Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Windows\System32\loaddll32.exe

loaddll32.exe "C:\Users\user\Desktop\Newtonsoft.dll"

Details

Is windows:	true
Is dropped:	false
PID:	6756
Target ID:	0
Parent PID:	2580
Name:	loaddll32.exe
Path:	C:\Windows\System32\loaddll32.exe
Commandline:	loaddll32.exe "C:\Users\user\Desktop\Newtonsoft.dll"
Size:	126464
MD5:	51E6071F9CBA48E79F10C84515AAE618
Time:	20:04:05
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x910000
Modulesize:	147456
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6784
Target ID:	1
Parent PID:	6756
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	20:04:05
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Newtonsoft.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	6904
Target ID:	2
Parent PID:	6756
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Newtonsoft.dll",#1
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	20:04:05
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\Newtonsoft.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	6984
Target ID:	3
Parent PID:	6904
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32.exe "C:\Users\user\Desktop\Newtonsoft.dll",#1
Size:	61440
MD5:	889B99C52A60DD49227C5E485A016679
Time:	20:04:05
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xbe0000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://www.newtonsoft.com/json

unknown

https://www.nuget.org/packages/Newtonsoft.Json.Bson

unknown

http://james.newtonking.com/projects/json

unknown

https://www.newtonsoft.com/jsonschema

unknown

https://github.com/JamesNK/Newtonsoft.Json

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

4C0000

heap

page read and write

5F60000

heap

page read and write

2F18000

heap

page read and write

477F000

stack

page read and write

67B000

heap

page read and write

2F23000

heap

page read and write

2F2E000

heap

page read and write

2D50000

heap

page read and write

6044000

heap

page read and write

463F000

stack

page read and write

670000

heap

page read and write

2D3A000

heap

page read and write

2F10000

heap

page read and write

6390000

trusted library allocation

page read and write

4AE000

stack

page read and write

2F23000

heap

page read and write

A9C000

stack

page read and write

2F18000

heap

page read and write

2F18000

heap

page read and write

1AD000

stack

page read and write

2F35000

heap

page read and write

2F14000

heap

page read and write

B00000

heap

page read and write

67F000

heap

page read and write

2EF0000

heap

page read and write

2F20000

heap

page read and write

2C00000

heap

page read and write

473E000

stack

page read and write

46E000

stack

page read and write

6040000

heap

page read and write

2CBF000

stack

page read and write

A59000

stack

page read and write

AD000

stack

page read and write

2D36000

heap

page read and write

2D30000

heap

page read and write

86F000

stack

page read and write

2F10000

heap

page read and write

A3F000

stack

page read and write

5F70000

heap

page read and write

2F1D000

heap

page read and write

2C7E000

stack

page read and write

5C0000

heap

page read and write

2EFA000

heap

page read and write

410000

heap

page read and write

2F23000

heap

page read and write

420000

heap

page read and write

2CFE000

stack

page read and write

There are 37 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Newtonsoft.Json

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportNewtonsoft.Json

Processes

URLs

Memdumps

IOC Report
Newtonsoft.Json