Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\8yprhxqBVs.exe

"C:\Users\user\Desktop\8yprhxqBVs.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7412
Target ID:	0
Parent PID:	2580
Name:	8yprhxqBVs.exe
Path:	C:\Users\user\Desktop\8yprhxqBVs.exe
Commandline:	"C:\Users\user\Desktop\8yprhxqBVs.exe"
Size:	6253568
MD5:	7ACC6AAA73AD3BB7B36771F3C9311A0C
Time:	00:37:58
Date:	29/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe80000
Modulesize:	9969664
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

cooperatvassquaidmew.xyzn

grandcommonyktsju.xyz

exuberanttjdkwo.xyz

qualificationjdwko.xyz

wordingnatturedowo.xyz

deadtrainingactioniw.xyzn

crisisrottenyjs.xyz

sweetcalcutangkdow.xyz

https://sweetcalcutangkdow.xyz/

unknown

https://cooperatvassquaidmew.xyz/

unknown

https://crisisrottenyjs.xyz/SOR

unknown

https://qualificationjdwko.xyz/api

unknown

https://sweetcalcutangkdow.xyz/api

unknown

https://turbosms.ua

unknown

https://deadtrainingactioniw.xyz/api

unknown

https://deadtrainingactioniw.xyz:443/api

unknown

https://qualificationjdwko.xyz/

unknown

https://wordingnatturedowo.xyz/

unknown

https://crisisrottenyjs.xyz/api

unknown

https://deadtrainingactioniw.xyz/

unknown

https://wordingnatturedowo.xyz/apisX

unknown

https://exuberanttjdkwo.xyz/es(

unknown

https://qualificationjdwko.xyz/api4

unknown

https://wordingnatturedowo.xyz/api

unknown

https://qualificationjdwko.xyz/a

unknown

https://deadtrainingactioniw.xyz/)G4

unknown

https://deadtrainingactioniw.xyz/api(

unknown

https://grandcommonyktsju.xyz/B

unknown

There are 18 hidden URLs, click here to show them.

Domains

Name

Malicious

qualificationjdwko.xyz

unknown

Details

Name:	qualificationjdwko.xyz
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Performs DNS queries to domains with low reputation	Networking
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

crisisrottenyjs.xyz

unknown

Details

Name:	crisisrottenyjs.xyz
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Performs DNS queries to domains with low reputation	Networking
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

deadtrainingactioniw.xyz

unknown

Details

Name:	deadtrainingactioniw.xyz
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Performs DNS queries to domains with low reputation	Networking
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

grandcommonyktsju.xyz

unknown

Details

Name:	grandcommonyktsju.xyz
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Performs DNS queries to domains with low reputation	Networking
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

cooperatvassquaidmew.xyz

unknown

Details

Name:	cooperatvassquaidmew.xyz
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Performs DNS queries to domains with low reputation	Networking
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

sweetcalcutangkdow.xyz

unknown

Details

Name:	sweetcalcutangkdow.xyz
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Performs DNS queries to domains with low reputation	Networking
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

wordingnatturedowo.xyz

unknown

Details

Name:	wordingnatturedowo.xyz
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Performs DNS queries to domains with low reputation	Networking
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

exuberanttjdkwo.xyz

unknown

Details

Name:	exuberanttjdkwo.xyz
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Performs DNS queries to domains with low reputation	Networking
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

EBB000

unkown

page readonly

39BE000

stack

page read and write

E81000

unkown

page execute read

35EE000

stack

page read and write

179F000

unkown

page readonly

B5C000

stack

page read and write

34ED000

stack

page read and write

195B000

heap

page read and write

194B000

heap

page read and write

1958000

heap

page read and write

366E000

stack

page read and write

EBE000

unkown

page read and write

E80000

unkown

page readonly

1961000

heap

page read and write

1CEE000

stack

page read and write

BC0000

heap

page read and write

39D0000

remote allocation

page read and write

197A000

heap

page read and write

192A000

heap

page read and write

1966000

heap

page read and write

11B0000

unkown

page read and write

1974000

heap

page read and write

1971000

heap

page read and write

1BEF000

stack

page read and write

362D000

stack

page read and write

198B000

heap

page read and write

BC5000

heap

page read and write

1965000

heap

page read and write

190C000

stack

page read and write

39D0000

remote allocation

page read and write

1992000

heap

page read and write

198E000

heap

page read and write

1920000

heap

page read and write

197D000

heap

page read and write

1974000

heap

page read and write

11B1000

unkown

page execute read

ED0000

unkown

page execute read

39D0000

remote allocation

page read and write

BD0000

heap

page read and write

1948000

heap

page read and write

E3E000

stack

page read and write

38BE000

stack

page read and write

11B0000

unkown

page write copy

17A8000

unkown

page readonly

1992000

heap

page read and write

3490000

trusted library allocation

page read and write

E7E000

stack

page read and write

1986000

heap

page read and write

1943000

heap

page read and write

377D000

stack

page read and write

192E000

heap

page read and write

1994000

heap

page read and write

3E5E000

stack

page read and write

BE0000

heap

page read and write

1952000

heap

page read and write

387F000

stack

page read and write

1987000

heap

page read and write

1952000

heap

page read and write

3670000

heap

page read and write

3D5D000

stack

page read and write

3490000

heap

page read and write

There are 51 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
8yprhxqBVs.exe

Processes

URLs

Domains

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report8yprhxqBVs.exe

Processes

URLs

Domains

Memdumps

IOC Report
8yprhxqBVs.exe