Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\XMx8r7SLZr.exe

"C:\Users\user\Desktop\XMx8r7SLZr.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7272
Target ID:	0
Parent PID:	2580
Name:	XMx8r7SLZr.exe
Path:	C:\Users\user\Desktop\XMx8r7SLZr.exe
Commandline:	"C:\Users\user\Desktop\XMx8r7SLZr.exe"
Size:	1371136
MD5:	484617C0E2A1D6F7E95F121717E11768
Time:	12:30:07
Date:	25/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x140000000
Modulesize:	1507328
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7280
Target ID:	1
Parent PID:	7272
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	12:30:07
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://login.microsoftonline.com/common/oauth2/v2.0/tokenI

unknown

https://login.microsoftonline.com/

unknown

https://login.microsoftonline.com/error?code=70000

unknown

https://login.microsoftonline.com/common/oauth2/v2.0/token.dllk

unknown

https://login.microsoftonline.com/common/oauth2/v2.0/tokenlll

unknown

https://login.microsoftonline.com/common/oauth2/v2.0/tokenK

unknown

https://login.microsoftonline.com/common/oauth2/v2.0/tokenllmL

unknown

https://login.microsoftonline.com/common/oauth2/v2.0/tokenl

unknown

https://login.microsoftonline.com/common/oauth2/v2.0/token0

unknown

https://login.microsoftonline.com/common/oauth2/v2.0/tokeny

unknown

https://login.microsoftonline.com/common/oauth2/v2.0/token~

unknown

https://login.microsoftonline.com/common/oauth2/v2.0/tokenllljbin(

unknown

https://login.microsoftonline.com/icates

unknown

https://login.microsoftonline.com/common/oauth2/v2.0/token

unknown

https://login.microsoftonline.com/common/oauth2/v2.0/tokenmL

unknown

https://login.microsoftonline.com/common/oauth2/v2.0/tokenll

unknown

There are 6 hidden URLs, click here to show them.

Domains

Name

Malicious

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive

quent-application

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive
Value name:	quent-application
Value data:	09 FB CD ED 56 B7 E0 8C 3A F6 B0 54 6A AD 52 91 F5 A8 A1 83 63 F0 5B 0C A6 79 BA 49 AD 9F 86 7D 82 10 08 1A CF E0 6E 75 4E 32 F2 77 FC 2F 96 EB 97 3B 79 B0 7A 2B 5D 42 1B A6 EA DD 2C F0 B2 0C 2D 2A 3B 3A F0 50 07 B1 6A 1C B1 2C 0E 3D 05 E6 B9 A6 F0 62 03 15 19 A6 6D F1 9E 78 10 D1 5E 81 B6 24 1A CE 60 C0 2E 64 6A 20 B5 08 CF 95 A9 38 22 16 4C 88 AE DD 26 5D 95 EB C3 01 6A 38 74 34 41 B2 2F 4F BA C0 1F EB 33 C5 10 E8 2A 82 9B B2 95 A5 DA 6F 90 A3 4D 5D FE E2 D1 AE 18 A1 0F 40 0D F4 85 F9 EC D6 CE 6A 93 7B 53 F3 E9 35 4E 36 24 DE 9C F0 EA FF 44 ED 83 A5 64 2A F7 53 60 2A 61 B3 7C BE 4F FB 29 6F C9 DF 9A E1 70 27 16 97 6A 9E 71 D8 A0 8D B8 3E 3A CE 26 C2 C8 06 2C F5 73 FE 47 C4 92 72 70 6C 45 76 7F 19 80 F1 84 F5 01 25 A5 E6 11 02 1B F2 B6 30 45 10 11 AB 25 2F F4 76 71 94 0D C2 0C 0F AE 63 3F FD B0 47 9C 74 19 AD D2 08 3E 56 2B 8D CB F0 94 3E 21 71 39 ED 83 76 1A 8E 87 5E D5 8A B6 C3 62 3D A9 06 A8 E1 55 3A 42 B6 B0 2A A6 FE 76 99 0A 30 E4 FE C8 0A B0 C5 8F E7 1F 87 0A 12 8A 48 8A C0 4E 0D 80 AC A5 07 03 FA 39 15 4B 7B BF 8D C4 0D E7 68 17 B4 3E 2E 1C 92 9D 49 FA C9 7A F2 F9 CE 00 E9 87 83

Memdumps

Base Address

Regiontype

Protect

Malicious

4F8000

heap

page read and write

4F8000

heap

page read and write

49B000

heap

page read and write

2C4E000

stack

page read and write

4F8000

heap

page read and write

489000

heap

page read and write

4F8000

heap

page read and write

4D6000

heap

page read and write

2130000

heap

page read and write

5D0000

stack

page read and write

284E000

stack

page read and write

462000

heap

page read and write

4D4000

heap

page read and write

40C000

heap

page read and write

4F8000

heap

page read and write

4D8000

heap

page read and write

2D4F000

stack

page read and write

49B000

heap

page read and write

140000000

unkown

page readonly

4D6000

heap

page read and write

4D6000

heap

page read and write

14C000

stack

page read and write

49B000

heap

page read and write

4D9000

heap

page read and write

180000

heap

page read and write

4A3000

heap

page read and write

2B4D000

stack

page read and write

4D4000

heap

page read and write

4D6000

heap

page read and write

4D8000

heap

page read and write

5D0000

unkown

page execute read

492000

heap

page read and write

274F000

stack

page read and write

4F8000

heap

page read and write

4D4000

heap

page read and write

492000

heap

page read and write

2A4B000

stack

page read and write

14015C000

unkown

page readonly

2D51000

unkown

page read and write

4F2000

heap

page read and write

2240000

unkown

page execute read

4AA000

heap

page read and write

4F8000

heap

page read and write

4D9000

heap

page read and write

140000000

unkown

page read and write

4F8000

heap

page read and write

14016E000

unkown

page readonly

2135000

heap

page read and write

14013F000

unkown

page write copy

4AA000

heap

page read and write

4A3000

heap

page read and write

434000

heap

page read and write

2066000

stack

page read and write

4A3000

heap

page read and write

4AA000

heap

page read and write

4D4000

heap

page read and write

140001000

unkown

page execute read

4F1000

heap

page read and write

4D4000

heap

page read and write

462000

heap

page read and write

400000

heap

page read and write

14015C000

unkown

page readonly

4AA000

heap

page read and write

4D4000

heap

page read and write

4F8000

heap

page read and write

2260000

unkown

page execute read

14016E000

unkown

page readonly

4F1000

heap

page read and write

2240000

remote allocation

page read and write

190000

heap

page read and write

4D6000

heap

page read and write

409000

heap

page read and write

4D9000

heap

page read and write

2300000

heap

page read and write

444000

heap

page read and write

140110000

unkown

page readonly

294F000

stack

page read and write

2240000

remote allocation

page read and write

140158000

unkown

page read and write

2240000

remote allocation

page read and write

1E0000

heap

page read and write

14013F000

unkown

page read and write

4D6000

heap

page read and write

489000

heap

page read and write

4A3000

heap

page read and write

2240000

unkown

page read and write

140001000

unkown

page execute read

4F8000

heap

page read and write

1C0000

heap

page read and write

445000

heap

page read and write

4A7000

heap

page read and write

140110000

unkown

page readonly

There are 82 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
XMx8r7SLZr.exe

Processes

URLs

Domains

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportXMx8r7SLZr.exe

Processes

URLs

Domains

Registry

Memdumps

IOC Report
XMx8r7SLZr.exe