Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\server.exe

Details

Is windows:	false
Is dropped:	false
PID:	3536
Target ID:	0
Parent PID:	3528
Name:	server.exe
Path:	C:\Users\user\Desktop\server.exe
Commandline:	C:\Users\user\Desktop\server.exe
Size:	316928
MD5:	768928D17E8D3489407B540DBAD4A770
Time:	14:39:04
Date:	15/03/2023
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	40964096
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

URLs

Name

Malicious

http://5.44.43.17/drew/4g9Pq9f8yl_2BqLNg_2F/GsF66vmh2Tpicwg37xs/IeFtLuJ4Vgq9WwijsD2n0d/Bquuj0kLXj_2B/g9_2Bh6q/18_2Bd4Y19mjSIvebXNvx4u/IKPQjubsH_/2BffqZNZA6lqyycQo/1wN43eb54EKC/UkUZJXRrn4j/R3115Fw4Czb8SK/xar7XimyyrkEE9m9c0UP0/1KSNpQlordpxo1Ws/_2B6QH8tLTSTNrP/6dO_2BuUeu5EmaGfZI/wcja66YPQ/Z_2B4nfOuMl7_2BnQaBq/8KUwwwam.jlk

5.44.43.17

http://5.44.43.17/drew/4g9Pq9f8yl_2BqLNg_2F/GsF66vmh2Tpicwg37xs/IeFtLuJ4Vgq9WwijsD2n0d/Bquuj0kLXj_2B

unknown

http://5.44.43.17/

unknown

http://5.44.43.17/-A1ED-B2838757AE1B

unknown

http://31.41.44.108/drew/FJTU0wze8Hjvm_2BHka/T78K158O_2Fv5farATygbE/7uQJsjJeUPlO2/LBUhKSJa/o4FD53ecF

unknown

http://5.44.43.17/98D0-4585-A1ED-B2838757AE1B

unknown

http://31.41.44.108/

unknown

http://31.41.44.108/32

unknown

http://31.41.

unknown

http://checklist.skype.com/drew/RCiQyn59/Gow2vU3BObfVI7A8uLXOgnm/720Rvxrh27/9sCisgCQ1dbhwi3H4/XmYN2I

unknown

Domains

Name

Malicious

checklist.skype.com

unknown

Details

Name:	checklist.skype.com
TargetID:	0
Current Path:	C:\Users\user\Desktop\server.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

5.44.43.17

unknown

Russian Federation

Details

IP:	5.44.43.17
TargetID:	0
Current Path:	C:\Users\user\Desktop\server.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	202423
ASN name:	MGNHOST-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found malware configuration	AV Detection
URLs found in memory or binary data	Networking

31.41.44.108

unknown

Russian Federation

Details

IP:	31.41.44.108
TargetID:	0
Current Path:	C:\Users\user\Desktop\server.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	56577
ASN name:	ASRELINKRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking
Found malware configuration	AV Detection
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

5258000

heap

page read and write

5258000

heap

page read and write

5258000

heap

page read and write

5258000

heap

page read and write

5258000

heap

page read and write

5258000

heap

page read and write

5258000

heap

page read and write

5258000

heap

page read and write

5258000

heap

page read and write

8DC817D000

stack

page read and write

2C90000

direct allocation

page read and write

26DEC64F000

heap

page read and write

2CF0000

heap

page read and write

5CAD000

stack

page read and write

57AF000

stack

page read and write

1F0000

heap

page read and write

2CE0000

unclassified section

page read and write

26DEC959000

heap

page read and write

9D000

stack

page read and write

407000

unkown

page execute and read and write

485E000

stack

page read and write

8DC7FF9000

stack

page read and write

525B000

heap

page read and write

26DEC5F0000

trusted library allocation

page read and write

2E3A000

heap

page read and write

26DEC600000

heap

page read and write

8DC7EFE000

stack

page read and write

26DEC960000

trusted library allocation

page read and write

4810000

heap

page read and write

26DEC647000

heap

page read and write

59ED000

stack

page read and write

4E60000

heap

page read and write

2AE9000

unkown

page readonly

19C000

stack

page read and write

48B0000

heap

page read and write

427000

unkown

page read and write

58AF000

stack

page read and write

2CCC000

stack

page read and write

5A2E000

stack

page read and write

26DEC8E0000

trusted library allocation

page read and write

26DEC880000

trusted library allocation

page read and write

410000

unkown

page write copy

2E30000

heap

page read and write

58EE000

stack

page read and write

49E0000

heap

page read and write

26DEC64F000

heap

page read and write

8DC7BCB000

stack

page read and write

4E08000

heap

page read and write

5DAA000

stack

page read and write

2EB8000

heap

page read and write

26DEC65E000

heap

page read and write

2CEC000

unclassified section

page readonly

26DEC550000

heap

page read and write

525B000

heap

page read and write

26DEC64F000

heap

page read and write

40F000

unkown

page execute read

26DEC4F0000

trusted library allocation

page read and write

2E48000

heap

page execute and read and write

26DEC5E0000

trusted library allocation

page read and write

26DED450000

trusted library allocation

page read and write

26DEC66F000

heap

page read and write

4A10000

heap

page read and write

2CEA000

unclassified section

page read and write

489E000

stack

page read and write

8DC807E000

stack

page read and write

400000

unkown

page readonly

56AF000

stack

page read and write

2E5E000

heap

page read and write

26DEC950000

heap

page read and write

26DEC570000

heap

page read and write

5C6F000

stack

page read and write

8DC7F79000

stack

page read and write

26DEC860000

trusted library allocation

page read and write

2C80000

direct allocation

page execute and read and write

2CE1000

unclassified section

page execute read

49BC000

stack

page read and write

26DEC664000

heap

page read and write

26DEC608000

heap

page read and write

400000

unkown

page execute and read and write

4E5E000

stack

page read and write

2D00000

heap

page read and write

26DEC890000

trusted library allocation

page read and write

405000

unkown

page execute and read and write

410000

unkown

page read and write

26DEC955000

heap

page read and write

401000

unkown

page execute read

8DC7E7E000

stack

page read and write

411000

unkown

page write copy

26DEC820000

trusted library allocation

page read and write

2AE9000

unkown

page readonly

2CE9000

unclassified section

page readonly

5B6E000

stack

page read and write

26DEC870000

heap

page readonly

5B2C000

stack

page read and write

8DC80F9000

stack

page read and write

403000

unkown

page execute and read and write

26DEC610000

heap

page read and write

26DEC4E0000

heap

page read and write

30000

heap

page read and write

2EAC000

heap

page read and write

4D89000

heap

page read and write

There are 91 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
server.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportserver.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
server.exe