Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\BCb8yQ0fg8.exe

"C:\Users\user\Desktop\BCb8yQ0fg8.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7252
Target ID:	0
Parent PID:	2580
Name:	BCb8yQ0fg8.exe
Path:	C:\Users\user\Desktop\BCb8yQ0fg8.exe
Commandline:	"C:\Users\user\Desktop\BCb8yQ0fg8.exe"
Size:	944280
MD5:	807675A50EE7545E02DAEAC9822842B7
Time:	15:46:55
Date:	01/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x6d0000
Modulesize:	950272
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE / OLE file has an invalid certificate	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Windows\SysWOW64\cmd.exe

Details

Is windows:	true
Is dropped:	false
PID:	7272
Target ID:	1
Parent PID:	7252
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	C:\Windows\SysWOW64\cmd.exe
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	15:46:55
Date:	01/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Mars stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample uses string decryption to hide its real strings	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Proxy Execution Via Explorer.exe	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\explorer.exe

Details

Is windows:	true
Is dropped:	false
PID:	8120
Target ID:	7
Parent PID:	7272
Name:	explorer.exe
Class:	explorer
Path:	C:\Windows\SysWOW64\explorer.exe
Commandline:	C:\Windows\SysWOW64\explorer.exe
Size:	4514184
MD5:	DD6597597673F72E10C9DE7901FBA0A8
Time:	15:47:17
Date:	01/05/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x180000
Modulesize:	4493312
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Launches a second explorer.exe instance	System Summary
Sigma detected: Proxy Execution Via Explorer.exe	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7280
Target ID:	2
Parent PID:	7272
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	15:46:55
Date:	01/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://473750571567004317064230583514468350804565684324378075159610742091604698238217701484029465762430135913242023857750034401559054060945654540273638867228794983640833862748912121851334807031249099092790952130035074227943842970399582505875/

Details

Is windows:	true
Is dropped:	false
PID:	7372
Target ID:	3
Parent PID:	4412
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://473750571567004317064230583514468350804565684324378075159610742091604698238217701484029465762430135913242023857750034401559054060945654540273638867228794983640833862748912121851334807031249099092790952130035074227943842970399582505875/
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	15:47:00
Date:	01/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=1800,i,5224496107934403145,5816890975472559302,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	7588
Target ID:	5
Parent PID:	7372
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=1800,i,5224496107934403145,5816890975472559302,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	15:47:00
Date:	01/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://193.163.7.88/a69d09b357e06b52.php

http://crl.certum.pl/ctsca2021.crl0o

unknown

http://repository.certum.pl/ctnca.cer09

unknown

http://www.vmware.com/0

unknown

http://www.broofa.com

unknown

http://crl.certum.pl/ctnca.crl0k

unknown

https://aka.ms/dotnet/app-launch-failedWould

unknown

https://aka.ms/dotnet-core-applaunch?Architecture:

unknown

http://www.vmware.com/0/

unknown

http://ccsca2021.crl.certum.pl/ccsca2021.crl0s

unknown

https://www.google.com/async/newtab_promos

64.233.180.99

https://aka.ms/dotnet/app-launch-failed

unknown

https://www.certum.pl/CPS0

unknown

http://c0rl.m%L

unknown

http://www.symauth.com/cps0(

unknown

https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1

unknown

http://repository.certum.pl/ccsca2021.cer0

unknown

https://aka.ms/dotnet-core-applaunch?

unknown

https://plus.google.com

unknown

https://www.google.com/async/ddljson?async=ntp:2

64.233.180.99

https://play.google.com/log?format=json&hasfast=true

unknown

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

64.233.180.99

http://repository.certum.pl/ctsca2021.cer0

unknown

https://csp.withgoogle.com/csp/lcreport/

unknown

http://subca.ocsp-certum.com05

unknown

http://www.symauth.com/rpa00

unknown

http://subca.ocsp-certum.com02

unknown

http://subca.ocsp-certum.com01

unknown

http://www.info-zip.org/

unknown

http://crl.certum.pl/ctnca2.crl0l

unknown

http://repository.certum.pl/ctnca2.cer09

unknown

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

64.233.180.99

http://ccsca2021.ocsp-certum.com05

unknown

https://apis.google.com

unknown

http://crl3.digicert.

unknown

http://www.certum.pl/CPS0

unknown

https://domains.google.com/suggest/flow

unknown

https://clients6.google.com

unknown

There are 28 hidden URLs, click here to show them.

