Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Riskware.Application.25773.563.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	7.920098021724909
Filename:	SecuriteInfo.com.Riskware.Application.25773.563.exe
Filesize:	28346898
MD5:	168b53e30b4b064151a7d3b5b8fb64b8
SHA1:	60c94ca95e67a143984da48906760a10344af23a
SHA256:	1bbda33a4a0ee71425e0ef5188383a661c01aa9f430f4cea6bdae78212f9c8e0
SHA512:	01fd6882d7fab22a1d8d57189c923224e3aa576f7c77a877fdd22febb928e70d8550d35d8789e36980a143050f1fb5f4afe5030fbe5ee9de5270d250d84616d5
SSDEEP:	393216:x509tqWcvPnE1wPlqOlf5Y36of4VGP8ZpNlwy99sN2AyaWWqWi00kSE:x58tClmBAAPqpN7982AyaoW1F
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...X..f..........#......L...^........1........@.......................................... ........................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Found direct / indirect Syscall (likely to bypass EDR)	HIPS / PFW / Operating System Protection Evasion	Abuse Elevation Control Mechanism
Found potential dummy code loops (likely to delay analysis)	Anti Debugging
Hides threads from debuggers	Anti Debugging
Overwrites code with unconditional jumps - possibly settings hooks in foreign process	Hooking and other Techniques for Hiding and Protection	Credential API Hooking
PE file contains section with special chars	System Summary
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion
Tries to detect debuggers (CloseHandle check)	Anti Debugging	Virtualization/Sandbox Evasion Security Software Discovery
Tries to evade analysis by execution special instruction (VM detection)	Malware Analysis System Evasion
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))	Anti Debugging	Virtualization/Sandbox Evasion Security Software Discovery
Checks if the current process is being debugged	Anti Debugging
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains sections with non-standard names	Data Obfuscation
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Reads software policies	System Summary	System Information Discovery
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

\Device\ConDrv

ASCII text, with CRLF, CR line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe
Type:	ASCII text, with CRLF, CR line terminators
Entropy:	1.501585090809539
Encrypted:	false
Ssdeep:	6:Y/ZluTZ1/h1gb5FFeJ4ajbWQwVd6ai041kUvuetFIgcNOPFaaP:Yg1/UbbE/ONfi0BUvLtm1oFLP
Size:	1254
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6204
Target ID:	0
Parent PID:	2580
Name:	SecuriteInfo.com.Riskware.Application.25773.563.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.25773.563.exe"
Size:	28346898
MD5:	168B53E30B4B064151A7D3B5B8FB64B8
Time:	15:41:22
Date:	13/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x140000000
Modulesize:	44740608
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE file contains section with special chars	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6228
Target ID:	1
Parent PID:	6204
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	15:41:22
Date:	13/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

8B6000

heap

page read and write

4D6000

heap

page read and write

21A0000

heap

page read and write

21A6000

heap

page read and write

140106000

unkown

page readonly

4D0000

heap

page read and write

21A4000

heap

page read and write

4DC000

heap

page read and write

140001000

unkown

page execute read

14C000

stack

page read and write

140143000

unkown

page read and write

140000000

unkown

page readonly

140000000

unkown

page readonly

190000

heap

page read and write

1412EE000

unkown

page execute read

141CEE000

unkown

page execute read

1426EE000

unkown

page execute read

1F0000

trusted library allocation

page read and write

140C79000

unkown

page execute read

1412EE000

unkown

page execute read

1A0000

heap

page read and write

14023F000

unkown

page execute read

7F0000

trusted library allocation

page read and write

142AAA000

unkown

page readonly

140237000

unkown

page readonly

8B0000

heap

page read and write

1426EE000

unkown

page execute read

140279000

unkown

page execute read

141CEE000

unkown

page execute read

142AAA000

unkown

page readonly

1C0000

heap

page read and write

7D0000

heap

page read and write

140273000

unkown

page read and write

There are 23 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Riskware.Application.25773.563.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Riskware.Application.25773.563.exe

Files

Processes

Memdumps

IOC Report
SecuriteInfo.com.Riskware.Application.25773.563.exe