Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe

PE32+ executable (GUI) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	5.4183837941963615
Filename:	SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe
Filesize:	30208
MD5:	e40eb702f369e5decfb33b3d78bd4b0c
SHA1:	3de25a909a7d8f20aaa4d9aba60aeb501c247f86
SHA256:	16a2abe3f4f2c005e206318caf37a366e0084fa8ca8561f3642fa0b4f2f04a7e
SHA512:	d015925072810f6ec5044ead32efc8ed6bee2d533c39915ceb526edce20edbc7fd3447423bd6ec608478eb87fdc70c9ad6dcce8b00b8328206adc9294137b60f
SSDEEP:	384:pWIooQkbZYGM0D4DTrMiRShFRDwSH3I6ELjTo0z2d6GHnGtI4qk9QlEM69+j5P0u:nQFGM0D4DKF9wHmhAvP9Ql369aR0
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o2!.+SO.+SO.+SO."+..'SO...L./SO...K.!SO...J.1SO...N.-SO.`+N.,SO.+SN.RSO.>.F.SO.>...SO.>.M.*SO.Rich+SO.........PE..d...x..f...

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe
Category:	dropped
Dump:	XWormUI[1].exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.623796350941972
Encrypted:	false
Ssdeep:	768:SlV/w9ILiCuu+bi9telDSN+iV08YbygeQ5TQBJFvEgK/Jq0Vc6KN:SlV/Ii9tKDs4zb1qBJFnkJq0VclN
Size:	49152
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe
Category:	dropped
Dump:	RuntimeBroker.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.623796350941972
Encrypted:	false
Ssdeep:	768:SlV/w9ILiCuu+bi9telDSN+iV08YbygeQ5TQBJFvEgK/Jq0Vc6KN:SlV/Ii9tKDs4zb1qBJFnkJq0VclN
Size:	49152
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Machine Learning detection for dropped file	AV Detection
Queries memory information (via WMI often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Sigma detected: Files With System Process Name In Unsuspected Locations	System Summary
Sigma detected: System File Execution Location Anomaly	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4976
Target ID:	0
Parent PID:	4004
Name:	SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe"
Size:	30208
MD5:	E40EB702F369E5DECFB33B3D78BD4B0C
Time:	21:24:06
Date:	29/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff651790000
Modulesize:	49152
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Files With System Process Name In Unsuspected Locations	System Summary
Sigma detected: System File Execution Location Anomaly	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe

Details

Is windows:	false
Is dropped:	true
PID:	3420
Target ID:	3
Parent PID:	4976
Name:	RuntimeBroker.exe
Path:	C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe
Commandline:	C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe
Size:	49152
MD5:	2C417B524AED1DA84F185711E5A478F1
Time:	21:24:09
Date:	29/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x610000
Modulesize:	73728
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Yara detected DcRat	Stealing of Sensitive Information, Remote Access Functionality
Sigma detected: Files With System Process Name In Unsuspected Locations	System Summary
Sigma detected: System File Execution Location Anomaly	System Summary
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Creates mutexes	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://raw.githubusercontent.com/e.b

unknown

https://raw.githubusercontent.com/errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exeWYL

unknown

https://raw.githubusercontent.com/errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exeA4z

unknown

https://raw.githubusercontent.com/errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exe0

unknown

https://github.com/3;C

unknown

https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-/raw/main/XWormUI.exer

unknown

https://raw.githubusercontent.com/errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exemYj

unknown

https://raw.githubusercontent.com/errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exetXa

unknown

https://raw.githubusercontent.com/a

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-/raw/main/XWormUI.exeProgramDownloade

unknown

https://github.com/D;

unknown

https://raw.githubusercontent.com/errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exe

185.199.111.133

https://raw.githubusercontent.com/

unknown

https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-/raw/main/XWormUI.exe

140.82.121.3

There are 5 hidden URLs, click here to show them.

Domains

Name

Malicious

github.com

140.82.121.3

Details

Name:	github.com
IP:	140.82.121.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

raw.githubusercontent.com

185.199.111.133

Details

Name:	raw.githubusercontent.com
IP:	185.199.111.133
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

37.18.62.18

unknown

Netherlands

Details

IP:	37.18.62.18
TargetID:	3
Current Path:	C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe
Country:	Netherlands
Countrycode:	NLD
ASN number:	203714
ASN name:	FLEXLTD-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

140.82.121.3

github.com

United States

Details

IP:	140.82.121.3
TargetID:	0
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe
Country:	United States
Countrycode:	USA
ASN number:	36459
ASN name:	GITHUBUS
Private:	false
Domain:	github.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

185.199.111.133

raw.githubusercontent.com

Netherlands

Details

IP:	185.199.111.133
TargetID:	0
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe
Country:	Netherlands
Countrycode:	NLD
ASN number:	54113
ASN name:	FASTLYUS
Private:	false
Domain:	raw.githubusercontent.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

