Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6792
Target ID:	0
Parent PID:	2580
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	515584
MD5:	665359FE7AD7626FFDE7260978EC9470
Time:	11:44:49
Date:	30/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x390000
Modulesize:	532480
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	344
Target ID:	1
Parent PID:	6792
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	11:44:49
Date:	30/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x20000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

demonstationfukewko.shop

incredibleextedwj.shop

greetclassifytalk.shop

shortsvelventysjo.shop

productivelookewr.shop

tolerateilusidjukl.shop

https://greetclassifytalk.shop/api

172.67.177.98

liabilitynighstjsko.shop

shatterbreathepsw.shop

alcojoldwograpciw.shop

https://greetclassifytalk.shop//

unknown

https://greetclassifytalk.shop/apiM

unknown

https://greetclassifytalk.shop:443/api

unknown

https://greetclassifytalk.shop/

unknown

There are 4 hidden URLs, click here to show them.

Domains

Name

Malicious

greetclassifytalk.shop

172.67.177.98

Details

Name:	greetclassifytalk.shop
IP:	172.67.177.98
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

172.67.177.98

greetclassifytalk.shop

United States

Details

IP:	172.67.177.98
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	greetclassifytalk.shop

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

400000

remote allocation

page execute and read and write

52E000

stack

page read and write

9D8000

heap

page read and write

29C0000

trusted library allocation

page read and write

BBF000

stack

page read and write

410000

unkown

page readonly

530000

heap

page read and write

2A33000

trusted library allocation

page read and write

708000

heap

page read and write

330000

heap

page read and write

6BA000

heap

page read and write

73C000

heap

page read and write

274E000

stack

page read and write

765000

heap

page read and write

21AE000

stack

page read and write

716000

heap

page read and write

40E000

unkown

page execute and read and write

391000

unkown

page execute read

391000

unkown

page execute read

320000

heap

page read and write

490000

heap

page read and write

535000

heap

page read and write

9CA000

heap

page read and write

990000

heap

page read and write

1CD000

stack

page read and write

2A02000

trusted library allocation

page read and write

284F000

stack

page read and write

4A0000

heap

page read and write

410000

unkown

page readonly

390000

unkown

page readonly

2DF0000

heap

page read and write

20AF000

stack

page read and write

77C000

heap

page read and write

78F000

heap

page read and write

3BB000

unkown

page write copy

64E000

stack

page read and write

8FF000

stack

page read and write

3AF000

unkown

page readonly

701000

heap

page read and write

288E000

stack

page read and write

CB000

stack

page read and write

9CE000

heap

page read and write

37E000

stack

page read and write

550000

heap

page read and write

97E000

stack

page read and write

22AD000

stack

page read and write

3AF000

unkown

page readonly

3B9000

unkown

page write copy

29A0000

trusted library allocation

page read and write

6FC000

heap

page read and write

23AF000

stack

page read and write

3B9000

unkown

page read and write

9C0000

heap

page read and write

711000

heap

page read and write

2A2C000

trusted library allocation

page read and write

390000

unkown

page readonly

2AA0000

heap

page read and write

6B0000

heap

page read and write

50E000

stack

page read and write

6E6000

heap

page read and write

2CD000

stack

page read and write

29E2000

trusted library allocation

page read and write

1C9000

stack

page read and write

298E000

stack

page read and write

510000

heap

page read and write

2CFF000

stack

page read and write

76B000

heap

page read and write

9B0000

heap

page read and write

68D000

stack

page read and write

2BFE000

stack

page read and write

459000

remote allocation

page execute and read and write

There are 61 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
file.exe