Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://103.150.10.45:8443/" > cmdline.out 2>&1

Details

Is windows:	true
Is dropped:	false
PID:	7028
Target ID:	0
Parent PID:	3620
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://103.150.10.45:8443/" > cmdline.out 2>&1
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	05:22:01
Date:	06/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5608
Target ID:	1
Parent PID:	7028
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	05:22:01
Date:	06/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\wget.exe

wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://103.150.10.45:8443/"

Details

Is windows:	true
Is dropped:	false
PID:	6344
Target ID:	2
Parent PID:	7028
Name:	wget.exe
Path:	C:\Windows\SysWOW64\wget.exe
Commandline:	wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://103.150.10.45:8443/"
Size:	3895184
MD5:	3DADB6E2ECE9C4B3E1E322E617658B60
Time:	05:22:02
Date:	06/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	3956736
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///

Details

Is windows:	true
Is dropped:	false
PID:	3168
Target ID:	3
Parent PID:	1928
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	05:22:07
Date:	06/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=2052,i,1206108902238518992,8905996449890180929,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	3384
Target ID:	5
Parent PID:	3168
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=2052,i,1206108902238518992,8905996449890180929,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	05:22:07
Date:	06/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://103.150.10.45:8443/

unknown

https://www.google.com/async/ddljson?async=ntp:2

192.178.50.36

https://www.google.com/async/newtab_promos

192.178.50.36

https://103.150.10.45:8443/2

unknown

https://103.150.10.45:8443/l64

unknown

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

192.178.50.36

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

192.178.50.36

https://103.150.10.45:8443/?

unknown

https://103.150.10.45:8443/es

unknown

Domains

Name

Malicious

plus.l.google.com

142.250.217.206

www.google.com

192.178.50.36

Details

Name:	www.google.com
IP:	192.178.50.36
TargetID:	5
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

apis.google.com

unknown

IPs

Domain

Country

Malicious

103.150.10.45

unknown

Details

IP:	103.150.10.45
TargetID:	2
Current Path:	C:\Windows\SysWOW64\wget.exe
ASN number:	59253
ASN name:	LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

192.178.50.36

www.google.com

United States

239.255.255.250

unknown

Reserved

Memdumps

Base Address

Regiontype

Protect

Malicious

B62000

heap

page read and write

1E0000

heap

page read and write

A4E000

stack

page read and write

B5F000

heap

page read and write

C90000

heap

page read and write

C98000

heap

page read and write

B5A000

heap

page read and write

138C000

heap

page read and write

2EDF000

stack

page read and write

B10000

heap

page read and write

B2B000

heap

page read and write

B56000

heap

page read and write

138B000

heap

page read and write

B2D000

heap

page read and write

1380000

heap

page read and write

118F000

stack

page read and write

B16000

heap

page read and write

A50000

heap

page read and write

100000

heap

page read and write

1385000

heap

page read and write

B20000

heap

page read and write

A0E000

stack

page read and write

ABE000

stack

page read and write

F8F000

stack

page read and write

B63000

heap

page read and write

A60000

heap

page read and write

B5A000

heap

page read and write

9CD000

stack

page read and write

B60000

heap

page read and write

B5F000

heap

page read and write

B56000

heap

page read and write

138E000

heap

page read and write

138D000

heap

page read and write

9C000

stack

page read and write

There are 24 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
https://103.150.10.45:8443/

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttps://103.150.10.45:8443/

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
https://103.150.10.45:8443/