Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\d2ef5.exe

Details

Is windows:	false
Is dropped:	false
PID:	4684
Target ID:	0
Parent PID:	3528
Name:	d2ef5.exe
Path:	C:\Users\user\Desktop\d2ef5.exe
Commandline:	C:\Users\user\Desktop\d2ef5.exe
Size:	37888
MD5:	1D8A445BEF0C0D4A7EC519F06C23224A
Time:	08:29:42
Date:	26/10/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Found malware configuration	AV Detection
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary

URLs

Name

Malicious

https://www.reg.ru/web-sites/?utm_source=siwdmfkshsgw.com&utm_medium=parking&utm_campaign=s_land_cms

unknown

Details

Name:	https://www.reg.ru/web-sites/?utm_source=siwdmfkshsgw.com&utm_medium=parking&utm_campaign=s_land_cms
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\d2ef5.exe
Source:	d2ef5.exe, 00000000.00000003.484854452.00000000015FC000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://www.reg.ru/web-sites/website-builder/?utm_source=siwdmfkshsgw.com&utm_medium=parking&utm_cam

unknown

Details

Name:	https://www.reg.ru/web-sites/website-builder/?utm_source=siwdmfkshsgw.com&utm_medium=parking&utm_cam
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\d2ef5.exe
Source:	d2ef5.exe, 00000000.00000003.484854452.00000000015FC000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://www.reg.ru/domain/new/?utm_source=siwdmfkshsgw.com&utm_medium=parking&utm_campaign=s_land_ne

unknown

Details

Name:	https://www.reg.ru/domain/new/?utm_source=siwdmfkshsgw.com&utm_medium=parking&utm_campaign=s_land_ne
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\d2ef5.exe
Source:	d2ef5.exe, 00000000.00000003.484854452.00000000015FC000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://reg.ru

unknown

Details

Name:	https://reg.ru
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\d2ef5.exe
Source:	d2ef5.exe, 00000000.00000003.484862658.00000000015FB000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://www.reg.ru/support/ssl-sertifikaty/zakaz-ssl-sertifikata/Kak-zakazat-besplatny-SSL-sertifika

unknown

Details

Name:	https://www.reg.ru/support/ssl-sertifikaty/zakaz-ssl-sertifikata/Kak-zakazat-besplatny-SSL-sertifika
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\d2ef5.exe
Source:	d2ef5.exe, 00000000.00000003.484845306.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, d2ef5.exe, 00000000.00000003.484854452.00000000015FC000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://www.reg.ru/dedicated/?utm_source=siwdmfkshsgw.com&utm_medium=parking&utm_campaign=s_land_ser

unknown

Details

Name:	https://www.reg.ru/dedicated/?utm_source=siwdmfkshsgw.com&utm_medium=parking&utm_campaign=s_land_ser
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\d2ef5.exe
Source:	d2ef5.exe, 00000000.00000003.484854452.00000000015FC000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://www.reg.ru/whois/?check=&dname=siwdmfkshsgw.com&reg_source=parking_auto

unknown

Details

Name:	https://www.reg.ru/whois/?check=&dname=siwdmfkshsgw.com&reg_source=parking_auto
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\d2ef5.exe
Source:	d2ef5.exe, 00000000.00000003.484862658.00000000015FB000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://parking.reg.ru/script/get_domain_data?domain_name=siwdmfkshsgw.com&rand=

unknown

Details

Name:	https://parking.reg.ru/script/get_domain_data?domain_name=siwdmfkshsgw.com&rand=
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\d2ef5.exe
Source:	d2ef5.exe, 00000000.00000003.484854452.00000000015FC000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://www.reg.ru/hosting/?utm_source=siwdmfkshsgw.com&utm_medium=parking&utm_campaign=s_land_host&

unknown

Details

Name:	https://www.reg.ru/hosting/?utm_source=siwdmfkshsgw.com&utm_medium=parking&utm_campaign=s_land_host&
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\d2ef5.exe
Source:	d2ef5.exe, 00000000.00000003.484854452.00000000015FC000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

siwdmfkshsgw.com

194.58.112.174

Details

Name:	siwdmfkshsgw.com
IP:	194.58.112.174
TargetID:	0
Current Path:	C:\Users\user\Desktop\d2ef5.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found malware configuration	AV Detection
Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

trackingg-protectioon.cdn1.mozilla.net

unknown

Details

Name:	trackingg-protectioon.cdn1.mozilla.net
TargetID:	0
Current Path:	C:\Users\user\Desktop\d2ef5.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

