Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	7.009704680519339
Filename:	T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe
Filesize:	2070528
MD5:	456442e5615445a54f15eae38140c50a
SHA1:	f81074ce9855601a33b97fb357fbee1bbdd7fcf6
SHA256:	0eca094ac422e8d7b0b58532b5a1fb7a59b4cc6cb6bbe1ec49259ebf10522ae5
SHA512:	b69f617e0deb48af12f230dcf016211f94eea612f364357d84e96499f61b1bdc028cca43bbfa7f8f169b2645f6f6d6f243671e4c10ab2080f9c5896b45bc8ed0
SSDEEP:	24576:oynjN3fi9dEoZR814OEQjls30eTFxmT4i8eMOq52jOXuq01dKqOFWYuO:ZjN3CdJ81nEQhs30e1uqsrOFA
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6c.IW._IW._IW._O..^EW._O..^XW._O..^gW._@/._GW._./.^BW._IW._IV._.+.^BW._.+.^.W._IW._KW._#..^HW._#.._HW._#..^HW._RichIW._.......

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection	Access Token Manipulation
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for dropped file	AV Detection	Access Token Manipulation
Multi AV Scanner detection for submitted file	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Drops PE files to the user root directory	Boot Survival
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates processes with suspicious names	Persistence and Installation Behavior
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to register its own exception handler	Anti Debugging
Creates files inside the user directory	System Summary
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe

PE32+ executable (console) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe
Category:	dropped
Dump:	T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe
Type:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	7.009704680519339
Encrypted:	false
Ssdeep:	24576:oynjN3fi9dEoZR814OEQjls30eTFxmT4i8eMOq52jOXuq01dKqOFWYuO:ZjN3CdJ81nEQhs30e1uqsrOFA
Size:	2070528
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected UAC Bypass using CMSTP	Exploits
Drops PE files to the user root directory	Boot Survival	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe:Zone.Identifier

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe:Zone.Identifier
Category:	modified
Dump:	T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe_Zone.Identifier.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe

"C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe"

Details

Is windows:	false
Is dropped:	false
PID:	6548
Target ID:	0
Parent PID:	1028
Name:	T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe
Path:	C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe
Commandline:	"C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe"
Size:	2070528
MD5:	456442E5615445A54F15EAE38140C50A
Time:	09:12:50
Date:	23/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff77c310000
Modulesize:	2469888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Drops PE files to the user root directory	Boot Survival	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Creates files inside the user directory	System Summary	Masquerading
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6368
Target ID:	3
Parent PID:	6548
Name:	jsc.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Size:	47584
MD5:	94C8E57A80DFCA2482DEDB87B93D4FD9
Time:	09:12:51
Date:	23/05/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xe20000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5972
Target ID:	1
Parent PID:	6548
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:12:50
Date:	23/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidX

unknown

http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY

unknown

https://sectigo.com/CPS0

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid

unknown

https://account.dyn.com/

unknown

https://aka.ms/dotnet-warnings/

unknown

http://ocsp.sectigo.com0

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://cp8nl.hyperhost.ua

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameX

unknown

There are 1 hidden URLs, click here to show them.

Domains

Name

Malicious

cp8nl.hyperhost.ua

185.174.175.187

Details

Name:	cp8nl.hyperhost.ua
IP:	185.174.175.187
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

185.174.175.187

cp8nl.hyperhost.ua

Ukraine

Details

IP:	185.174.175.187
TargetID:	3
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Country:	Ukraine
Countrycode:	UKR
ASN number:	21100
ASN name:	ITLDC-NLUA
Private:	false
Domain:	cp8nl.hyperhost.ua

