Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\ent.exe

"C:\Users\user\Desktop\ent.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7488
Target ID:	0
Parent PID:	2580
Name:	ent.exe
Path:	C:\Users\user\Desktop\ent.exe
Commandline:	"C:\Users\user\Desktop\ent.exe"
Size:	45056
MD5:	211661398474B9C96A1D704823D0E552
Time:	19:05:51
Date:	03/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x670000
Modulesize:	73728
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample uses string decryption to hide its real strings	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://pastebin.com/raw/XzLzRHpk

172.67.19.24

Details

Name:	https://pastebin.com/raw/XzLzRHpk
IP:	172.67.19.24
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\ent.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\ent.exe
Source:	ent.exe, 00000000.00000002.4091153100.0000000002961000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

0.tcp.eu.ngrok.io

3.124.142.205

Details

Name:	0.tcp.eu.ngrok.io
IP:	3.124.142.205
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

pastebin.com

172.67.19.24

Details

Name:	pastebin.com
IP:	172.67.19.24
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Connects to a pastebin service (likely for C&C)	Networking	Web Service
Sample uses string decryption to hide its real strings	AV Detection
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

3.124.142.205

0.tcp.eu.ngrok.io

United States

Details

IP:	3.124.142.205
TargetID:	0
Current Path:	C:\Users\user\Desktop\ent.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false
Domain:	0.tcp.eu.ngrok.io

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

172.67.19.24

pastebin.com

United States

Details

IP:	172.67.19.24
TargetID:	0
Current Path:	C:\Users\user\Desktop\ent.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	pastebin.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ent_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ent_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ent_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ent_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ent_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ent_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ent_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ent_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ent_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ent_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ent_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ent_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ent_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ent_RASMANCS

FileDirectory

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

672000

unkown

page readonly

29AB000

trusted library allocation

page read and write

B30000

heap

page read and write

7FFD9B904000

trusted library allocation

page read and write

27C0000

heap

page read and write

C1D000

heap

page read and write

2783000

trusted library allocation

page read and write

7FFD9BAD0000

trusted library allocation

page read and write

12961000

trusted library allocation

page read and write

1B5F3000

heap

page read and write

1BF80000

heap

page read and write

2760000

trusted library allocation

page read and write

2C6C000

trusted library allocation

page read and write

1B570000

heap

page read and write

B10000

heap

page read and write

7FFD9B9B0000

trusted library allocation

page read and write

7FFD9B924000

trusted library allocation

page read and write

7FFD9BAC0000

trusted library allocation

page execute and read and write

1BA6F000

stack

page read and write

A10000

heap

page read and write

7FFD9B900000

trusted library allocation

page read and write

7FFD9BA20000

trusted library allocation

page execute and read and write

295E000

stack

page read and write

1C34E000

stack

page read and write

BD4000

heap

page read and write

27B0000

heap

page execute and read and write

DA0000

heap

page read and write

1B46E000

stack

page read and write

7FFD9B903000

trusted library allocation

page execute and read and write

C61000

heap

page read and write

B9C000

heap

page read and write

B96000

heap

page read and write

29E5000

trusted library allocation

page read and write

BFE000

heap

page read and write

7FFD9B92B000

trusted library allocation

page execute and read and write

1A960000

trusted library allocation

page read and write

1C84C000

stack

page read and write

7FFD9B9E6000

trusted library allocation

page execute and read and write

C64000

heap

page read and write

1C44C000

stack

page read and write

1B86C000

stack

page read and write

2AFA000

trusted library allocation

page read and write

7FFD9B910000

trusted library allocation

page read and write

670000

unkown

page readonly

1BC6E000

stack

page read and write

1B56C000

stack

page read and write

1BE64000

stack

page read and write

1B628000

heap

page read and write

7FFD9BAB0000

trusted library allocation

page execute and read and write

C09000

heap

page read and write

7FFD9B90D000

trusted library allocation

page execute and read and write

EAE000

stack

page read and write

CCE000

stack

page read and write

C00000

heap

page read and write

7FFD9B920000

trusted library allocation

page read and write

2C70000

trusted library allocation

page read and write

2850000

heap

page execute and read and write

FAD000

stack

page read and write

1B96E000

stack

page read and write

7FFD9B92D000

trusted library allocation

page execute and read and write

1B5BF000

heap

page read and write

1BF70000

heap

page read and write

C03000

heap

page read and write

7FFD9BAA2000

trusted library allocation

page read and write

7FFD9B91D000

trusted library allocation

page execute and read and write

1B5C1000

heap

page read and write

2961000

trusted library allocation

page read and write

7FFD9BAD2000

trusted library allocation

page read and write

D90000

trusted library allocation

page read and write

B75000

heap

page read and write

1B624000

heap

page read and write

1ACEE000

heap

page read and write

7FFD9B9C0000

trusted library allocation

page execute and read and write

1BD6A000

stack

page read and write

B70000

heap

page read and write

7FFD9B95C000

trusted library allocation

page execute and read and write

1296F000

trusted library allocation

page read and write

AF0000

heap

page read and write

BBC000

heap

page read and write

7C4000

stack

page read and write

7FFD9B913000

trusted library allocation

page read and write

67E000

unkown

page readonly

B90000

heap

page read and write

1AEED000

stack

page read and write

27C3000

heap

page read and write

7FF4E8190000

trusted library allocation

page execute and read and write

7FFD9B9BC000

trusted library allocation

page execute and read and write

DA5000

heap

page read and write

2770000

heap

page read and write

7FFD9B9B6000

trusted library allocation

page read and write

C26000

heap

page read and write

670000

unkown

page readonly

1B76C000

stack

page read and write

29E7000

trusted library allocation

page read and write

1C54A000

stack

page read and write

BD1000

heap

page read and write

1B5F1000

heap

page read and write

2780000

trusted library allocation

page read and write

There are 88 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ent.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportent.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
ent.exe