194.58.112.174

siwdmfkshsgw.com

Russian Federation

Details

IP:	194.58.112.174
TargetID:	0
Current Path:	C:\Users\user\Desktop\d2ef5.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	197695
ASN name:	AS-REGRU
Private:	false
Domain:	siwdmfkshsgw.com

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

15F8000

heap

page read and write

15F8000

heap

page read and write

1019000

heap

page read and write

15F8000

heap

page read and write

15F8000

heap

page read and write

15F8000

heap

page read and write

15F8000

heap

page read and write

15F8000

heap

page read and write

15F8000

heap

page read and write

15F8000

heap

page read and write

421000

unclassified section

page execute read

C7E000

stack

page read and write

10ED000

stack

page read and write

AA0000

heap

page read and write

11EE000

stack

page read and write

315F000

stack

page read and write

440000

heap

page read and write

A4E000

stack

page read and write

4CF000

heap

page read and write

15FB000

heap

page read and write

F247CFE000

stack

page read and write

4BC000

heap

page read and write

2050AD50000

heap

page read and write

401000

unkown

page execute read

9D000

stack

page read and write

2050AA30000

trusted library allocation

page read and write

46E000

heap

page read and write

F24807E000

stack

page read and write

2050AD59000

heap

page read and write

420000

unclassified section

page read and write

42A000

unclassified section

page read and write

2050BB30000

trusted library allocation

page read and write

2050AA20000

heap

page read and write

560000

heap

page read and write

402000

unkown

page readonly

404000

unkown

page read and write

2050AB60000

heap

page read and write

400000

unkown

page readonly

2050B8A0000

trusted library allocation

page read and write

19C000

stack

page read and write

2050AD10000

trusted library allocation

page read and write

2050BAC0000

heap

page readonly

4B7000

heap

page read and write

355F000

stack

page read and write

4CF000

heap

page read and write

F247E79000

stack

page read and write

1200000

heap

page read and write

4D0000

heap

page read and write

F247C7B000

stack

page read and write

F247FFE000

stack

page read and write

4AE000

heap

page read and write

2050AD55000

heap

page read and write

4BA000

heap

page read and write

402000

unkown

page readonly

2050AD00000

trusted library allocation

page read and write

660000

trusted library allocation

page read and write

2050ABC8000

heap

page read and write

F247F79000

stack

page read and write

9FC000

stack

page read and write

2050BAD0000

trusted library allocation

page read and write

404000

unkown

page write copy

3560000

heap

page read and write

CA0000

heap

page read and write

2050BAE0000

trusted library allocation

page read and write

11AE000

stack

page read and write

2050AB88000

heap

page read and write

2050ABEF000

heap

page read and write

565000

heap

page read and write

30000

heap

page read and write

49F000

heap

page read and write

2050ABD0000

heap

page read and write

1160000

heap

page read and write

1098000

heap

page read and write

A8E000

stack

page read and write

42C000

unclassified section

page readonly

F247EFF000

stack

page read and write

429000

unclassified section

page readonly

2050BAB0000

trusted library allocation

page read and write

2050ABD0000

heap

page read and write

345A000

stack

page read and write

2050AB80000

heap

page read and write

15FC000

heap

page read and write

2050AD60000

trusted library allocation

page read and write

375F000

stack

page read and write

2050AD30000

unclassified section

page read and write

400000

unkown

page readonly

8FC000

stack

page read and write

401000

unkown

page execute read

2050ACF0000

trusted library allocation

page read and write

C80000

heap

page read and write

305F000

stack

page read and write

15FB000

heap

page read and write

44A000

heap

page read and write

112D000

stack

page read and write

1F0000

trusted library allocation

page read and write

2050ABD0000

heap

page read and write

325F000

stack

page read and write

4AA000

heap

page read and write

15FC000

heap

page read and write

F247DF9000

stack

page read and write

335B000

stack

page read and write

406000

unkown

page readonly

2050AC80000

heap

page read and write

F247D7F000

stack

page read and write

406000

unkown

page readonly

There are 95 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
d2ef5.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportd2ef5.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
d2ef5.exe