Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.820907275699891
Filename:	SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe
Filesize:	333639
MD5:	b1382f20fc2ac8ee00bc5d35cfe2a883
SHA1:	92dbed9a976191f17357082391fd69c38847875e
SHA256:	abecc0256e95bbe633bd3139e6baf60b95db22b8271878f3f35ae3c412ff557d
SHA512:	e34b752a0c6c9918b822640f5564449a5e82c31fe3d0cf57aaf3baae5b57bbf805f0194761c40f9444ba87d0b43828669b564c342e8cf9f834c3eed72fcd382d
SSDEEP:	6144:oP7OolMPaDCUFSjKDQBH3AgeedRuUCFJ2H/uRGtfotLxVDZF8b8a0gX5jT/R26WM:g7blMPaDCUFSO0d37N3uUCeYGtf0jZOX
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Found evasive API chain (date check)	Malware Analysis System Evasion	Access Token Manipulation
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Reads software policies	System Summary	Access Token Manipulation
Sample might require command line arguments	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp
Category:	dropped
Dump:	SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.527940424581213
Encrypted:	false
Ssdeep:	12288:ZsMLIMoi3rPR37dzHRA6nX0D9OKWbO7SERb5rNUK1bce05aDCUFJyx9Z6:6McMoi3rPR37dzHRA6G7WbuSEmK50qy0
Size:	733184
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Uses shutdown.exe to shutdown or reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to call native functions	System Summary
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Drops PE files	Persistence and Installation Behavior
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found evasive API chain checking for process token information	Malware Analysis System Evasion	Native API
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to create pipes for IPC	Language, Device and Operating System Detection	Process Injection
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Reads the Windows registered organization settings	System Summary	System Owner/User Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Reads the Windows registered owner settings	System Summary	System Owner/User Discovery

C:\Users\user\AppData\Local\Temp\is-2KP2F.tmp\_isetup\_setup64.tmp

PE32+ executable (console) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\is-2KP2F.tmp\_isetup\_setup64.tmp
Category:	dropped
Dump:	_setup64.tmp.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp
Type:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	4.720366600008286
Encrypted:	false
Ssdeep:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
Size:	6144
Whitelisted:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Processes

Path

Cmdline

Malicious

C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp

"C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp" /SL5="$103E6,76800,76800,C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe"

Details

Is windows:	false
Is dropped:	true
PID:	3360
Target ID:	1
Parent PID:	432
Name:	SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp
Path:	C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp
Commandline:	"C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp" /SL5="$103E6,76800,76800,C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe"
Size:	733184
MD5:	5F7561BFCBA09FC14E1B7F03E65C99E0
Time:	16:25:24
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	798720
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\shutdown.exe

"shutdown.exe" -r -f -t 0

Details

Is windows:	true
Is dropped:	false
PID:	1912
Target ID:	3
Parent PID:	3360
Name:	shutdown.exe
Path:	C:\Windows\SysWOW64\shutdown.exe
Commandline:	"shutdown.exe" -r -f -t 0
Size:	23552
MD5:	FCDE5AF99B82AE6137FB90C7571D40C3
Time:	16:25:26
Date:	28/09/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x940000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses shutdown.exe to shutdown or reboot the system	System Summary	System Shutdown/Reboot
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

"C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe"

Details

Is windows:	false
Is dropped:	false
PID:	432
Target ID:	0
Parent PID:	3504
Name:	SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe"
Size:	333639
MD5:	B1382F20FC2AC8EE00BC5D35CFE2A883
Time:	16:25:24
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	106496
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5652
Target ID:	4
Parent PID:	1912
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	16:25:26
Date:	28/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff70f010000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://www.innosetup.com/

unknown

http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline

unknown

http://www.remobjects.com/psU

unknown

Details

Name:	http://www.remobjects.com/psU
TargetID:	-1
From Memory:	true
Source:	SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe, 00000000.00000003.1444240891.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe, 00000000.00000003.1444389296.00000000020A8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp, 00000001.00000000.1444817104.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp.0.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.remobjects.com/ps

unknown

Details

Name:	http://www.remobjects.com/ps
TargetID:	-1
From Memory:	true
Source:	SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe, 00000000.00000003.1444240891.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe, 00000000.00000003.1444389296.00000000020A8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp, 00000001.00000000.1444817104.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp.0.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

