Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.FileRepMalware.7704.21109.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.128143892143662
Filename:	SecuriteInfo.com.FileRepMalware.7704.21109.exe
Filesize:	145408
MD5:	00a1b2ddc402ca4b20cc5f82f68092e6
SHA1:	fb1e0c07a89b68d0670b2ebf548b6e076eaf8bdb
SHA256:	06707c688782793a9f9e48388edc9439237a860f9e66019272a881a3aa5ea6ab
SHA512:	63c76c695c8733b31c90faad0eb418b92dab9ebfaefc68a654197a25aa9bceab05582c72220ecd8ba73000fb73c8634d9a43f27ae95bba11ad88b28011916d1a
SSDEEP:	768:Hs2t10nBiEI9oSVZU9qZU9ml3yUPuX9XicF5ifgpmUUQVY6CZU9qZU9L:Hs2Huif5Vpv3ySs5a8UQcp
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........./...A...A...A..L....A..L....A..L....A..L....A...:...A...@...A..L....A..L....A..L....A.Rich..A.................PE..L....i.P...

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Drops PE files with benign system names	Persistence and Installation Behavior	Masquerading
Extracts suspicious resources from PE file (packer detected)	Data Obfuscation	Software Packing
Machine Learning detection for sample	AV Detection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Drops PE files	Persistence and Installation Behavior
PE file contains an invalid checksum	Data Obfuscation
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder File and Directory Discovery
Creates files inside the user directory	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Drops files with a known system name (to hide its detection)
Might use command line arguments	System Summary	Command and Scripting Interpreter
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Uses new MSVCR Dlls	Compliance, System Summary

C:\Users\user\AppData\Local\windows update\svchost.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\windows update\svchost.exe
Category:	dropped
Dump:	svchost.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7704.21109.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.338200236806117
Encrypted:	false
Ssdeep:	768:yl3yUPuX9XicF5ifgpmUUQVY6CZU9qZU9:q3ySs5a8UQcp
Size:	82944
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files with benign system names	Persistence and Installation Behavior	Masquerading
Sigma detected: Files With System Process Name In Unsuspected Locations	System Summary
Sigma detected: System File Execution Location Anomaly	System Summary
Contains functionality to upload files via FTP	Networking	Application Layer Protocol Exfiltration Over Alternative Protocol
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Uncommon Svchost Parent Process	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Drops files with a known system name (to hide its detection)
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary

C:\Users\user\AppData\Local\windows update\config

data

dropped

Details

File:	C:\Users\user\AppData\Local\windows update\config
Category:	dropped
Dump:	config.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Users\user\AppData\Local\windows update\svchost.exe
Type:	data
Entropy:	4.556139308819468
Encrypted:	false
Ssdeep:	3:3yt2aX7Fa5zu77/hadYTu25p2jeto2iJ0ihFn2fe+uDTs2J:YrFeCFyspHodhF2beTs2J
Size:	114
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7704.21109.exe

"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7704.21109.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7120
Target ID:	0
Parent PID:	4084
Name:	SecuriteInfo.com.FileRepMalware.7704.21109.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7704.21109.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7704.21109.exe"
Size:	145408
MD5:	00A1B2DDC402CA4B20CC5F82F68092E6
Time:	16:25:29
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x920000
Modulesize:	159744
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sigma detected: Files With System Process Name In Unsuspected Locations	System Summary
Sigma detected: System File Execution Location Anomaly	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains executable resources (Code or Archives)	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Uncommon Svchost Parent Process	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Users\user\AppData\Local\windows update\svchost.exe

"C:\Users\user\AppData\Local\windows update\svchost.exe"

Details

Is windows:	false
Is dropped:	true
PID:	4896
Target ID:	1
Parent PID:	7120
Name:	svchost.exe
Path:	C:\Users\user\AppData\Local\windows update\svchost.exe
Commandline:	"C:\Users\user\AppData\Local\windows update\svchost.exe"
Size:	82944
MD5:	D759329B5FA8220EFE1161BFF8B9C5EB
Time:	16:25:29
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x670000
Modulesize:	106496
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files with benign system names	Persistence and Installation Behavior	Masquerading
Extracts suspicious resources from PE file (packer detected)	Data Obfuscation	Software Packing
Sigma detected: Files With System Process Name In Unsuspected Locations	System Summary
Sigma detected: System File Execution Location Anomaly	System Summary
Drops PE files	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Uncommon Svchost Parent Process	System Summary
Drops files with a known system name (to hide its detection)
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Local\windows update\svchost.exe

"C:\Users\user\AppData\Local\windows update\svchost.exe"

