Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.080484692009945
Filename:	SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
Filesize:	507392
MD5:	d9e95ae1bc04e66f7333eaf9079ae849
SHA1:	dfaffbd0736b93665e702b24737b64647d70f03f
SHA256:	2fc46917a56f67b597fd3e56792a5e3a0a563c8bb9f4410adf209e0670be1f68
SHA512:	ecba89786f5dccb015395a4246f2606de9a0749bad66e2eab46322baea414c4a312129d22b91ae7bcac3990849f37501d7e939dfe8d217532fb29f350656a3d1
SSDEEP:	6144:Kiw0qvLJXnlUGujCtjno6itQl+REw6FMG/UHQS8PUHIRA8yVYtFm6axHUdi0G/7v:KkqjVnl36ud0zR/6CtQ9PUHIG8DnMj/
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.........."...0..0...........M... ........@.. ....................... ............`................................

Signature Hits	Behavior Group	Mitre Attack
.NET source code contains potential unpacker	Data Obfuscation
.NET source code contains very large strings	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Potential time zone aware malware	Malware Analysis System Evasion	System Time Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.032507930559015
Encrypted:	false
Ssdeep:	6:prVjE5JQ879cwdEQ87CGUE87XC8WBBFaD87E3hCRyFP6eIuFUfyAe:prVjEs87mG87rv87XC88eD87E3UApt5v
Size:	288
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe

"C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4904
Target ID:	0
Parent PID:	4004
Name:	SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe"
Size:	507392
MD5:	D9E95AE1BC04E66F7333EAF9079AE849
Time:	15:34:30
Date:	13/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x90000
Modulesize:	532480
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Costura Assembly Loader	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	2812
Target ID:	1
Parent PID:	4904
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	15:34:30
Date:	13/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://www.newtonsoft.com/json

unknown

Details

Name:	https://www.newtonsoft.com/json
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
Source:	SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://www.nuget.org/packages/Newtonsoft.Json.Bson

unknown

Details

Name:	https://www.nuget.org/packages/Newtonsoft.Json.Bson
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
Source:	SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://james.newtonking.com/projects/json

unknown

https://www.newtonsoft.com/jsonschema

unknown

https://github.com/JamesNK/Newtonsoft.Json

unknown

Details

Name:	https://github.com/JamesNK/Newtonsoft.Json
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
Source:	SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

2611000

trusted library allocation

page read and write

92000

unkown

page readonly

800000

trusted library allocation

page read and write

E6000

unkown

page readonly

8D1000

heap

page read and write

25B7000

trusted library allocation

page read and write

A80000

heap

page read and write

860000

trusted library allocation

page execute and read and write

510000

heap

page read and write

A70000

trusted library allocation

page read and write

870000

trusted library allocation

page read and write

827000

trusted library allocation

page execute and read and write

49FE000

stack

page read and write

1AC000

stack

page read and write

81A000

trusted library allocation

page execute and read and write

690000

heap

page read and write

89A000

heap

page read and write

8E3000

heap

page read and write

7F0000

trusted library allocation

page read and write

6E6000

heap

page read and write

25C0000

trusted library allocation

page read and write

259E000

stack

page read and write

2430000

trusted library section

page read and write

4A3E000

stack

page read and write

249E000

stack

page read and write

363D000

trusted library allocation

page read and write

25B5000

trusted library allocation

page read and write

2600000

heap

page execute and read and write

890000

heap

page read and write

7FD000

trusted library allocation

page execute and read and write

242E000

stack

page read and write

850000

heap

page read and write

25BA000

trusted library allocation

page read and write

4DEF000

stack

page read and write

25C7000

trusted library allocation

page read and write

7F3000

trusted library allocation

page execute and read and write

4F5000

stack

page read and write

7F4000

trusted library allocation

page read and write

6E0000

heap

page read and write

8C4000

heap

page read and write

4A40000

heap

page execute and read and write

8BB000

heap

page read and write

4B3E000

stack

page read and write

9CE000

stack

page read and write

90000

unkown

page readonly

FC000

unkown

page readonly

2450000

heap

page read and write

6D0000

trusted library allocation

page read and write

38AB000

trusted library allocation

page read and write

82B000

trusted library allocation

page execute and read and write

89E000

heap

page read and write

25B3000

trusted library allocation

page read and write

25B0000

trusted library allocation

page read and write

816000

trusted library allocation

page execute and read and write

A79000

trusted library allocation

page read and write

4EEE000

stack

page read and write

3611000

trusted library allocation

page read and write

5F0000

heap

page read and write

4C4E000

stack

page read and write

25D0000

trusted library allocation

page read and write

4A50000

trusted library section

page read and write

There are 51 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe

Files

Processes

URLs

Memdumps

IOC Report
SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe