Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\24314_DellFW_UPGRADE_DOCK_UTILITY_v1.2.exe

"C:\Users\user\Desktop\24314_DellFW_UPGRADE_DOCK_UTILITY_v1.2.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6456
Target ID:	0
Parent PID:	4056
Name:	24314_DellFW_UPGRADE_DOCK_UTILITY_v1.2.exe
Path:	C:\Users\user\Desktop\24314_DellFW_UPGRADE_DOCK_UTILITY_v1.2.exe
Commandline:	"C:\Users\user\Desktop\24314_DellFW_UPGRADE_DOCK_UTILITY_v1.2.exe"
Size:	3597832
MD5:	6B0996924A1FF0DF14223B378C8E4FB8
Time:	12:00:03
Date:	30/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	847872
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Initial sample is a PE file and has a suspicious name	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Use Short Name Path in Command Line	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\is-11DL1.tmp\24314_DellFW_UPGRADE_DOCK_UTILITY_v1.2.tmp

"C:\Users\user~1\AppData\Local\Temp\is-11DL1.tmp\24314_DellFW_UPGRADE_DOCK_UTILITY_v1.2.tmp" /SL5="$103E8,2740915,793600,C:\Users\user\Desktop\24314_DellFW_UPGRADE_DOCK_UTILITY_v1.2.exe"

Details

Is windows:	false
Is dropped:	true
PID:	3172
Target ID:	2
Parent PID:	6456
Name:	24314_DellFW_UPGRADE_DOCK_UTILITY_v1.2.tmp
Path:	C:\Users\user\AppData\Local\Temp\is-11DL1.tmp\24314_DellFW_UPGRADE_DOCK_UTILITY_v1.2.tmp
Commandline:	"C:\Users\user~1\AppData\Local\Temp\is-11DL1.tmp\24314_DellFW_UPGRADE_DOCK_UTILITY_v1.2.tmp" /SL5="$103E8,2740915,793600,C:\Users\user\Desktop\24314_DellFW_UPGRADE_DOCK_UTILITY_v1.2.exe"
Size:	3129344
MD5:	832E804AB463815164C8D19D9A98A79B
Time:	12:00:04
Date:	30/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	3190784
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Sigma detected: Classes Autorun Keys Modification	System Summary
Sigma detected: Use Short Name Path in Command Line	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Program Files (x86)\DellDockFW_UPGRADE_UTILITY\DellFW_UPGRADE_DOCK_UTILITY_v1.2.exe

"C:\Program Files (x86)\DellDockFW_UPGRADE_UTILITY\DellFW_UPGRADE_DOCK_UTILITY_v1.2.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5448
Target ID:	4
Parent PID:	3172
Name:	DellFW_UPGRADE_DOCK_UTILITY_v1.2.exe
Path:	C:\Program Files (x86)\DellDockFW_UPGRADE_UTILITY\DellFW_UPGRADE_DOCK_UTILITY_v1.2.exe
Commandline:	"C:\Program Files (x86)\DellDockFW_UPGRADE_UTILITY\DellFW_UPGRADE_DOCK_UTILITY_v1.2.exe"
Size:	150528
MD5:	9C953B8F51C128897ABCE0FB9AC21D93
Time:	12:00:09
Date:	30/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x140000000
Modulesize:	167936
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Initial sample is a PE file and has a suspicious name	System Summary
Drops PE files	Persistence and Installation Behavior
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Use Short Name Path in Command Line	System Summary
Executes batch files	System Summary	Scripting
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Windows shortcut file (LNK) contains relative path	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1240
Target ID:	5
Parent PID:	5448
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	12:00:09
Date:	30/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\user\AppData\Local\Temp\9B10.tmp\9B11.tmp\9B12.bat "C:\Program Files (x86)\DellDockFW_UPGRADE_UTILITY\DellFW_UPGRADE_DOCK_UTILITY_v1.2.exe""

