Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

QualysCloudAgent (Windows).exe

PE32 executable (console) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	7.562830715904774
Filename:	QualysCloudAgent (Windows).exe
Filesize:	19191616
MD5:	b7472d4e38a5d4f3a272568142e2e875
SHA1:	a8a6f8b37e84c100aae35ee92fbe9a6911b507ef
SHA256:	844593ab69ce5f479bf937471a385b1a966dcc7b3bfca44ffa9ccfe6420b259e
SHA512:	b537875c5f2745f692bdb8f528a04bf634ab75d7c68c88de3ac220e4deaa11129414965b36c0185fbf43cb95e22268c3ec0d13289df8c87632794b62c26d93d5
SSDEEP:	393216:w2BBNg45YacDU8vcEcvaSfYtGPfq0RIQUlcE1h:w2BU4maDocExeHq0RIQB6
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......RHJ..)$..)$..)$......)$......)$......)$..p!..)$.-w'..)$.-w .0)$.-w!.o)$..Q...)$..w ..)$..w ..)$..Q...)$..)%..($..w-.1)$..w...)$

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the system directory	System Summary	Masquerading
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
Creates install or setup log file	Compliance, Persistence and Installation Behavior
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Qualys\QualysAgent\InstallerLogs\CloudAgentInstaller.log

ASCII text, with CRLF line terminators

modified

Details

File:	C:\ProgramData\Qualys\QualysAgent\InstallerLogs\CloudAgentInstaller.log
Category:	modified
Dump:	CloudAgentInstaller.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\QualysCloudAgent (Windows).exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.221123927436535
Encrypted:	false
Ssdeep:	24:jtb3nnlMoXDW/GQeQQQ7vPHTa9UY+JPZBFaOFq7Qf:jt3neoXDW/GQeQQQbPHG+UQf
Size:	1180
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates install or setup log file	Compliance, Persistence and Installation Behavior

\Device\ConDrv

ASCII text, with CRLF, CR line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\QualysCloudAgent (Windows).exe
Type:	ASCII text, with CRLF, CR line terminators
Entropy:	4.112478772926379
Encrypted:	false
Ssdeep:	3:JI0ACMyqKFEBSE1EBEj9lHQyaFQFL4Ll:JI04yqWCkEUyaFQF8R
Size:	83
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\QualysCloudAgent (Windows).exe

"C:\Users\user\Desktop\QualysCloudAgent (Windows).exe"

Details

Is windows:	false
Is dropped:	false
PID:	7436
Target ID:	0
Parent PID:	2580
Name:	QualysCloudAgent (Windows).exe
Path:	C:\Users\user\Desktop\QualysCloudAgent (Windows).exe
Commandline:	"C:\Users\user\Desktop\QualysCloudAgent (Windows).exe"
Size:	19191616
MD5:	B7472D4E38A5D4F3A272568142E2E875
Time:	06:28:34
Date:	25/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x8f0000
Modulesize:	19210240
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7444
Target ID:	1
Parent PID:	7436
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	06:28:35
Date:	25/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://www.qualys.com0

unknown

http://www.qualys.com/company/contacts/ARPHELPTELEPHONE(650)

unknown

Details

Name:	http://www.qualys.com/company/contacts/ARPHELPTELEPHONE(650)
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\QualysCloudAgent (Windows).exe
Source:	QualysCloudAgent (Windows).exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

A71000

unkown

page readonly

A8A000

unkown

page readonly

148A000

unkown

page readonly

8F1000

unkown

page execute read

A71000

unkown

page readonly

A6A000

unkown

page read and write

A66000

unkown

page read and write

A2B000

unkown

page readonly

2580000

heap

page read and write

A8A000

unkown

page readonly

A65000

unkown

page write copy

1EFB000

stack

page read and write

148A000

unkown

page readonly

205E000

stack

page read and write

243F000

stack

page read and write

21BE000

stack

page read and write

A71000

unkown

page readonly

8F1000

unkown

page execute read

216F000

stack

page read and write

A65000

unkown

page write copy

1BDC000

stack

page read and write

A2B000

unkown

page readonly

A8A000

unkown

page readonly

2170000

heap

page read and write

2060000

heap

page read and write

1F40000

heap

page read and write

8F0000

unkown

page readonly

A6E000

unkown

page readonly

2248000

heap

page read and write

2240000

heap

page read and write

8F0000

unkown

page readonly

A68000

unkown

page write copy

225E000

heap

page read and write

226A000

heap

page read and write

A6E000

unkown

page readonly

There are 25 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
QualysCloudAgent (Windows).exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportQualysCloudAgent (Windows).exe

Files

Processes

URLs

Memdumps

IOC Report
QualysCloudAgent (Windows).exe