Details

Is windows:	false
Is dropped:	true
PID:	5708
Target ID:	4
Parent PID:	4084
Name:	svchost.exe
Path:	C:\Users\user\AppData\Local\windows update\svchost.exe
Commandline:	"C:\Users\user\AppData\Local\windows update\svchost.exe"
Size:	82944
MD5:	D759329B5FA8220EFE1161BFF8B9C5EB
Time:	16:25:42
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x670000
Modulesize:	106496
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files with benign system names	Persistence and Installation Behavior	Masquerading
Extracts suspicious resources from PE file (packer detected)	Data Obfuscation	Software Packing
Sigma detected: Files With System Process Name In Unsuspected Locations	System Summary
Sigma detected: System File Execution Location Anomaly	System Summary
Drops PE files	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Uncommon Svchost Parent Process	System Summary
Drops files with a known system name (to hide its detection)
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Local\windows update\svchost.exe

"C:\Users\user\AppData\Local\windows update\svchost.exe"

Details

Is windows:	false
Is dropped:	true
PID:	3020
Target ID:	6
Parent PID:	4084
Name:	svchost.exe
Path:	C:\Users\user\AppData\Local\windows update\svchost.exe
Commandline:	"C:\Users\user\AppData\Local\windows update\svchost.exe"
Size:	82944
MD5:	D759329B5FA8220EFE1161BFF8B9C5EB
Time:	16:25:50
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x670000
Modulesize:	106496
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files with benign system names	Persistence and Installation Behavior	Masquerading
Extracts suspicious resources from PE file (packer detected)	Data Obfuscation	Software Packing
Sigma detected: Files With System Process Name In Unsuspected Locations	System Summary
Sigma detected: System File Execution Location Anomaly	System Summary
Drops PE files	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Uncommon Svchost Parent Process	System Summary
Drops files with a known system name (to hide its detection)
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

Domains

Name

Malicious

ruslyz.ftp.narod.ru

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

windows update

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	windows update
Value data:	"C:\Users\user\AppData\Local\windows update\svchost.exe"

