Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\server.exe

Details

Is windows:	false
Is dropped:	false
PID:	5860
Target ID:	0
Parent PID:	3324
Name:	server.exe
Path:	C:\Users\user\Desktop\server.exe
Commandline:	C:\Users\user\Desktop\server.exe
Size:	193024
MD5:	17EBF60197356EB8F2996ABC026907E6
Time:	18:59:13
Date:	14/03/2023
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	716800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary

URLs

Name

Malicious

http://62.173.142.51/drew/uzFqBPgZCIqO6jg1c5K/Xjd9gdsAubWMmY_2FDAd8e/U4Ap1PqTIR2WQ/a0CAd0nU/ThrgRPS1U5uEI3kIT3QYk4V/9d6bFT0hxT/5DxxrYQlR4IV_2Fei/ZJj6rXzL8HY8/xQEVwjD3Ur1/F3MhUjI5IvSaS_/2BdrMle6CgPaU6_2BOFFJ/FAcptoJYalDMhiD8/zK9g2iPFhAmXVAs/NjAIlnCY_2B_2FS4qz/z8NkwINX2/bN1cceH77_2BrxV4WYdI/F0hZV08Kh1Pm3jwzz9R/ILM_2FNGfAIX1b0GrBrRbH/64NI6.jlk

62.173.142.51

Details

Name:	http://62.173.142.51/drew/uzFqBPgZCIqO6jg1c5K/Xjd9gdsAubWMmY_2FDAd8e/U4Ap1PqTIR2WQ/a0CAd0nU/ThrgRPS1U5uEI3kIT3QYk4V/9d6bFT0hxT/5DxxrYQlR4IV_2Fei/ZJj6rXzL8HY8/xQEVwjD3Ur1/F3MhUjI5IvSaS_/2BdrMle6CgPaU6_2BOFFJ/FAcptoJYalDMhiD8/zK9g2iPFhAmXVAs/NjAIlnCY_2B_2FS4qz/z8NkwINX2/bN1cceH77_2BrxV4WYdI/F0hZV08Kh1Pm3jwzz9R/ILM_2FNGfAIX1b0GrBrRbH/64NI6.jlk
IP:	62.173.142.51
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\server.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
IP address seen in connection with other malware	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found malware configuration	AV Detection

http://62.173

unknown

Details

Name:	http://62.173
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\server.exe
Source:	server.exe, 00000000.00000002.573293062.00000000022CC000.00000004.00000010.00020000.00000000.sdmp
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

checklist.skype.com

unknown

Details

Name:	checklist.skype.com
TargetID:	0
Current Path:	C:\Users\user\Desktop\server.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

62.173.142.51

unknown

Russian Federation

Details

IP:	62.173.142.51
TargetID:	0
Current Path:	C:\Users\user\Desktop\server.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	34300
ASN name:	SPACENET-ASInternetServiceProviderRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found malware configuration	AV Detection

Memdumps

Base Address

Regiontype

Protect

Malicious

2CD8000

heap

page read and write

2CD8000

heap

page read and write

2CD8000

heap

page read and write

2CD8000

heap

page read and write

2CD8000

heap

page read and write

2CD8000

heap

page read and write

2CD8000

heap

page read and write

2CD8000

heap

page read and write

2CD8000

heap

page read and write

2858000

heap

page read and write

230E000

stack

page read and write

2CDB000

heap

page read and write

58A000

heap

page read and write

2858000

heap

page read and write

550000

direct allocation

page execute and read and write

405000

unkown

page execute and read and write

2070000

heap

page read and write

40F000

unkown

page write copy

2858000

heap

page read and write

9D000

stack

page read and write

401000

unkown

page execute read

49E000

unkown

page readonly

2858000

heap

page read and write

30000

heap

page read and write

1F0000

heap

page read and write

2858000

heap

page read and write

342A000

stack

page read and write

400000

unkown

page readonly

23EE000

stack

page read and write

400000

unkown

page execute and read and write

2858000

heap

page read and write

407000

unkown

page execute and read and write

2858000

heap

page read and write

580000

heap

page read and write

49E000

unkown

page readonly

420000

unkown

page read and write

372C000

stack

page read and write

5EC000

heap

page read and write

332F000

stack

page read and write

20BE000

stack

page read and write

2360000

heap

page read and write

57A000

unclassified section

page read and write

579000

unclassified section

page readonly

2CDB000

heap

page read and write

403000

unkown

page execute and read and write

570000

unclassified section

page read and write

571000

unclassified section

page execute read

322F000

stack

page read and write

2858000

heap

page read and write

22CC000

stack

page read and write

2858000

heap

page read and write

5AB000

heap

page read and write

352E000

stack

page read and write

19C000

stack

page read and write

5F8000

heap

page read and write

312F000

stack

page read and write

560000

direct allocation

page read and write

28E0000

heap

page read and write

5F1000

heap

page read and write

27D9000

heap

page read and write

28AE000

stack

page read and write

23AD000

stack

page read and write

2460000

heap

page read and write

20C0000

heap

page read and write

362F000

stack

page read and write

234E000

stack

page read and write

2410000

heap

page read and write

598000

heap

page execute and read and write

202C000

stack

page read and write

245E000

stack

page read and write

540000

heap

page read and write

57C000

unclassified section

page readonly

40D000

unkown

page write copy

There are 63 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
server.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportserver.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
server.exe