Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\server.exe

Details

Is windows:	false
Is dropped:	false
PID:	5776
Target ID:	0
Parent PID:	3324
Name:	server.exe
Path:	C:\Users\user\Desktop\server.exe
Commandline:	C:\Users\user\Desktop\server.exe
Size:	182784
MD5:	386839452984E2EDA4151746D57EA19B
Time:	15:26:12
Date:	20/03/2023
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	708608
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary

URLs

Name

Malicious

http://193.233.175.113/drew/V9a0o6ef3/Au9_2F9Ppi_2FsgXZknJ/9gyATvTasA37TGnwf_2/FF8_2FeHTfCbmbSNhIELze/nTrHQt_2F5xY5/R3GxHbhE/YI67FVPjLAHvMvQCPm1ZB2r/hUITXAVF6y/1AwvZRZpD_2BX4_2B/OLj6it5W6CBi/bb63MeG6yuy/QmyD_2FX_2F1Ss/xqhYIyVOpHg2U1VNG_2Fq/xK7Nn_2Fqm4MHDMP/QwAVZmc5HxKcFpM/zNu_2F2WLah1WqJIoz/_2Fgr_2B0/Yx87G29pDT1ZwKwi4aHO/N92d2eUOVnKaenJHbAo/y89RoyrX/My.jlk

193.233.175.113

Details

Name:	http://193.233.175.113/drew/V9a0o6ef3/Au9_2F9Ppi_2FsgXZknJ/9gyATvTasA37TGnwf_2/FF8_2FeHTfCbmbSNhIELze/nTrHQt_2F5xY5/R3GxHbhE/YI67FVPjLAHvMvQCPm1ZB2r/hUITXAVF6y/1AwvZRZpD_2BX4_2B/OLj6it5W6CBi/bb63MeG6yuy/QmyD_2FX_2F1Ss/xqhYIyVOpHg2U1VNG_2Fq/xK7Nn_2Fqm4MHDMP/QwAVZmc5HxKcFpM/zNu_2F2WLah1WqJIoz/_2Fgr_2B0/Yx87G29pDT1ZwKwi4aHO/N92d2eUOVnKaenJHbAo/y89RoyrX/My.jlk
IP:	193.233.175.113
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\server.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found malware configuration	AV Detection

http://62.173.142.81/drew/L41ZdaozWB/9G_2FCBbfzGg7ByXT/_2Bg8QMbKe0e/hoJ4ZQmshRx/yrzS4Fo3MBljQG/zLPIZfVEynjc1_2BzcNzJ/VlCSBaC_2BsWiOk3/S_2FVtn98ADwViF/w4EuoTZ6r2ouB5CbJQ/OJAYX7gGB/SPaOx4IeK2WgwzyMW0mh/a6bMYaMIQJb9DwJ1_2B/abyaGtCr0edo_2BHNpcXcS/i41T8cYfwvY4g/ixrgvBpj/x9Y_2FoxbDLce5swL7_2FuZ/twfMwTZOCD/kYv7KY9tbIJovwRgo/dob_2F_2FGBd/pRbVJOI3b/HRL7.jlk

62.173.142.81

Details

Name:	http://62.173.142.81/drew/L41ZdaozWB/9G_2FCBbfzGg7ByXT/_2Bg8QMbKe0e/hoJ4ZQmshRx/yrzS4Fo3MBljQG/zLPIZfVEynjc1_2BzcNzJ/VlCSBaC_2BsWiOk3/S_2FVtn98ADwViF/w4EuoTZ6r2ouB5CbJQ/OJAYX7gGB/SPaOx4IeK2WgwzyMW0mh/a6bMYaMIQJb9DwJ1_2B/abyaGtCr0edo_2BHNpcXcS/i41T8cYfwvY4g/ixrgvBpj/x9Y_2FoxbDLce5swL7_2FuZ/twfMwTZOCD/kYv7KY9tbIJovwRgo/dob_2F_2FGBd/pRbVJOI3b/HRL7.jlk
IP:	62.173.142.81
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\server.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found malware configuration	AV Detection

http://193.23

unknown

Details

Name:	http://193.23
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\server.exe
Source:	server.exe, 00000000.00000002.572075785.00000000029BC000.00000004.00000010.00020000.00000000.sdmp
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

checklist.skype.com

unknown

Details

Name:	checklist.skype.com
TargetID:	0
Current Path:	C:\Users\user\Desktop\server.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

62.173.142.81

unknown

Russian Federation

Details

IP:	62.173.142.81
TargetID:	0
Current Path:	C:\Users\user\Desktop\server.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	34300
ASN name:	SPACENET-ASInternetServiceProviderRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found malware configuration	AV Detection

193.233.175.113

unknown

Russian Federation

Details

IP:	193.233.175.113
TargetID:	0
Current Path:	C:\Users\user\Desktop\server.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	8749
ASN name:	REDCOM-ASRedcomKhabarovskRussiaRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found malware configuration	AV Detection

Memdumps

Base Address

Regiontype

Protect

Malicious

2F48000

heap

page read and write

2F48000

heap

page read and write

2F48000

heap

page read and write

2F48000

heap

page read and write

2F48000

heap

page read and write

2F48000

heap

page read and write

2F48000

heap

page read and write

2F48000

heap

page read and write

2F48000

heap

page read and write

1F0000

heap

page read and write

2829000

heap

page read and write

30000

heap

page read and write

239E000

stack

page read and write

407000

unkown

page execute and read and write

49F000

unkown

page readonly

225E000

stack

page read and write

2F4B000

heap

page read and write

660000

heap

page read and write

339F000

stack

page read and write

641000

unclassified section

page execute read

359D000

stack

page read and write

389C000

stack

page read and write

379F000

stack

page read and write

49F000

unkown

page readonly

2F4B000

heap

page read and write

29BC000

stack

page read and write

620000

direct allocation

page execute and read and write

66A000

heap

page read and write

349F000

stack

page read and write

2B50000

heap

page read and write

229E000

stack

page read and write

400000

unkown

page execute and read and write

630000

direct allocation

page read and write

405000

unkown

page execute and read and write

640000

unclassified section

page read and write

6D1000

heap

page read and write

22D0000

heap

page read and write

21D0000

heap

page read and write

649000

unclassified section

page readonly

213C000

stack

page read and write

23D0000

heap

page read and write

40D000

unkown

page write copy

369A000

stack

page read and write

28A8000

heap

page read and write

401000

unkown

page execute read

69F000

heap

page read and write

221E000

stack

page read and write

9D000

stack

page read and write

2ABF000

stack

page read and write

235E000

stack

page read and write

403000

unkown

page execute and read and write

2B00000

heap

page read and write

676000

heap

page execute and read and write

689000

heap

page read and write

64C000

unclassified section

page readonly

64A000

unclassified section

page read and write

2F4B000

heap

page read and write

231D000

stack

page read and write

24B0000

heap

page read and write

400000

unkown

page readonly

40F000

unkown

page write copy

420000

unkown

page read and write

219E000

stack

page read and write

19B000

stack

page read and write

5D0000

heap

page read and write

There are 55 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
server.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportserver.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
server.exe