Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\PASS-1234.exe

"C:\Users\user\Desktop\PASS-1234.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6732
Target ID:	0
Parent PID:	2580
Name:	PASS-1234.exe
Path:	C:\Users\user\Desktop\PASS-1234.exe
Commandline:	"C:\Users\user\Desktop\PASS-1234.exe"
Size:	1229424
MD5:	91A6507A51DDCF98F542E89C58B9A17E
Time:	09:04:54
Date:	21/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd00000
Modulesize:	1241088
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE / OLE file has an invalid certificate	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5104
Target ID:	1
Parent PID:	6732
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	09:04:54
Date:	21/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe60000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

demonstationfukewko.shop

incredibleextedwj.shop

sideindexfollowragelrew.pw

shortsvelventysjo.shop

shatterbreathepsw.shop

productivelookewr.shop

tolerateilusidjukl.shop

liabilitynighstjsko.shop

alcojoldwograpciw.shop

https://productivelookewr.shop/

unknown

https://productivelookewr.shop/apis

unknown

https://productivelookewr.shop/api

104.21.11.250

There are 2 hidden URLs, click here to show them.

Domains

Name

Malicious

productivelookewr.shop

104.21.11.250

Details

Name:	productivelookewr.shop
IP:	104.21.11.250
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

sideindexfollowragelrew.pw

unknown

Details

Name:	sideindexfollowragelrew.pw
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

104.21.11.250

productivelookewr.shop

United States

Details

IP:	104.21.11.250
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	productivelookewr.shop

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

400000

remote allocation

page execute and read and write

FFF000

stack

page read and write

7AD000

stack

page read and write

E22000

unkown

page write copy

DAB000

unkown

page execute read

14DE000

heap

page read and write

2F8D000

stack

page read and write

12F7000

stack

page read and write

B10000

heap

page read and write

C0E000

heap

page read and write

318F000

stack

page read and write

151B000

heap

page read and write

380B000

trusted library allocation

page read and write

E23000

unkown

page write copy

3980000

trusted library allocation

page read and write

150C000

heap

page read and write

146D000

stack

page read and write

DC7000

unkown

page write copy

10FF000

stack

page read and write

1578000

heap

page read and write

44A000

remote allocation

page execute and read and write

DAB000

unkown

page execute read

B20000

heap

page read and write

15A2000

heap

page read and write

E28000

unkown

page readonly

E28000

unkown

page readonly

E26000

unkown

page readonly

F60000

heap

page read and write

F80000

heap

page read and write

3880000

heap

page read and write

12D0000

heap

page read and write

376E000

stack

page read and write

378E000

trusted library allocation

page read and write

3E60000

heap

page read and write

1562000

heap

page read and write

D0F000

unkown

page execute read

378A000

trusted library allocation

page read and write

14CA000

heap

page read and write

E12000

unkown

page execute and read and write

2E8E000

stack

page read and write

DC7000

unkown

page read and write

142E000

stack

page read and write

14FD000

heap

page read and write

380F000

trusted library allocation

page read and write

14F0000

heap

page read and write

D0F000

unkown

page execute read

DB3000

unkown

page readonly

14C0000

heap

page read and write

37CE000

trusted library allocation

page read and write

C0A000

heap

page read and write

37B4000

trusted library allocation

page read and write

F65000

heap

page read and write

AFD000

stack

page read and write

E22000

unkown

page read and write

362F000

stack

page read and write

D0B000

unkown

page execute read

37C4000

trusted library allocation

page read and write

D00000

unkown

page readonly

14AE000

stack

page read and write

37AE000

trusted library allocation

page read and write

13D0000

heap

page read and write

E24000

unkown

page read and write

3813000

trusted library allocation

page read and write

F90000

heap

page read and write

B6E000

stack

page read and write

3780000

trusted library allocation

page read and write

37C9000

trusted library allocation

page read and write

366D000

stack

page read and write

1770000

heap

page read and write

FFE000

stack

page read and write

D00000

unkown

page readonly

F0B000

stack

page read and write

BDE000

stack

page read and write

E26000

unkown

page readonly

D0B000

unkown

page execute read

3CDF000

stack

page read and write

14F5000

heap

page read and write

C1B000

heap

page read and write

D01000

unkown

page execute read

308E000

stack

page read and write

D01000

unkown

page execute read

352E000

stack

page read and write

3BDE000

stack

page read and write

DB3000

unkown

page readonly

15B5000

heap

page read and write

C00000

heap

page read and write

B90000

heap

page read and write

There are 77 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
PASS-1234.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPASS-1234.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
PASS-1234.exe