Domains

Name

Malicious

plus.l.google.com

142.251.16.100

www.google.com

64.233.180.99

Details

Name:	www.google.com
IP:	64.233.180.99
TargetID:	5
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

apis.google.com

unknown

Details

Name:	apis.google.com
TargetID:	5
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

239.255.255.250

unknown

Reserved

192.168.2.4

unknown

64.233.180.99

www.google.com

United States

192.168.2.6

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

38E0000

direct allocation

page read and write

791000

unkown

page execute and write copy

5875000

trusted library allocation

page read and write

503E000

direct allocation

page read and write

384F000

unkown

page read and write

4ABE000

stack

page read and write

3950000

unkown

page read and write

34E0000

unkown

page read and write

53A1000

unkown

page read and write

3B4000

heap

page read and write

2940000

heap

page read and write

58BD000

trusted library allocation

page read and write

7A4000

unkown

page readonly

4FC9000

direct allocation

page read and write

33C4000

unkown

page read and write

3B4000

heap

page read and write

3B4000

heap

page read and write

352E000

unkown

page read and write

33C4000

unkown

page read and write

2C3E000

stack

page read and write

33C0000

heap

page read and write

4C67000

heap

page read and write

5E03000

unkown

page read and write

2F20000

heap

page read and write

4B44000

heap

page read and write

7A4000

unkown

page readonly

29C3000

heap

page read and write

3905000

direct allocation

page read and write

4860000

heap

page read and write

6ED000

unkown

page write copy

6D1000

unkown

page execute read

9CB000

unkown

page write copy

33B0000

heap

page read and write

3530000

direct allocation

page read and write

33C000

stack

page read and write

3B4000

heap

page read and write

5513000

heap

page read and write

548D000

unkown

page read and write

2EBD000

stack

page read and write

3390000

heap

page read and write

6E5000

unkown

page readonly

4669000

heap

page read and write

3B4000

heap

page read and write

2F30000

heap

page read and write

6E5000

unkown

page readonly

2A04000

heap

page read and write

3B0000

heap

page read and write

5D01000

unkown

page read and write

9C6000

unkown

page readonly

5950000

direct allocation

page read and write

3954000

unkown

page read and write

3380000

unkown

page readonly

33C4000

unkown

page read and write

6EE000

unkown

page readonly

5662000

unkown

page read and write

5A7D000

direct allocation

page read and write

294E000

heap

page read and write

3390000

unkown

page readonly

4561000

heap

page read and write

3920000

heap

page read and write

3240000

trusted library allocation

page read and write

3C0000

heap

page read and write

335A000

stack

page read and write

3B4000

heap

page read and write

6ED000

unkown

page read and write

33C4000

unkown

page read and write

5636000

heap

page read and write

7B3000

unkown

page write copy

33C4000

unkown

page read and write

51D2000

unkown

page read and write

374F000

unkown

page read and write

3A0000

heap

page read and write

5510000

unkown

page read and write

4560000

heap

page read and write

3557000

heap

page read and write

5D01000

unkown

page read and write

33C4000

unkown

page read and write

4F49000

trusted library allocation

page read and write

33C4000

unkown

page read and write

6EE000

unkown

page readonly

3550000

heap

page read and write

34DE000

unkown

page read and write

4561000

heap

page read and write

3B4000

heap

page read and write

3B4000

heap

page read and write

7AB000

unkown

page readonly

293C000

stack

page read and write

4F4D000

trusted library allocation

page read and write

4AC1000

heap

page read and write

33A0000

unkown

page readonly

6D0000

unkown

page readonly

30F0000

heap

page read and write

5AEE000

direct allocation

page read and write

325C000

stack

page read and write

561A000

unkown

page read and write

3955000

unkown

page read and write

5E0C000

unkown

page read and write

5D00000

unkown

page read and write

4FBE000

trusted library allocation

page read and write

33C4000

unkown

page read and write

4EA0000

direct allocation

page read and write

3B4000

heap

page read and write

4FCD000

direct allocation

page read and write

2F40000

heap

page read and write

5A79000

direct allocation

page read and write

2DBE000

stack

page read and write

4E20000

trusted library allocation

page read and write

480A000

heap

page read and write

6D1000

unkown

page execute read

3288000

trusted library allocation

page read and write

30F8000

heap

page read and write

294A000

heap

page read and write

3B4000

heap

page read and write

33C4000

unkown

page read and write

493E000

stack

page read and write

3370000

heap

page read and write

4BE4000

heap

page read and write

3565000

heap

page read and write

3E0000

heap

page read and write

2A7E000

stack

page read and write

52F5000

unkown

page read and write

2E7C000

stack

page read and write

6D0000

unkown

page readonly

3B4000

heap

page read and write

4763000

heap

page read and write

3B4000

heap

page read and write

3B4000

heap

page read and write

2BFF000

stack

page read and write

2A0B000

heap

page read and write

3B4000

heap

page read and write

There are 120 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
BCb8yQ0fg8.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportBCb8yQ0fg8.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
BCb8yQ0fg8.exe