612000

unkown

page readonly

2AA1000

trusted library allocation

page read and write

A28000

heap

page read and write

EF0000

trusted library allocation

page read and write

1FDB6A0C000

heap

page read and write

7FFD3466D000

trusted library allocation

page execute and read and write

A4B000

heap

page read and write

1FDB6A92000

heap

page read and write

1FDB6AD4000

heap

page read and write

2D96000

trusted library allocation

page read and write

12AA1000

trusted library allocation

page read and write

7FF651799000

unkown

page readonly

610000

unkown

page readonly

1FDB6AA6000

heap

page read and write

A50000

heap

page read and write

1FDB87D0000

heap

page read and write

A88000

heap

page read and write

1C502000

heap

page read and write

1FDB6A8F000

heap

page read and write

2DA0000

trusted library allocation

page read and write

7E0000

heap

page read and write

AAE000

heap

page read and write

62A99FF000

stack

page read and write

A1F000

heap

page read and write

1FDB87C0000

remote allocation

page read and write

1FDB69E0000

heap

page read and write

7FFD3467D000

trusted library allocation

page execute and read and write

7FFD3465D000

trusted library allocation

page execute and read and write

7FFD34700000

trusted library allocation

page read and write

A37000

heap

page read and write

A2D000

heap

page read and write

B02000

heap

page read and write

7FFD34706000

trusted library allocation

page read and write

ADF000

heap

page read and write

1FDB6A41000

heap

page read and write

1FDB6A85000

heap

page read and write

1FDB6A8D000

heap

page read and write

7FF651798000

unkown

page write copy

7FFD34654000

trusted library allocation

page read and write

7FFD346AC000

trusted library allocation

page execute and read and write

1B010000

heap

page read and write

1FDB6AA6000

heap

page read and write

A13000

heap

page read and write

62A96FE000

stack

page read and write

1FDB6A8F000

heap

page read and write

7FF651790000

unkown

page readonly

1C500000

heap

page read and write

1FDB6AA1000

heap

page read and write

7FFD34674000

trusted library allocation

page read and write

F60000

heap

page execute and read and write

62A91FF000

stack

page read and write

1FDB6A5F000

heap

page read and write

A0B000

heap

page read and write

F10000

trusted library allocation

page read and write

2A9F000

stack

page read and write

2D8A000

trusted library allocation

page read and write

1FDB6AD2000

heap

page read and write

A3D000

heap

page read and write

7FFD34800000

trusted library allocation

page execute and read and write

7D0000

heap

page read and write

1FDB6C15000

heap

page read and write

1FDB6A1F000

heap

page read and write

62A92FE000

stack

page read and write

7FF651795000

unkown

page readonly

DCF000

stack

page read and write

1FDB6AD4000

heap

page read and write

1AF1D000

stack

page read and write

1B1A0000

heap

page read and write

7FFD34660000

trusted library allocation

page read and write

7FFD3470C000

trusted library allocation

page execute and read and write

A47000

heap

page read and write

62A90F5000

stack

page read and write

AFE000

heap

page read and write

7FF651791000

unkown

page execute read

7FFD34770000

trusted library allocation

page execute and read and write

1FDB6BD0000

heap

page read and write

1FDB6A79000

heap

page read and write

1C600000

heap

page read and write

1FDB87D1000

heap

page read and write

F43000

trusted library allocation

page read and write

7FFD34736000

trusted library allocation

page execute and read and write

1FDB6AEF000

heap

page read and write

7FFD34710000

trusted library allocation

page execute and read and write

F30000

heap

page execute and read and write

1FDB6AEA000

heap

page read and write

7FF651790000

unkown

page readonly

7FF651798000

unkown

page read and write

1002000

heap

page read and write

610000

unkown

page readonly

1B000000

heap

page read and write

7C0000

heap

page read and write

1FDB69D0000

heap

page read and write

7FF651795000

unkown

page readonly

A45000

heap

page read and write

1FDB6C10000

heap

page read and write

7A0000

heap

page read and write

1FDB6A76000

heap

page read and write

1FDB87C0000

remote allocation

page read and write

764000

stack

page read and write

A26000

heap

page read and write

1FDB6AF0000

heap

page read and write

1C518000

heap

page read and write

1FDB6A97000

heap

page read and write

7FFD34663000

trusted library allocation

page read and write

A00000

heap

page read and write

2D90000

trusted library allocation

page read and write

2DB4000

trusted library allocation

page read and write

1102000

heap

page read and write

7FFD347F0000

trusted library allocation

page read and write

1FDB6A85000

heap

page read and write

1FDB87C0000

remote allocation

page read and write

1C402000

heap

page execute and read and write

1FDB6A8D000

heap

page read and write

1C52D000

heap

page read and write

F40000

trusted library allocation

page read and write

A35000

heap

page read and write

A3F000

heap

page read and write

1FDB6AED000

heap

page read and write

7FF651799000

unkown

page readonly

61E000

unkown

page readonly

A64000

heap

page read and write

1FDB6AD2000

heap

page read and write

1FDB6A00000

heap

page read and write

7FF651791000

unkown

page execute read

1FDB6A97000

heap

page read and write

1FDB6A92000

heap

page read and write

1FDB6A5F000

heap

page read and write

F20000

heap

page read and write

7FF4367D0000

trusted library allocation

page execute and read and write

1C504000

heap

page read and write

7FFD34653000

trusted library allocation

page execute and read and write

1FDB6A42000

heap

page read and write

7FFD34670000

trusted library allocation

page read and write

There are 123 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe