Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\server.exe

Details

Is windows:	false
Is dropped:	false
PID:	5540
Target ID:	0
Parent PID:	3324
Name:	server.exe
Path:	C:\Users\user\Desktop\server.exe
Commandline:	C:\Users\user\Desktop\server.exe
Size:	192000
MD5:	8F092511C91BFC1F2516E420739A7967
Time:	16:00:49
Date:	14/03/2023
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	716800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary

URLs

Name

Malicious

http://62.173.142.51/drew/kjSOZcm1saisXVulw/nMJdjuoxI5rY/D8rf0rwxZvy/xTo4u6qyfG2cqh/DrEm9eSMLtL3Mt_2BWc8v/UHxdAMkcyeaROQd9/EwiLplzlm9gCiDQ/KqEVG_2BN1u2apPrXD/iYwyB9P6y/3dh1O1SBALUj6nSMRJfH/HHlM5d4xQO9d95rkA_2/Bt59zcQMsfJpOgJC8GeSrH/5REGnF8guLwya/xQ1cfd2Y/w3tCRH4bjXIzu_2B_2F_2B5/MmfV_2FK_2/B5ux_2BgxJ6omqMfT/iSBh1mrWB9_2/BRaJgBOq4gEVdF7OIVd_2B/4.jlk

62.173.142.51

Details

Name:	http://62.173.142.51/drew/kjSOZcm1saisXVulw/nMJdjuoxI5rY/D8rf0rwxZvy/xTo4u6qyfG2cqh/DrEm9eSMLtL3Mt_2BWc8v/UHxdAMkcyeaROQd9/EwiLplzlm9gCiDQ/KqEVG_2BN1u2apPrXD/iYwyB9P6y/3dh1O1SBALUj6nSMRJfH/HHlM5d4xQO9d95rkA_2/Bt59zcQMsfJpOgJC8GeSrH/5REGnF8guLwya/xQ1cfd2Y/w3tCRH4bjXIzu_2B_2F_2B5/MmfV_2FK_2/B5ux_2BgxJ6omqMfT/iSBh1mrWB9_2/BRaJgBOq4gEVdF7OIVd_2B/4.jlk
IP:	62.173.142.51
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\server.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
IP address seen in connection with other malware	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found malware configuration	AV Detection
URLs found in memory or binary data	Networking

http://62.173.142.51/

unknown

http://62.173

unknown

Details

Name:	http://62.173
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\server.exe
Source:	server.exe, 00000000.00000002.580755093.000000000281C000.00000004.00000010.00020000.00000000.sdmp
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://62.173.142.51/drew/kjSOZcm1saisXVulw/nMJdjuoxI5rY/D8rf0rwxZvy/xTo4u6qyfG2cqh/DrEm9eSMLtL3Mt_2

unknown

Domains

Name

Malicious

checklist.skype.com

unknown

Details

Name:	checklist.skype.com
TargetID:	0
Current Path:	C:\Users\user\Desktop\server.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

62.173.142.51

unknown

Russian Federation

Details

IP:	62.173.142.51
TargetID:	0
Current Path:	C:\Users\user\Desktop\server.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	34300
ASN name:	SPACENET-ASInternetServiceProviderRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found malware configuration	AV Detection
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

2C68000

heap

page read and write

2C68000

heap

page read and write

2C68000

heap

page read and write

2C68000

heap

page read and write

2C68000

heap

page read and write

2C68000

heap

page read and write

2C68000

heap

page read and write

2C68000

heap

page read and write

2C68000

heap

page read and write

689000

unclassified section

page readonly

223E000

stack

page read and write

40D000

unkown

page write copy

219E000

stack

page read and write

34FE000

stack

page read and write

22B0000

heap

page read and write

30000

heap

page read and write

2689000

heap

page read and write

2C6B000

heap

page read and write

35FF000

stack

page read and write

70E000

heap

page read and write

681000

unclassified section

page execute read

2708000

heap

page read and write

21FE000

stack

page read and write

22D0000

heap

page read and write

9D000

stack

page read and write

560000

heap

page read and write

32BF000

stack

page read and write

680000

unclassified section

page read and write

34BE000

stack

page read and write

407000

unkown

page execute and read and write

540000

direct allocation

page execute and read and write

2870000

heap

page read and write

67C000

stack

page read and write

690000

heap

page read and write

6CA000

heap

page read and write

717000

heap

page read and write

70F000

heap

page read and write

717000

heap

page read and write

373C000

stack

page read and write

40F000

unkown

page write copy

400000

unkown

page execute and read and write

69A000

heap

page read and write

49E000

unkown

page readonly

281C000

stack

page read and write

68A000

unclassified section

page read and write

285E000

stack

page read and write

41F000

unkown

page read and write

706000

heap

page read and write

363E000

stack

page read and write

68C000

unclassified section

page readonly

30BF000

stack

page read and write

19C000

stack

page read and write

31BF000

stack

page read and write

49E000

unkown

page readonly

550000

direct allocation

page read and write

33BA000

stack

page read and write

6BB000

heap

page read and write

6A8000

heap

page execute and read and write

2310000

heap

page read and write

228D000

stack

page read and write

403000

unkown

page execute and read and write

21B0000

heap

page read and write

2C6B000

heap

page read and write

1F0000

heap

page read and write

405000

unkown

page execute and read and write

401000

unkown

page execute read

21A0000

heap

page read and write

400000

unkown

page readonly

There are 58 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
server.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportserver.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
server.exe