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

402000

remote allocation

page execute and read and write

7FF77C48D000

unkown

page readonly

7FF77C48D000

unkown

page readonly

7FF77C43D000

unkown

page read and write

328E000

trusted library allocation

page read and write

286E183A000

direct allocation

page read and write

32B9000

trusted library allocation

page read and write

3241000

trusted library allocation

page read and write

1325000

heap

page read and write

1710000

trusted library allocation

page read and write

1704000

trusted library allocation

page read and write

1703000

trusted library allocation

page execute and read and write

286DD230000

heap

page read and write

6500000

trusted library allocation

page read and write

31A1000

trusted library allocation

page read and write

157E000

heap

page read and write

573E000

stack

page read and write

5D0C000

trusted library allocation

page read and write

FB9000

stack

page read and write

7FF77C50A000

unkown

page read and write

EBA000

stack

page read and write

32A9000

trusted library allocation

page read and write

31F3000

heap

page read and write

8E611FF000

stack

page read and write

32B5000

trusted library allocation

page read and write

286E1000000

direct allocation

page read and write

8E612FE000

stack

page read and write

3186000

trusted library allocation

page read and write

31D0000

trusted library allocation

page read and write

1730000

trusted library allocation

page read and write

5B5E000

stack

page read and write

286DCEA0000

heap

page read and write

4269000

trusted library allocation

page read and write

1220000

heap

page read and write

1726000

trusted library allocation

page execute and read and write

286DCFA0000

heap

page read and write

154D000

heap

page read and write

286DD006000

heap

page read and write

2C773380000

heap

page read and write

7FF77C311000

unkown

page execute read

5D00000

trusted library allocation

page read and write

32A7000

trusted library allocation

page read and write

3180000

trusted library allocation

page read and write

17D0000

heap

page read and write

1700000

trusted library allocation

page read and write

328C000

trusted library allocation

page read and write

7FF77C311000

unkown

page execute read

173B000

trusted library allocation

page execute and read and write

7FF77C310000

unkown

page readonly

6520000

trusted library allocation

page execute and read and write

677D000

stack

page read and write

56BC000

stack

page read and write

286DCEC0000

heap

page read and write

6680000

heap

page read and write

171D000

trusted library allocation

page execute and read and write

6C7E000

stack

page read and write

7F820000

trusted library allocation

page execute and read and write

595C000

stack

page read and write

286E1400000

direct allocation

page read and write

15C5000

heap

page read and write

2C6F287F000

direct allocation

page read and write

56FE000

stack

page read and write

14E8000

heap

page read and write

1760000

trusted library allocation

page execute and read and write

6620000

trusted library allocation

page read and write

1737000

trusted library allocation

page execute and read and write

31C0000

trusted library allocation

page read and write

5760000

heap

page read and write

31AD000

trusted library allocation

page read and write

286DCFAC000

heap

page read and write

656E000

stack

page read and write

31A6000

trusted library allocation

page read and write

6640000

heap

page read and write

8E610F9000

stack

page read and write

1300000

heap

page read and write

31B2000

trusted library allocation

page read and write

7FF77C518000

unkown

page readonly

286DCDC0000

heap

page read and write

6D7E000

stack

page read and write

286DCFA6000

heap

page read and write

6EC0000

heap

page read and write

6516000

trusted library allocation

page read and write

317C000

stack

page read and write

14E0000

heap

page read and write

42A7000

trusted library allocation

page read and write

5B9D000

stack

page read and write

30A8000

trusted library allocation

page read and write

286DCFBA000

heap

page read and write

319A000

trusted library allocation

page read and write

6630000

trusted library allocation

page read and write

1732000

trusted library allocation

page read and write

1770000

heap

page read and write

400000

remote allocation

page execute and read and write

4241000

trusted library allocation

page read and write

286DCEF0000

direct allocation

page read and write

6570000

trusted library allocation

page execute and read and write

16F0000

trusted library allocation

page read and write

1720000

trusted library allocation

page read and write

1515000

heap

page read and write

1735000

trusted library allocation

page execute and read and write

660E000

stack

page read and write

14B0000

heap

page read and write

17C0000

trusted library allocation

page read and write

172A000

trusted library allocation

page execute and read and write

7FF77C310000

unkown

page readonly

6510000

trusted library allocation

page read and write

1561000

heap

page read and write

5A5E000

stack

page read and write

5748000

trusted library allocation

page read and write

5740000

trusted library allocation

page read and write

5C9E000

stack

page read and write

7FF77C518000

unkown

page readonly

318B000

trusted library allocation

page read and write

18F0000

heap

page read and write

286E416B000

direct allocation

page read and write

31F0000

heap

page read and write

6F10000

heap

page read and write

533D000

stack

page read and write

32C1000

trusted library allocation

page read and write

1320000

heap

page read and write

1722000

trusted library allocation

page read and write

18E0000

trusted library allocation

page read and write

147E000

stack

page read and write

2C6E685A000

direct allocation

page read and write

7FF77C510000

unkown

page read and write

3192000

trusted library allocation

page read and write

3230000

heap

page execute and read and write

286DEC00000

direct allocation

page read and write

318E000

trusted library allocation

page read and write

137E000

unkown

page read and write

17BE000

stack

page read and write

1518000

heap

page read and write

286E4B6B000

direct allocation

page read and write

150B000

heap

page read and write

8E613FF000

stack

page read and write

319E000

trusted library allocation

page read and write

286E0C00000

direct allocation

page read and write

18DE000

stack

page read and write

286E3800000

direct allocation

page read and write

1750000

trusted library allocation

page read and write

2C773449000

heap

page read and write

286DCF00000

direct allocation

page read and write

697D000

stack

page read and write

6617000

trusted library allocation

page read and write

15B4000

heap

page read and write

5750000

heap

page execute and read and write

7FF77C50A000

unkown

page write copy

6ED0000

trusted library allocation

page execute and read and write

286DCFFE000

heap

page read and write

6656000

heap

page read and write

2C773470000

heap

page read and write

6610000

trusted library allocation

page read and write

170D000

trusted library allocation

page execute and read and write

There are 143 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportT#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe