Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\to.exe

"C:\Users\user\Desktop\to.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6576
Target ID:	0
Parent PID:	2580
Name:	to.exe
Path:	C:\Users\user\Desktop\to.exe
Commandline:	"C:\Users\user\Desktop\to.exe"
Size:	628736
MD5:	6DC33BA531FCE8C8EE24585F48D14297
Time:	16:07:52
Date:	22/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x100000
Modulesize:	655360
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected CobaltStrike	Remote Access Functionality
Machine Learning detection for sample	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6604
Target ID:	1
Parent PID:	6576
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	16:07:52
Date:	22/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

138.68.79.95

Details

Name:	138.68.79.95
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\to.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

http://138.68.79.95:4545/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6h

unknown

http://138.68.79.95:4545/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6

unknown

http://138.68.79.95:4545/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6p

unknown

http://138.68.79.95:4545/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6b

unknown

http://138.68.79.95:4545/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6Cryptographic

unknown

http://138.68.79.95:4545/messages/EUZe0uldTA2AbkYWRhTDDfV6zreju6.

unknown

Domains

Name

Malicious

171.39.242.20.in-addr.arpa

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

12513000

trusted library allocation

page read and write

2241000

direct allocation

page read and write

2270000

direct allocation

page execute read

550000

heap

page read and write

19C000

unkown

page readonly

B50000

trusted library allocation

page read and write

7FFD9B846000

trusted library allocation

page execute and read and write

4F6000

stack

page read and write

6A2000

heap

page read and write

7FFD9B76D000

trusted library allocation

page execute and read and write

6BA000

heap

page read and write

23C1000

trusted library allocation

page read and write

7FFD9B78D000

trusted library allocation

page execute and read and write

650000

heap

page read and write

225A000

direct allocation

page read and write

2260000

direct allocation

page read and write

6D5000

heap

page read and write

5C5000

heap

page read and write

1B4B4000

heap

page read and write

7FFD9B810000

trusted library allocation

page read and write

123C9000

trusted library allocation

page read and write

60E000

heap

page read and write

2257000

direct allocation

page read and write

1B4AD000

stack

page read and write

7FFD9B820000

trusted library allocation

page execute and read and write

616000

heap

page read and write

5C0000

heap

page read and write

1AD90000

heap

page execute and read and write

6D1000

heap

page read and write

1A94D000

stack

page read and write

225D000

direct allocation

page read and write

1B4B0000

heap

page read and write

2262000

direct allocation

page read and write

7FFD9B770000

trusted library allocation

page read and write

530000

heap

page read and write

2200000

heap

page execute and read and write

7FFD9B77D000

trusted library allocation

page execute and read and write

656000

heap

page read and write

621000

heap

page read and write

2210000

direct allocation

page execute read

7FFD9B764000

trusted library allocation

page read and write

2271000

direct allocation

page execute and read and write

1B3AB000

stack

page read and write

658000

heap

page read and write

570000

heap

page read and write

123C1000

trusted library allocation

page read and write

1B1AE000

stack

page read and write

7FFD9B774000

trusted library allocation

page read and write

102000

unkown

page readonly

123C7000

trusted library allocation

page read and write

23BE000

stack

page read and write

123C3000

trusted library allocation

page read and write

520000

heap

page read and write

100000

unkown

page readonly

5E0000

heap

page read and write

B63000

trusted library allocation

page read and write

B60000

trusted library allocation

page read and write

5D0000

trusted library allocation

page read and write

22B0000

heap

page read and write

B75000

heap

page read and write

7FFD9B880000

trusted library allocation

page execute and read and write

5EC000

heap

page read and write

1B0AF000

stack

page read and write

1B4C6000

heap

page read and write

6CF000

heap

page read and write

6BC000

heap

page read and write

7FFD9B780000

trusted library allocation

page read and write

1B2AE000

stack

page read and write

7FFD9B7BC000

trusted library allocation

page execute and read and write

5E6000

heap

page read and write

100000

unkown

page readonly

7FFD9B772000

trusted library allocation

page read and write

1AD8E000

stack

page read and write

6D3000

heap

page read and write

624000

heap

page read and write

B70000

heap

page read and write

7FF4F2980000

trusted library allocation

page execute and read and write

628000

heap

page read and write

There are 68 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
to.exe

Processes

URLs

Domains

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportto.exe

Processes

URLs

Domains

Memdumps

IOC Report
to.exe