Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\1ibwQtrqNy.exe

Details

Is windows:	false
Is dropped:	false
PID:	4080
Target ID:	0
Parent PID:	3452
Name:	1ibwQtrqNy.exe
Path:	C:\Users\user\Desktop\1ibwQtrqNy.exe
Commandline:	C:\Users\user\Desktop\1ibwQtrqNy.exe
Size:	2146015
MD5:	65DD3ED482F22906E70DD004A73E5CEF
Time:	14:30:55
Date:	28/05/2023
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	77824
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Submission file is bigger than most known malware samples	System Summary

C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe

"C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe"

Details

Is windows:	false
Is dropped:	true
PID:	2576
Target ID:	2
Parent PID:	4944
Name:	Rec528.exe
Path:	C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe
Commandline:	"C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe"
Size:	2491753
MD5:	9D3532E4DB1BBBCCA78E0D2DC8AE2572
Time:	14:30:57
Date:	28/05/2023
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	17174528
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Yara detected Nymaim	E-Banking Fraud, Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Uses taskkill to terminate processes	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\IFLIjCfKSqd.exe

Details

Is windows:	false
Is dropped:	true
PID:	7052
Target ID:	3
Parent PID:	2576
Name:	IFLIjCfKSqd.exe
Path:	C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\IFLIjCfKSqd.exe
Commandline:
Size:	73728
MD5:	3FB36CB0B7172E5298D2992D42984D06
Time:	14:31:01
Date:	28/05/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x90000
Modulesize:	90112
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp

"C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp" /SL4 $2048E "C:\Users\user\Desktop\1ibwQtrqNy.exe" 1911253 52224

Details

Is windows:	false
Is dropped:	true
PID:	4944
Target ID:	1
Parent PID:	4080
Name:	is-2H2P0.tmp
Path:	C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp
Commandline:	"C:\Users\user\AppData\Local\Temp\is-50VJD.tmp\is-2H2P0.tmp" /SL4 $2048E "C:\Users\user\Desktop\1ibwQtrqNy.exe" 1911253 52224
Size:	659968
MD5:	1F2BC482C99F55A713CF6CA3C1FF04F8
Time:	14:30:56
Date:	28/05/2023
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	847872
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "Rec528.exe" /f & erase "C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe" & exit

Details

Is windows:	true
Is dropped:	false
PID:	5924
Target ID:	6
Parent PID:	2576
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /c taskkill /im "Rec528.exe" /f & erase "C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe" & exit
Size:	232960
MD5:	F3BDBE3BB6F734E357235F4D5898582D
Time:	14:31:38
Date:	28/05/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xb0000
Modulesize:	364544
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5972
Target ID:	7
Parent PID:	5924
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	625664
MD5:	EA777DEEA782E8B4D7C7C33BBF8A4496
Time:	14:31:38
Date:	28/05/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff745070000
Modulesize:	651264
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "Rec528.exe" /f

Details

Is windows:	true
Is dropped:	false
PID:	2288
Target ID:	8
Parent PID:	5924
Name:	taskkill.exe
Path:	C:\Windows\SysWOW64\taskkill.exe
Commandline:	taskkill /im "Rec528.exe" /f
Size:	74752
MD5:	15E2E0ACD891510C6268CB8899F2A1A1
Time:	14:31:38
Date:	28/05/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x930000
Modulesize:	86016
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses taskkill to terminate processes	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://45.12.253.72/default/stuk.php

45.12.253.72

http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinte

45.12.253.56

http://45.12.253.72/default/puk.php

45.12.253.72

http://45.12.253.75/dll.php

45.12.253.75

http://www.innosetup.com/

unknown

http://45.12.253.75/dll.phpd

unknown

http://www.imagemagick.org

unknown

https://macrorit.com/free-software.html

unknown

http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixintej

unknown

http://45.12.253.75/dll.phpi

unknown

http://45.12.253.75/dll.phph

unknown

http://45.12.253.75/dll.php%

unknown

http://45.12.253.72/del.php

unknown

http://45.12.253.75/dll.phpQ

unknown

http://www.finalrecovery.com/buy.htm

unknown

http://www.remobjects.com/?ps

unknown

http://45.12.253.75/dll.phpP

unknown

http://45.12.253.72/default/stuk.phpi

unknown

https://macrorit.com/disk-wiper-commercial-license-upgrade.html

unknown

http://45.12.253.75/dll.phpX

unknown

http://www.innosetup.comDVarFileInfo$

unknown

http://45.12.253.72/default/stuk.phpt

unknown

http://45.12.253.75/dll.phpL

unknown

http://45.12.253.75/dll.phpH

unknown

http://45.12.253.75/dll.phps

unknown

http://45.12.253.75/dll.php4

unknown

http://45.12.253.75/dll.php0

unknown

http://45.12.253.75/dll.phpp

unknown

http://www.innosetup.com

unknown

http://45.12.253.75/dll.php9

unknown

http://45.12.253.75/dll.php8

unknown

http://45.12.253.75/dll.phpx

unknown

http://www.remobjects.com/?psU

unknown

There are 23 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

45.12.253.72

unknown

Germany

Details

IP:	45.12.253.72
TargetID:	2
Current Path:	C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe
Country:	Germany
Countrycode:	DEU
ASN number:	33657
ASN name:	CMCSUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

45.12.253.75

unknown

Germany

Details

IP:	45.12.253.75
TargetID:	2
Current Path:	C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe
Country:	Germany
Countrycode:	DEU
ASN number:	33657
ASN name:	CMCSUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

45.12.253.98

unknown

Germany

Details

IP:	45.12.253.98
TargetID:	255
Country:	Germany
Countrycode:	DEU
ASN number:	33657
ASN name:	CMCSUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

45.12.253.56

unknown

Germany

Details

IP:	45.12.253.56
TargetID:	2
Current Path:	C:\Program Files (x86)\FLSCover\Rec528\Rec528.exe
Country:	Germany
Countrycode:	DEU
ASN number:	33657
ASN name:	CMCSUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking