Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\5U5ouw7ryf.exe

"C:\Users\user\Desktop\5U5ouw7ryf.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7260
Target ID:	0
Parent PID:	3504
Name:	5U5ouw7ryf.exe
Path:	C:\Users\user\Desktop\5U5ouw7ryf.exe
Commandline:	"C:\Users\user\Desktop\5U5ouw7ryf.exe"
Size:	549888
MD5:	41B5953E5D8016A817F4F793F7EB708C
Time:	15:23:09
Date:	26/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1a0000
Modulesize:	561152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Ramnit VNC Module	Stealing of Sensitive Information, Remote Access Functionality
Contains VNC / remote desktop functionality (version string found)	Remote Access Functionality	Remote Access Software Remote Desktop Protocol
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Uncommon Svchost Parent Process	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe -k

Details

Is windows:	true
Is dropped:	false
PID:	7292
Target ID:	2
Parent PID:	7260
Name:	svchost.exe
Path:	C:\Windows\System32\svchost.exe
Commandline:	C:\Windows\system32\svchost.exe -k
Size:	55320
MD5:	B7F884C1B74A263F746EE12A5F7C9F6A
Time:	15:23:09
Date:	26/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff77afe0000
Modulesize:	65536
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Ramnit VNC Module	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Contains VNC / remote desktop functionality (version string found)	Remote Access Functionality	Remote Access Software Remote Desktop Protocol
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Uncommon Svchost Parent Process	System Summary
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection

IPs

Domain

Country

Malicious

141.11.93.195

unknown

United Kingdom

Details

IP:	141.11.93.195
TargetID:	2
Current Path:	C:\Windows\System32\svchost.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	3215
ASN name:	FranceTelecom-OrangeFR
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

10C000

system

page execute and read and write

1A6000

unkown

page write copy

1A6000

unkown

page write copy

F1000

system

page readonly

3486000

direct allocation

page read and write

3320000

direct allocation

page read and write

108000

system

page readonly

1620000

direct allocation

page read and write

10B000

system

page readonly

1A0000

unkown

page readonly

33D6000

direct allocation

page read and write

1E8CD220000

heap

page read and write

1E8CD213000

heap

page read and write

1E8CD302000

heap

page read and write

1620000

direct allocation

page read and write

33C2000

direct allocation

page read and write

107000

system

page read and write

1620000

direct allocation

page read and write

1620000

direct allocation

page read and write

34A6000

direct allocation

page read and write

1E8CD202000

heap

page read and write

3320000

direct allocation

page read and write

190000

remote allocation

page execute and read and write

1E8CD22F000

heap

page read and write

1E8CD200000

heap

page read and write

33B6000

direct allocation

page read and write

33BC000

direct allocation

page read and write

3447000

direct allocation

page read and write

1660000

heap

page read and write

348C000

direct allocation

page read and write

3447000

direct allocation

page read and write

34A6000

direct allocation

page read and write

33C2000

direct allocation

page read and write

33C2000

direct allocation

page read and write

3492000

direct allocation

page read and write

33BC000

direct allocation

page read and write

3486000

direct allocation

page read and write

3492000

direct allocation

page read and write

3447000

direct allocation

page read and write

33C2000

direct allocation

page read and write

DEF217F000

stack

page read and write

33C2000

direct allocation

page read and write

33D6000

direct allocation

page read and write

F90000

heap

page read and write

34A6000

direct allocation

page read and write

348C000

direct allocation

page read and write

33D6000

direct allocation

page read and write

DEF227F000

stack

page read and write

DEF1D0C000

stack

page read and write

1620000

direct allocation

page read and write

1620000

direct allocation

page read and write

1E8CD150000

heap

page read and write

3250000

direct allocation

page read and write

3250000

direct allocation

page read and write

228000

unkown

page readonly

1620000

direct allocation

page read and write

DEF21FF000

stack

page read and write

3486000

direct allocation

page read and write

F80000

heap

page read and write

1340000

heap

page read and write

3517000

direct allocation

page read and write

3320000

direct allocation

page read and write

228000

unkown

page readonly

1E8CEE02000

heap

page read and write

FF0000

heap

page read and write

33B6000

direct allocation

page read and write

1E8CD160000

heap

page read and write

227000

unkown

page read and write

3517000

direct allocation

page read and write

33B6000

direct allocation

page read and write

33D6000

direct allocation

page read and write

134A000

heap

page read and write

1A1000

unkown

page execute read

33D6000

direct allocation

page read and write

1E8CD130000

heap

page read and write

12FD000

stack

page read and write

33C2000

direct allocation

page read and write

3447000

direct allocation

page read and write

FE000

system

page read and write

3447000

direct allocation

page read and write

1E8CD20B000

heap

page read and write

348C000

direct allocation

page read and write

3250000

direct allocation

page read and write

134E000

heap

page read and write

1E8CD231000

heap

page read and write

1620000

direct allocation

page read and write

1A1000

unkown

page execute read

1620000

direct allocation

page read and write

3447000

direct allocation

page read and write

3250000

direct allocation

page read and write

33BC000

direct allocation

page read and write

33BC000

direct allocation

page read and write

3250000

direct allocation

page read and write

1A5000

unkown

page readonly

C0000

system

page read and write

33BC000

direct allocation

page read and write

F2C000

stack

page read and write

3250000

direct allocation

page read and write

33BC000

direct allocation

page read and write

1E8CD190000

heap

page read and write

1A5000

unkown

page readonly

1A0000

unkown

page readonly

3492000

direct allocation

page read and write

33D6000

direct allocation

page read and write

33B6000

direct allocation

page read and write

33B6000

direct allocation

page read and write

3517000

direct allocation

page read and write

33B6000

direct allocation

page read and write

C1000

system

page execute read

There are 99 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
5U5ouw7ryf.exe

Processes

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report5U5ouw7ryf.exe

Processes

IPs

Memdumps

IOC Report
5U5ouw7ryf.exe