Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Build.exe

"C:\Users\user\Desktop\Build.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6356
Target ID:	0
Parent PID:	2580
Name:	Build.exe
Path:	C:\Users\user\Desktop\Build.exe
Commandline:	"C:\Users\user\Desktop\Build.exe"
Size:	144384
MD5:	19E47B9ABF123F4502545A5FCB43C855
Time:	19:28:55
Date:	29/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x320000
Modulesize:	172032
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C taskkill /F /PID 6356 && choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Build.exe"

Details

Is windows:	true
Is dropped:	false
PID:	4444
Target ID:	2
Parent PID:	6356
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"cmd.exe" /C taskkill /F /PID 6356 && choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Build.exe"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	19:29:17
Date:	29/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3980
Target ID:	3
Parent PID:	4444
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	19:29:17
Date:	29/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /PID 6356

Details

Is windows:	true
Is dropped:	false
PID:	4476
Target ID:	4
Parent PID:	4444
Name:	taskkill.exe
Path:	C:\Windows\SysWOW64\taskkill.exe
Commandline:	taskkill /F /PID 6356
Size:	74240
MD5:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Time:	19:29:17
Date:	29/06/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xfe0000
Modulesize:	86016
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses taskkill to terminate processes	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

Details

Is windows:	true
Is dropped:	false
PID:	3096
Target ID:	5
Parent PID:	4444
Name:	choice.exe
Path:	C:\Windows\SysWOW64\choice.exe
Commandline:	choice /C Y /N /D Y /T 3
Size:	28160
MD5:	FCE0E41C87DC4ABBE976998AD26C27E4
Time:	19:29:17
Date:	29/06/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x840000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://medical-m.gl.at.ply.gg:6677/IRemotePanel

147.185.221.16

https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy

unknown

http://tempuri.org/IRemotePanel/SendClientInfoResponse05

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous

unknown

http://tempuri.org/IRemotePanel/GetTasksLR

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://tempuri.org/

unknown

http://tempuri.org/IRemotePanel/GetSettingsResponse05

unknown

http://tempuri.org/IRemotePanel/CompleteTaskLR

unknown

https://google.com/

unknown

http://tempuri.org/IRemotePanel/GetSettingsLR

unknown

http://tempuri.org/IRemotePanel/CompleteTaskResponse05

unknown

https://api.ipify.org

unknown

http://medical-m.gl.at.ply.gg

unknown

http://medical-m.gl.at.ply.gg:6677

unknown

http://tempuri.org/IRemotePanel/GetSettingsT

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://tempuri.org/IRemotePanel/SendClientInfoLR

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/fault

unknown

http://tempuri.org/IRemotePanel/GetTasksResponse05

unknown

http://checkip.amazonaws.com/)https://ipinfo.io/ip

unknown

http://tempuri.org/0

unknown

http://tempuri.org/IRemotePanel/

unknown

http://tempuri.org/IRemotePanel/GetSettings

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/soap/actor/next

unknown

There are 16 hidden URLs, click here to show them.

Domains

Name

Malicious

15.164.165.52.in-addr.arpa

unknown

medical-m.gl.at.ply.gg

147.185.221.16

Details

Name:	medical-m.gl.at.ply.gg
IP:	147.185.221.16
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
HTTP GET or POST without a user agent	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

147.185.221.16

medical-m.gl.at.ply.gg

United States

Details

IP:	147.185.221.16
TargetID:	0
Current Path:	C:\Users\user\Desktop\Build.exe
Country:	United States
Countrycode:	USA
ASN number:	12087
ASN name:	SALSGIVERUS
Private:	false
Domain:	medical-m.gl.at.ply.gg

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASMANCS

FileDirectory

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2741000

trusted library allocation

page read and write

322000

unkown

page readonly

CD0000

trusted library allocation

page read and write

C52000

trusted library allocation

page read and write

5DCE000

stack

page read and write

33C0000

heap

page read and write

26DF000

stack

page read and write

4E70000

heap

page read and write

AAC000

heap

page read and write

C2E000

stack

page read and write

4C00000

trusted library allocation

page execute and read and write

2730000

heap

page execute and read and write

3DC000

stack

page read and write

294F000

stack

page read and write

A38000

heap

page read and write

510E000

stack

page read and write

A30000

heap

page read and write

C46000

trusted library allocation

page execute and read and write

659E000

stack

page read and write

3741000

trusted library allocation

page read and write

86E000

stack

page read and write

4CD0000

trusted library allocation

page read and write

4D2E000

stack

page read and write

2B48000

heap

page read and write

D30000

trusted library allocation

page read and write

646B000

heap

page read and write

33F6000

heap

page read and write

E30000

heap

page read and write

4C90000

trusted library allocation

page read and write

35C0000

heap

page read and write

A20000

trusted library allocation

page read and write

671E000

stack

page read and write

2DF0000

heap

page read and write

4BF0000

trusted library allocation

page read and write

282A000

trusted library allocation

page read and write

C30000

trusted library allocation

page read and write

820000

heap

page read and write

27EF000

trusted library allocation

page read and write

A72000

heap

page read and write

604E000

stack

page read and write

5ECE000

stack

page read and write

26EB000

trusted library allocation

page read and write

AEB000

heap

page read and write

4C60000

trusted library allocation

page execute and read and write

CE7000

heap

page read and write

33F7000

heap

page read and write

4C70000

trusted library allocation

page read and write

290E000

stack

page read and write

4CC0000

heap

page execute and read and write

27D0000

trusted library allocation

page read and write

4FCE000

stack

page read and write

A23000

trusted library allocation

page execute and read and write

4B80000

trusted library allocation

page read and write

CBE000

stack

page read and write

4CA0000

trusted library allocation

page read and write

5C8E000

stack

page read and write

320000

unkown

page readonly

645A000

stack

page read and write

26F6000

trusted library allocation

page read and write

33CC000

heap

page read and write

8AE000

stack

page read and write

C5B000

trusted library allocation

page execute and read and write

529D000

stack

page read and write

6F8000

stack

page read and write

A10000

trusted library allocation

page read and write

608F000

stack

page read and write

9E0000

heap

page read and write

5F0E000

stack

page read and write

61CE000

stack

page read and write

600D000

stack

page read and write

4BE0000

trusted library allocation

page read and write

60CE000

stack

page read and write

CE0000

heap

page read and write

2D6D000

stack

page read and write

35BF000

stack

page read and write

2702000

trusted library allocation

page read and write

A58000

heap

page read and write

C40000

trusted library allocation

page read and write

27C3000

trusted library allocation

page read and write

635C000

stack

page read and write

E0A000

trusted library allocation

page read and write

335E000

stack

page read and write

C57000

trusted library allocation

page execute and read and write

33E5000

heap

page read and write

270E000

trusted library allocation

page read and write

2DE0000

heap

page read and write

A2D000

trusted library allocation

page execute and read and write

5C4F000

stack

page read and write

740000

heap

page read and write

26E0000

trusted library allocation

page read and write

52DE000

stack

page read and write

282C000

trusted library allocation

page read and write

C55000

trusted library allocation

page execute and read and write

65DE000

stack

page read and write

A3E000

heap

page read and write

33E1000

heap

page read and write

6460000

heap

page read and write

68C000

stack

page read and write

730000

heap

page read and write

D50000

heap

page read and write

27D4000

trusted library allocation

page read and write

661E000

stack

page read and write

C4A000

trusted library allocation

page execute and read and write

50CE000

stack

page read and write

520F000

stack

page read and write

ABF000

heap

page read and write

27E4000

trusted library allocation

page read and write

27D7000

trusted library allocation

page read and write

D2D000

stack

page read and write

2A10000

heap

page read and write

27FC000

trusted library allocation

page read and write

E10000

trusted library allocation

page read and write

E08000

trusted library allocation

page read and write

C42000

trusted library allocation

page read and write

4C10000

trusted library allocation

page read and write

33E3000

heap

page read and write

C3D000

trusted library allocation

page execute and read and write

2721000

trusted library allocation

page read and write

30FD000

stack

page read and write

27FA000

trusted library allocation

page read and write

A24000

trusted library allocation

page read and write

4D30000

trusted library allocation

page read and write

27C9000

trusted library allocation

page read and write

31D0000

heap

page read and write

2B40000

heap

page read and write

E39000

heap

page read and write

28CF000

stack

page read and write

E04000

trusted library allocation

page read and write

8D0000

heap

page read and write

321E000

unkown

page read and write

52E0000

heap

page read and write

61D0000

trusted library allocation

page read and write

4C8A000

trusted library allocation

page read and write

7F020000

trusted library allocation

page execute and read and write

4C8D000

trusted library allocation

page read and write

9DF000

stack

page read and write

26F1000

trusted library allocation

page read and write

27CB000

trusted library allocation

page read and write

4E6E000

stack

page read and write

346000

unkown

page readonly

4D40000

trusted library allocation

page execute and read and write

27E8000

trusted library allocation

page read and write

4BB0000

trusted library allocation

page read and write

CC0000

trusted library allocation

page execute and read and write

ADD000

heap

page read and write

6CC000

stack

page read and write

2DD0000

heap

page read and write

E00000

trusted library allocation

page read and write

4D50000

trusted library allocation

page read and write

A65000

heap

page read and write

288E000

stack

page read and write

810000

heap

page read and write

483E000

stack

page read and write

E20000

trusted library allocation

page read and write

5B4E000

stack

page read and write

4D60000

trusted library allocation

page execute and read and write

2D70000

heap

page read and write

8D5000

heap

page read and write

E37000

heap

page read and write

5D8F000

stack

page read and write

331F000

unkown

page read and write

There are 151 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Build.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportBuild.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Build.exe