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

E00000

heap

page read and write

678000

unkown

page read and write

E2D000

heap

page read and write

EF8000

heap

page read and write

7F1000

heap

page read and write

67C000

unkown

page readonly

ABD000

heap

page read and write

E24000

heap

page read and write

EBE000

heap

page read and write

F60000

heap

page read and write

AC6000

heap

page read and write

925000

unkown

page readonly

A00000

heap

page read and write

EC1000

heap

page read and write

28EE000

stack

page read and write

925000

unkown

page readonly

2C01000

heap

page read and write

BC0000

heap

page read and write

2ECE000

stack

page read and write

E2D000

heap

page read and write

492E000

stack

page read and write

A2C000

heap

page read and write

E58000

heap

page read and write

AFE000

heap

page read and write

310E000

stack

page read and write

E20000

heap

page read and write

E30000

heap

page read and write

2645000

heap

page read and write

2578000

heap

page read and write

7F6000

heap

page read and write

E29000

heap

page read and write

2750000

heap

page read and write

B01000

heap

page read and write

4B1E000

stack

page read and write

2B50000

trusted library allocation

page read and write

4A1E000

stack

page read and write

ED3000

heap

page read and write

48DE000

stack

page read and write

EEE000

heap

page read and write

E24000

heap

page read and write

670000

unkown

page readonly

EE3000

heap

page read and write

E1F000

stack

page read and write

B6B000

stack

page read and write

802000

heap

page read and write

78B000

stack

page read and write

7E0000

heap

page read and write

49DE000

stack

page read and write

519F000

stack

page read and write

A5B000

heap

page read and write

786000

stack

page read and write

ED3000

heap

page read and write

671000

unkown

page execute read

7F1000

heap

page read and write

749000

stack

page read and write

A0A000

heap

page read and write

2A9F000

stack

page read and write

676000

unkown

page readonly

7F0000

heap

page read and write

671000

unkown

page execute read

3612000

heap

page read and write

67C000

unkown

page readonly

924000

unkown

page read and write

505E000

stack

page read and write

676000

unkown

page readonly

D9E000

stack

page read and write

C9E000

stack

page read and write

C00000

heap

page read and write

676000

unkown

page readonly

E29000

heap

page read and write

2FCF000

stack

page read and write

C00000

heap

page read and write

67C000

unkown

page readonly

E52000

heap

page read and write

2560000

heap

page read and write

E12000

heap

page read and write

44DE000

stack

page read and write

15C0000

heap

page read and write

A48000

heap

page read and write

E9A000

heap

page read and write

770000

heap

page read and write

7B0000

heap

page read and write

638000

stack

page read and write

670000

unkown

page readonly

2764000

heap

page read and write

2720000

heap

page read and write

2570000

heap

page read and write

4520000

trusted library allocation

page read and write

920000

unkown

page readonly

67C000

unkown

page readonly

A26000

heap

page read and write

7A0000

heap

page read and write

2C13000

heap

page read and write

EE3000

heap

page read and write

479F000

stack

page read and write

EDC000

heap

page read and write

C02000

heap

page read and write

317E000

stack

page read and write

4B5E000

stack

page read and write

676000

unkown

page readonly

2760000

trusted library allocation

page read and write

80C000

heap

page read and write

E80000

heap

page read and write

A6A000

stack

page read and write

ED3000

heap

page read and write

2A20000

heap

page read and write

814000

heap

page read and write

2813000

heap

page read and write

7E7000

heap

page read and write

E47000

heap

page read and write

E20000

heap

page read and write

2B40000

heap

page read and write

736000

stack

page read and write

C02000

heap

page read and write

921000

unkown

page execute read

32BD000

stack

page read and write

1210000

heap

page read and write

A56000

heap

page read and write

670000

unkown

page readonly

2C13000

heap

page read and write

509E000

stack

page read and write

678000

unkown

page read and write

676000

unkown

page readonly

E00000

heap

page read and write

923000

unkown

page readonly

33FD000

stack

page read and write

2760000

heap

page read and write

E55000

heap

page read and write

EE3000

heap

page read and write

E5A000

heap

page read and write

E58000

heap

page read and write

790000

heap

page read and write

2801000

heap

page read and write

EC1000

heap

page read and write

E41000

heap

page read and write

BA0000

heap

page read and write

E5A000

heap

page read and write

B66000

stack

page read and write

EC1000

heap

page read and write

676000

unkown

page readonly

EE3000

heap

page read and write

AFB000

stack

page read and write

A42000

heap

page read and write

67C000

unkown

page readonly

2575000

heap

page read and write

3600000

heap

page read and write

EDC000

heap

page read and write

780000

heap

page read and write

7F8000

heap

page read and write

137E000

stack

page read and write

2BFF000

stack

page read and write

4200000

heap

page read and write

2D01000

heap

page read and write

73B000

stack

page read and write

147F000

stack

page read and write

67C000

unkown

page readonly

BD0000

heap

page read and write

671000

unkown

page execute read

4CBE000

stack

page read and write

923000

unkown

page readonly

4212000

heap

page read and write

E41000

heap

page read and write

110E000

stack

page read and write

A12000

heap

page read and write

671000

unkown

page execute read

E30000

heap

page read and write

671000

unkown

page execute read

43DE000

stack

page read and write

807000

heap

page read and write

EC1000

heap

page read and write

2AFE000

stack

page read and write

ABD000

heap

page read and write

2901000

heap

page read and write

B9E000

stack

page read and write

2C01000

heap

page read and write

670000

unkown

page readonly

7CA000

heap

page read and write

671000

unkown

page execute read

7CE000

heap

page read and write

34FF000

stack

page read and write

2550000

heap

page read and write

659000

stack

page read and write

4A2E000

stack

page read and write

7C0000

heap

page read and write

D1E000

stack

page read and write

E12000

heap

page read and write

469E000

stack

page read and write

670000

unkown

page readonly

7F6000

heap

page read and write

F01000

heap

page read and write

2640000

heap

page read and write

7D0000

heap

page read and write

2A30000

trusted library allocation

page read and write

E6E000

heap

page read and write

BF0000

heap

page read and write

4E0E000

stack

page read and write

AF6000

stack

page read and write

47EE000

stack

page read and write

E6E000

heap

page read and write

120F000

stack

page read and write

4C5E000

stack

page read and write

4F5E000

stack

page read and write

7D0000

heap

page read and write

921000

unkown

page execute read

EB9000

heap

page read and write

300E000

stack

page read and write

A6F000

heap

page read and write

33BE000

stack

page read and write

670000

unkown

page readonly

4DBF000

stack

page read and write

2D01000

heap

page read and write

F01000

heap

page read and write

780000

heap

page read and write

920000

unkown

page readonly

48EE000

stack

page read and write

AE1000

heap

page read and write

EC1000

heap

page read and write

4F0E000

stack

page read and write

678000

unkown

page read and write

27EE000

stack

page read and write

327F000

stack

page read and write

7B0000

heap

page read and write

There are 212 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.FileRepMalware.7704.21109.exe

Files

Processes

Domains

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.FileRepMalware.7704.21109.exe

Files

Processes

Domains

Registry

Memdumps

IOC Report
SecuriteInfo.com.FileRepMalware.7704.21109.exe