Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.17272.18065.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.17272.18065.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6652
Target ID:	0
Parent PID:	2580
Name:	SecuriteInfo.com.Win32.Evo-gen.17272.18065.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.17272.18065.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.17272.18065.exe"
Size:	578048
MD5:	BAB05624883FC9D5FE21F6E26C509C80
Time:	22:22:46
Date:	04/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xfd0000
Modulesize:	540590
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6676
Target ID:	1
Parent PID:	6652
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	22:22:47
Date:	04/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x760000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

plaintediousidowsko.shop

acceptabledcooeprs.shop

zippyfinickysofwps.shop

pearcyworkeronej.shop

boredimperissvieos.shop

obsceneclassyjuwks.shop

sweetsquarediaslw.shop

holicisticscrarws.shop

miniaturefinerninewjs.shop

https://pearcyworkeronej.shop/api

172.67.131.204

https://pearcyworkeronej.shop/apibu4

unknown

https://pearcyworkeronej.shop/

unknown

https://pearcyworkeronej.shop:443/api

unknown

https://pearcyworkeronej.shop/s

unknown

There are 4 hidden URLs, click here to show them.

Domains

Name

Malicious

pearcyworkeronej.shop

172.67.131.204

Details

Name:	pearcyworkeronej.shop
IP:	172.67.131.204
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

172.67.131.204

pearcyworkeronej.shop

United States

Details

IP:	172.67.131.204
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	pearcyworkeronej.shop

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

FFD000

unkown

page read and write

E67000

heap

page read and write

306E000

stack

page read and write

FD1000

unkown

page execute read

E5C000

heap

page read and write

DE0000

heap

page read and write

1150000

heap

page read and write

FD0000

unkown

page readonly

E71000

heap

page read and write

9FC000

stack

page read and write

296D000

stack

page read and write

ECA000

heap

page read and write

2F6E000

stack

page read and write

EBF000

heap

page read and write

2E2E000

stack

page read and write

144E000

stack

page read and write

FFD000

unkown

page write copy

E1A000

heap

page read and write

1053000

unkown

page execute and read and write

E3B000

heap

page read and write

292E000

stack

page read and write

A3B000

stack

page read and write

E75000

heap

page read and write

1051000

unkown

page readonly

282E000

stack

page read and write

ED0000

heap

page read and write

400000

remote allocation

page execute and read and write

FD1000

unkown

page execute read

EE1000

heap

page read and write

DDE000

stack

page read and write

B70000

heap

page read and write

30BC000

trusted library allocation

page read and write

115A000

heap

page read and write

E30000

heap

page read and write

2CE0000

heap

page read and write

115E000

heap

page read and write

2A6E000

stack

page read and write

1051000

unkown

page readonly

EBE000

stack

page read and write

26ED000

stack

page read and write

F0B000

heap

page read and write

3520000

heap

page read and write

E5F000

heap

page read and write

33DF000

stack

page read and write

E53000

heap

page read and write

E10000

heap

page read and write

EED000

heap

page read and write

E45000

heap

page read and write

FF3000

unkown

page readonly

C50000

heap

page read and write

FD0000

unkown

page readonly

32DE000

stack

page read and write

FFF000

unkown

page write copy

C90000

heap

page read and write

104F000

unkown

page execute and read and write

1053000

unkown

page execute and read and write

2F2F000

stack

page read and write

EDB000

heap

page read and write

3114000

trusted library allocation

page read and write

D50000

heap

page read and write

E7E000

stack

page read and write

457000

remote allocation

page execute and read and write

B39000

stack

page read and write

134F000

stack

page read and write

CFD000

stack

page read and write

CDD000

stack

page read and write

3080000

trusted library allocation

page read and write

3180000

heap

page read and write

C55000

heap

page read and write

FF3000

unkown

page readonly

C60000

heap

page read and write

27ED000

stack

page read and write

There are 62 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Win32.Evo-gen.17272.18065.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Win32.Evo-gen.17272.18065.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
SecuriteInfo.com.Win32.Evo-gen.17272.18065.exe