Memdumps

Base Address

Regiontype

Protect

Malicious

401000

unkown

page execute read

2F3C000

heap

page read and write

49F000

unkown

page write copy

401000

unkown

page execute read

2E6C000

stack

page read and write

2208000

direct allocation

page read and write

6D6000

heap

page read and write

40C000

unkown

page write copy

3250000

heap

page read and write

99F000

stack

page read and write

49D000

unkown

page read and write

21F9000

heap

page read and write

2EAC000

stack

page read and write

5F8000

heap

page read and write

315D000

stack

page read and write

89F000

stack

page read and write

5F0000

heap

page read and write

21E0000

direct allocation

page read and write

3200000

heap

page read and write

400000

unkown

page readonly

2F20000

heap

page read and write

4AD000

unkown

page readonly

23B0000

direct allocation

page read and write

400000

unkown

page readonly

420000

heap

page read and write

6A0000

heap

page read and write

33FF000

stack

page read and write

6BC000

heap

page read and write

34FF000

stack

page read and write

6C0000

heap

page read and write

690000

direct allocation

page execute and read and write

6A8000

heap

page read and write

6E4000

heap

page read and write

2230000

direct allocation

page read and write

21F5000

heap

page read and write

31AE000

stack

page read and write

40E000

unkown

page write copy

2260000

heap

page read and write

2484000

heap

page read and write

3110000

heap

page read and write

2480000

heap

page read and write

20A1000

direct allocation

page read and write

49B000

unkown

page read and write

412000

unkown

page readonly

27D0000

trusted library allocation

page read and write

6E6000

heap

page read and write

4AD000

unkown

page readonly

2207000

direct allocation

page read and write

223C000

direct allocation

page read and write

51E000

stack

page read and write

550000

heap

page read and write

2090000

direct allocation

page read and write

401000

unkown

page execute read

6E2000

heap

page read and write

49B000

unkown

page write copy

2200000

direct allocation

page read and write

400000

unkown

page readonly

8EF000

stack

page read and write

2160000

heap

page read and write

6E6000

heap

page read and write

2F10000

heap

page read and write

2218000

direct allocation

page read and write

2F3A000

heap

page read and write

6E6000

heap

page read and write

2218000

direct allocation

page read and write

2223000

direct allocation

page read and write

64E000

stack

page read and write

2224000

direct allocation

page read and write

536000

heap

page read and write

321E000

stack

page read and write

2F28000

heap

page read and write

49C000

unkown

page write copy

3110000

direct allocation

page read and write

400000

unkown

page readonly

59E000

stack

page read and write

520000

heap

page read and write

3020000

heap

page read and write

2170000

heap

page read and write

6E2000

heap

page read and write

319E000

stack

page read and write

53E000

stack

page read and write

40C000

unkown

page read and write

540000

heap

page read and write

215C000

direct allocation

page read and write

316E000

stack

page read and write

6E6000

heap

page read and write

3040000

heap

page read and write

20A8000

direct allocation

page read and write

23B0000

direct allocation

page read and write

2228000

direct allocation

page read and write

401000

unkown

page execute read

20A4000

direct allocation

page read and write

19C000

stack

page read and write

2238000

direct allocation

page read and write

4D0000

heap

page read and write

27F0000

heap

page read and write

7EF000

stack

page read and write

2234000

direct allocation

page read and write

21F0000

heap

page read and write

2208000

direct allocation

page read and write

19D000

stack

page read and write

6DA000

heap

page read and write

9B000

stack

page read and write

222C000

direct allocation

page read and write

98000

stack

page read and write

530000

heap

page read and write

20A1000

direct allocation

page read and write

31DE000

stack

page read and write

6E2000

heap

page read and write

412000

unkown

page readonly

There are 100 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

Files

Processes

URLs

Registry

Memdumps

IOC Report
SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe