Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\GqSL8M2a72.exe

'C:\Users\user\Desktop\GqSL8M2a72.exe'

Details

Is windows:	true
Is dropped:	false
PID:	1832
Target ID:	1
Parent PID:	5716
Name:	GqSL8M2a72.exe
Path:	C:\Users\user\Desktop\GqSL8M2a72.exe
Commandline:	'C:\Users\user\Desktop\GqSL8M2a72.exe'
Size:	161962
MD5:	4FC29198FCC9A9FE3B31F7549D54D8E9
Time:	15:03:53
Date:	21/02/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	176128
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection,
Detected unpacking (changes PE section rights)	Data Obfuscation,	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation,	Software Packing
Multi AV Scanner detection for submitted file	AV Detection,
Contains VNC / remote desktop functionality (version string found)	Remote Access Functionality	Remote Access Software Remote Desktop Protocol
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Machine Learning detection for sample	AV Detection,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
May initialize a security null descriptor	Lowering of HIPS / PFW / Operating System Security Settings,
Uses 32bit PE files	Compliance, System Summary,
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary,	Software Packing
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion,	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary,
Sample is known by Antivirus	System Summary,
Spawns processes	System Summary,	Process Injection
Urls found in memory or binary data	Networking,

C:\Users\user\Desktop\GqSL8M2a72.exe

'C:\Users\user\Desktop\GqSL8M2a72.exe'

Details

Is windows:	true
Is dropped:	false
PID:	5864
Target ID:	2
Parent PID:	1832
Name:	GqSL8M2a72.exe
Path:	C:\Users\user\Desktop\GqSL8M2a72.exe
Commandline:	'C:\Users\user\Desktop\GqSL8M2a72.exe'
Size:	161962
MD5:	4FC29198FCC9A9FE3B31F7549D54D8E9
Time:	15:03:54
Date:	21/02/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	159744
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection,
Detected unpacking (changes PE section rights)	Data Obfuscation,	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation,	Software Packing
Multi AV Scanner detection for submitted file	AV Detection,
Contains VNC / remote desktop functionality (version string found)	Remote Access Functionality	Remote Access Software Remote Desktop Protocol
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Machine Learning detection for sample	AV Detection,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
May initialize a security null descriptor	Lowering of HIPS / PFW / Operating System Security Settings,
Uses 32bit PE files	Compliance, System Summary,
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary,	Software Packing
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion,	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary,
Sample is known by Antivirus	System Summary,
Spawns processes	System Summary,	Process Injection
Urls found in memory or binary data	Networking,

Memdumps

Base Address

Regiontype

Protect

Malicious

7FF536415000

unkown

page readonly

480000

heap default

page read and write

3B6000

unkown

page read and write

5B5000

heap default

page read and write

2220000

unkown

page readonly

7FF53620F000

unkown

page readonly

7FF53647E000

unkown

page readonly

290659F0000

heap default

page read and write

400000

unkown image

page execute and read and write

427000

unkown image

page readonly

7FF536489000

unkown

page readonly

29065A29000

unkown

page read and write

680000

heap default

page read and write

A7E000

stack

page read and write

46E000

unkown

page read and write

7FF535F80000

unkown

page readonly

7FF53624E000

unkown

page readonly

7FF536382000

unkown

page readonly

29065A13000

unkown

page read and write

7FF5362FC000

unkown

page readonly

7FF536398000

unkown

page readonly

19C000

stack

page read and write

94E18FF000

unkown

page read and write

400000

unkown image

page readonly

5B0000

heap default

page read and write

29065A46000

unkown

page read and write

401000

unkown image

page execute read

427000

unkown image

page readonly

9B000

unkown

page read and write

7FF53625A000

unkown

page readonly

7FF5362C1000

unkown

page readonly

A0F000

stack

page read and write

7FF536424000

unkown

page readonly

94E15FE000

unkown

page read and write

7FF535F90000

unkown

page readonly

29065A3C000

unkown

page read and write

610000

unkown

page readonly

2260000

heap private

page read and write

29065A50000

unkown

page read and write

29065A6E000

unkown

page read and write

29066140000

unkown

page readonly

427000

unkown image

page readonly

2300000

heap private

page read and write

7FF5363FC000

unkown

page readonly

29065A8A000

unkown

page read and write

94E12FD000

unkown

page read and write

4AE000

unkown

page read and write

23D0000

heap private

page read and write

7FF536481000

unkown

page readonly

29065A00000

unkown

page read and write

5E0000

unkown

page read and write

1F0000

unkown

page read and write

4C0000

unkown

page readonly

5C0000

unkown

page readonly

5CE000

unkown

page read and write

29066150000

unkown

page read and write

29065B13000

unkown

page read and write

7FF536392000

unkown

page readonly

A80000

unkown

page readonly

7FF536427000

unkown

page readonly

425000

unkown

page readonly

3B2000

unkown

page read and write

8CF000

stack

page read and write

428000

unkown image

page write copy

94E16F7000

unkown

page read and write

7FF5363BE000

unkown

page readonly

78F000

stack

page read and write

400000

unkown

page execute and read and write

7FF536278000

unkown

page readonly

A10000

unkown

page readonly

29065990000

heap private

page read and write

29065A4B000

unkown

page read and write

400000

unkown image

page readonly

46E000

unkown

page read and write

7FF536489000

unkown

page readonly

97F000

stack

page read and write

19C000

stack

page read and write

5D0000

unkown

page readonly

29065B08000

unkown

page read and write

400000

unkown image

page readonly

470000

unkown

page readonly

428000

unkown image

page read and write

29065B00000

unkown

page read and write

7FF5363AA000

unkown

page readonly

7FF535F7A000

unkown

page readonly

29065ED0000

unkown

page readonly

24B000

unkown

page read and write

94E137E000

unkown

page read and write

1F0000

unkown

page read and write

7FF536420000

unkown

page readonly

68A000

heap default

page read and write

422000

unkown

page read and write

94E157B000

unkown

page read and write

4B0000

heap default

page read and write

428000

unkown image

page write copy

2300000

heap private

page read and write

265E000

heap private

page read and write

90E000

unkown

page read and write

29066202000

unkown

page read and write

7FF53629D000

unkown

page readonly

580000

unkown

page read and write

401000

unkown image

page execute read

7FF5363D9000

unkown

page readonly

7FF5362C7000

unkown

page readonly

7FF5363F6000

unkown

page readonly

401000

unkown image

page execute read

9D000

unkown

page read and write

7FF536396000

unkown

page readonly

7FF53640C000

unkown

page readonly

7FF5363ED000

unkown

page readonly

401000

unkown

page execute read

29066740000

unkown

page readonly

488000

heap default

page read and write

29065A4D000

unkown

page read and write

29065C00000

unkown

page readonly

7FF5361AA000

unkown

page readonly

29065A55000

unkown

page read and write

29065CD0000

unkown

page readonly

87F000

stack

page read and write

7CE000

unkown

page read and write

7FF536293000

unkown

page readonly

24F000

unkown

page read and write

7FF536406000

unkown

page readonly

7FF536380000

unkown

page readonly

400000

unkown image

page readonly

29065B02000

unkown

page read and write

4A2000

heap default

page read and write

7FF5363CF000

unkown

page readonly

2560000

heap private

page read and write

94E127B000

unkown

page read and write

29066400000

unkown

page readonly

7FF5363C5000

unkown

page readonly

94E17FF000

unkown

page read and write

There are 123 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Processes

Memdumps