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16263.14680.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	7056
Target ID:	5
Parent PID:	4696
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16263.14680.dll",#1
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	16:25:21
Date:	28/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x410000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16263.14680.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	3604
Target ID:	6
Parent PID:	7056
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.16263.14680.dll",#1
Size:	61440
MD5:	889B99C52A60DD49227C5E485A016679
Time:	16:25:21
Date:	28/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa20000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://ds1.mentality-us.com/ld/HiQueen/v1/down.bmp

unknown

http://ds1.mentality-us.com/ld/HiQueen/v1/index.

unknown

http://ds1.mentality-us.com/ld/HiQueen/v1/index.jpg

unknown

Details

Name:	http://ds1.mentality-us.com/ld/HiQueen/v1/index.jpg
TargetID:	6
From Memory:	true
Current Path:	C:\Windows\SysWOW64\rundll32.exe
Source:	rundll32.exe, 00000006.00000003.1406864693.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1406952150.0000000002DA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1407328351.0000000002DA3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.16263.14680.dll

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://ds1.mentality-us.com/ld/HiQueen/v1/getnews.php?s=

unknown

http://ds1.mentality-us.com/ld/HiQueen/v1/index.jpgficmanager.nety

unknown

Details

Name:	http://ds1.mentality-us.com/ld/HiQueen/v1/index.jpgficmanager.nety
TargetID:	6
From Memory:	true
Current Path:	C:\Windows\SysWOW64\rundll32.exe
Source:	rundll32.exe, 00000006.00000002.1407328351.0000000002DD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1406952150.0000000002DD0000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://ds1.mentality-us.com/ld/HiQueen/v1/index.jpgrX

unknown

http://ds1.mentality-us.com/ld/HiQueen/v1/news.jpg

unknown

http://www.rsac.org/ratingsv01.html

unknown

Domains

Name

Malicious

ds1.mentality-us.com

unknown

time.windows.com

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

2DD0000

heap

page read and write

2D88000

heap

page read and write

2CAE000

stack

page read and write

476C000

stack

page read and write

2C6D000

stack

page read and write

2AB0000

heap

page read and write

58E000

stack

page read and write

6444000

heap

page read and write

2F87000

heap

page read and write

22FE000

stack

page read and write

2D8B000

heap

page read and write

2DD0000

heap

page read and write

6430000

heap

page read and write

1EC000

stack

page read and write

2E50000

direct allocation

page read and write

287F000

stack

page read and write

2B50000

heap

page read and write

2170000

heap

page read and write

2DA3000

heap

page read and write

2D10000

heap

page read and write

2D50000

heap

page read and write

638B000

stack

page read and write

2F8C000

heap

page read and write

7E9000

stack

page read and write

2A7C000

stack

page read and write

2B3E000

stack

page read and write

2B56000

heap

page read and write

540000

heap

page read and write

63CD000

stack

page read and write

5C0000

heap

page read and write

9C000

stack

page read and write

47EE000

stack

page read and write

243C000

stack

page read and write

482F000

stack

page read and write

657E000

stack

page read and write

5EF000

heap

page read and write

2D5A000

heap

page read and write

6420000

heap

page read and write

2D8E000

heap

page read and write

4860000

heap

page read and write

545000

heap

page read and write

2F80000

heap

page read and write

2DA3000

heap

page read and write

210C000

stack

page read and write

47AC000

stack

page read and write

2D8E000

heap

page read and write

7BE000

stack

page read and write

5D7000

heap

page read and write

8FF000

stack

page read and write

2CEF000

stack

page read and write

2D8E000

heap

page read and write

5CB000

heap

page read and write

2330000

heap

page read and write

2D79000

heap

page read and write

22BE000

stack

page read and write

430000

heap

page read and write

2AC0000

heap

page read and write

4960000

heap

page read and write

7FE000

stack

page read and write

2180000

direct allocation

page read and write

48FD000

stack

page read and write

5CF000

heap

page read and write

2D91000

heap

page read and write

2ABF000

stack

page read and write

65BF000

stack

page read and write

297F000

stack

page read and write

2D78000

heap

page read and write

29BE000

stack

page read and write

634D000

stack

page read and write

6690000

trusted library allocation

page read and write

48BE000

stack

page read and write

510000

heap

page read and write

640E000

stack

page read and write

2D84000

heap

page read and write

20B0000

heap

page read and write

6440000

heap

page read and write

There are 66 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Win32.MalwareX-gen.16263.14680.dll

Files

Processes

URLs

Domains

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Win32.MalwareX-gen.16263.14680.dll

Files

Processes

URLs

Domains

Memdumps

IOC Report
SecuriteInfo.com.Win32.MalwareX-gen.16263.14680.dll