Details

Is windows:	true
Is dropped:	false
PID:	5392
Target ID:	6
Parent PID:	5448
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	"C:\Windows\system32\cmd" /c "C:\Users\user\AppData\Local\Temp\9B10.tmp\9B11.tmp\9B12.bat "C:\Program Files (x86)\DellDockFW_UPGRADE_UTILITY\DellFW_UPGRADE_DOCK_UTILITY_v1.2.exe""
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	12:00:09
Date:	30/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6445c0000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\DellDockFW_UPGRADE_UTILITY\SalomonFwUpdaterI2C64W.exe

SalomonFwUpdaterI2C64W.exe /dockinfo

Details

Is windows:	true
Is dropped:	false
PID:	4424
Target ID:	7
Parent PID:	5392
Name:	SalomonFwUpdaterI2C64W.exe
Path:	C:\Program Files (x86)\DellDockFW_UPGRADE_UTILITY\SalomonFwUpdaterI2C64W.exe
Commandline:	SalomonFwUpdaterI2C64W.exe /dockinfo
Size:	2775552
MD5:	97E83C8B38D9556A96C0292B5008EBEE
Time:	12:00:09
Date:	30/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff719780000
Modulesize:	2822144
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection

C:\Windows\System32\find.exe

find /i check0.log "GetSalomonDockInfo Failed, check if Dock is connected to system"

Details

Is windows:	true
Is dropped:	false
PID:	6976
Target ID:	8
Parent PID:	5392
Name:	find.exe
Path:	C:\Windows\System32\find.exe
Commandline:	find /i check0.log "GetSalomonDockInfo Failed, check if Dock is connected to system"
Size:	17920
MD5:	4BF76A28D31FC73AA9FC970B22D056AF
Time:	12:00:09
Date:	30/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff73c200000
Modulesize:	36864
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://crl.entrust.net/g2ca.crl0

unknown

https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU

unknown

https://sectigo.com/CPS0

unknown

http://repository.certum.pl/ctnca.cer09

unknown

http://repository.certum.pl/cscasha2.cer0

unknown

http://ocsp.sectigo.com0

unknown

http://crl.certum.pl/ctnca.crl0k

unknown

http://ocsp.entrust.net03

unknown

http://ocsp.entrust.net02

unknown

http://ocsp.entrust.net01

unknown

http://www.entrust.net/rpa03

unknown

http://ocsp.entrust.net00

unknown

https://www.dell.com/support/home/en-us

unknown

https://www.certum.pl/CPS0

unknown

http://crl.certum.pl/cscasha2.crl0q

unknown

http://aia.entrust.net/ts2-chain256.p7c01

unknown

http://cscasha2.ocsp-certum.com04

unknown

http://crl.entrust.net/ovcs2.crl0

unknown

http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t

unknown

http://crl.entrust.net/csbr1.crl0

unknown

https://www.remobjects.com/ps

unknown

http://aia.entrust.net/ovcs2-chain.p7c01

unknown

http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#

unknown

http://subca.ocsp-certum.com01

unknown

https://www.innosetup.com/

unknown

https://sectigo.com/CPS0D

unknown

https://www.dell.com/support/home/en-usNhttps://www.dell.com/support/home/en-usNhttps://www.dell.com

unknown

https://jrsoftware.org0

unknown

https://jrsoftware.org/

unknown

http://crl.entrust.net/ts2ca.crl0

unknown

http://www.entrust.net/rpa0

unknown

http://www.certum.pl/CPS0

unknown

https://www.entrust.net/rpa0

unknown

There are 23 hidden URLs, click here to show them.

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\OpenWithProgids

DellDockFW_UPGRADE_UTILITYFile.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFiles0000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFilesHash

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DellDockFW_UPGRADE_UTILITYFile.exe

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DellDockFW_UPGRADE_UTILITYFile.exe\DefaultIcon

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DellDockFW_UPGRADE_UTILITYFile.exe\shell\open\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\DellFW_UPGRADE_DOCK_UTILITY_v1.2.exe\SupportedTypes

.myp