Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"

Details

Is windows:	true
Is dropped:	false
PID:	5580
Target ID:	0
Parent PID:	792
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	07:40:06
Date:	03/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1912,i,11780309818604107129,14762667450560493039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	2736
Target ID:	2
Parent PID:	5580
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1912,i,11780309818604107129,14762667450560493039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	07:40:08
Date:	03/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download"

Details

Is windows:	true
Is dropped:	false
PID:	6484
Target ID:	3
Parent PID:	792
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download"
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	07:40:09
Date:	03/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\unarchiver.exe

"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip"

Details

Is windows:	true
Is dropped:	false
PID:	6224
Target ID:	5
Parent PID:	5580
Name:	unarchiver.exe
Path:	C:\Windows\SysWOW64\unarchiver.exe
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip"
Size:	12800
MD5:	16FF3CC6CC330A08EED70CBC1D35F5D2
Time:	07:40:33
Date:	03/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xfc0000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\7za.exe

"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae" "C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip"

Details

Is windows:	true
Is dropped:	false
PID:	6268
Target ID:	6
Parent PID:	6224
Name:	7za.exe
Path:	C:\Windows\SysWOW64\7za.exe
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae" "C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip"
Size:	289792
MD5:	77E556CDFDC5C592F5C46DB4127C6F4C
Time:	07:40:33
Date:	03/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x8b0000
Modulesize:	315392
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6900
Target ID:	7
Parent PID:	6268
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	07:40:34
Date:	03/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download

Details

Filetype:	URL
Filename:	http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download

Signature Hits	Behavior Group	Mitre Attack
Downloads suspicious files via Chrome	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Tries to load missing DLLs	System Summary	DLL Side-Loading
Classification label	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Downloads compressed data via HTTP	Networking	System Information Discovery Non-Application Layer Protocol Ingress Tool Transfer
Downloads files from webservers via HTTP	Networking
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Performs DNS lookups	Networking
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Uses HTTPS	Networking	Encrypted Channel Application Layer Protocol
Writes ini files	System Summary	File and Directory Discovery
Creates license or readme file	Compliance, Persistence and Installation Behavior
Uses new MSVCR Dlls	Compliance, System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary

http://nsis.sf.net/NSIS_Error

unknown

http://nsis.sf.net/NSIS_ErrorError

unknown

http://www.arraynetworks.net

unknown

http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download

103.230.39.225

Details

Name:	http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download
IP:	103.230.39.225
TargetID:	2
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Domains

Name

Malicious

bg.microsoft.map.fastly.net

199.232.214.172

nxtgen.infinitevaults.com

103.230.39.225

Details

Name:	nxtgen.infinitevaults.com
IP:	103.230.39.225
TargetID:	2
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection

www.google.com

142.250.189.132

fp2e7a.wpc.phicdn.net

192.229.211.108

IPs

Domain

Country

Malicious

239.255.255.250

unknown

Reserved

103.230.39.225

nxtgen.infinitevaults.com

Singapore

142.250.189.132

www.google.com

United States

192.168.2.4

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

1892000

trusted library allocation

page execute and read and write

4641000

trusted library allocation

page read and write

14EE000

stack

page read and write

FBE000

stack

page read and write

152E000

stack

page read and write

36A9000

trusted library allocation

page read and write

3670000

trusted library allocation

page read and write

5BEF000

stack

page read and write

586E000

stack

page read and write

1AC0000

heap

page read and write

1A90000

trusted library allocation

page read and write

596D000

stack

page read and write

1540000

heap

page read and write

369E000

trusted library allocation

page read and write

367A000

trusted library allocation

page read and write

F30000

heap

page read and write

1690000

heap

page read and write

164E000

stack

page read and write

2D30000

heap

page read and write

14A0000

heap

page read and write

16CD000

heap

page read and write

1940000

heap

page read and write

18A2000

trusted library allocation

page execute and read and write

BBC000

stack

page read and write

16B7000

heap

page read and write

5AEE000

stack

page read and write

13C0000

heap

page read and write

18EB000

trusted library allocation

page execute and read and write

189A000

trusted library allocation

page execute and read and write

36A3000

trusted library allocation

page read and write

16E8000

heap

page read and write

1B50000

heap

page read and write

F7E000

stack

page read and write

1545000

heap

page read and write

135B000

stack

page read and write

59AE000

stack

page read and write

36B0000

trusted library allocation

page read and write

369B000

trusted library allocation

page read and write

18A0000

trusted library allocation

page read and write

368A000

trusted library allocation

page read and write

12AE000

stack

page read and write

18E7000

trusted library allocation

page execute and read and write

18E0000

trusted library allocation

page read and write

5C2E000

stack

page read and write

7F790000

trusted library allocation

page execute and read and write

3641000

trusted library allocation

page read and write

1A8F000

stack

page read and write

BF0000

heap

page read and write

5AAD000

stack

page read and write

FC0000

heap

page read and write

16D2000

heap

page read and write

1980000

heap

page read and write

188F000

stack

page read and write

2C80000

trusted library allocation

page read and write

1356000

stack

page read and write

192E000

stack

page read and write

1680000

trusted library allocation

page read and write

1B0E000

stack

page read and write

18D0000

heap

page execute and read and write

367C000

trusted library allocation

page read and write

169B000

heap

page read and write

1359000

stack

page read and write

13AE000

stack

page read and write

2D35000

heap

page read and write

FE0000

heap

page read and write

125C000

stack

page read and write

2C60000

trusted library allocation

page read and write

FE8000

heap

page read and write

3695000

trusted library allocation

page read and write

57DE000

stack

page read and write

18AA000

trusted library allocation

page execute and read and write

169E000

heap

page read and write

18AC000

trusted library allocation

page execute and read and write

EFD000

stack

page read and write

2B50000

heap

page read and write

2B60000

heap

page read and write

18C2000

trusted library allocation

page execute and read and write

36A6000

trusted library allocation

page read and write

18CA000

trusted library allocation

page execute and read and write

5D2E000

stack

page read and write

2D40000

trusted library allocation

page read and write

1AA0000

trusted library allocation

page execute and read and write

There are 72 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttp://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download