Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\R.exe

"C:\Users\user\Desktop\R.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6632
Target ID:	0
Parent PID:	2580
Name:	R.exe
Path:	C:\Users\user\Desktop\R.exe
Commandline:	"C:\Users\user\Desktop\R.exe"
Size:	154112
MD5:	24CF2F25CBF27D1EA57A4B995F8D36D9
Time:	05:04:04
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff78e660000
Modulesize:	286720
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
PE file has an executable .text section and no other executable section	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6612
Target ID:	1
Parent PID:	6632
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	05:04:04
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\bin\x64\R.exe""

Details

Is windows:	true
Is dropped:	false
PID:	4412
Target ID:	2
Parent PID:	6632
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\bin\x64\R.exe""
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	05:04:04
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff707680000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://www.r-project.orgD

unknown

https://bugs.R-project.org

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

1148BC02000

heap

page read and write

8A59FF000

stack

page read and write

8A5BFF000

stack

page read and write

7FF78E661000

unkown

page execute read

7FF78E694000

unkown

page readonly

8A57FA000

stack

page read and write

1148BD02000

heap

page read and write

7FF78E667000

unkown

page write copy

7FF78E667000

unkown

page write copy

1148BBA0000

heap

page read and write

1148BC13000

heap

page read and write

7FF78E691000

unkown

page write copy

7FF78E660000

unkown

page readonly

7FF78E668000

unkown

page readonly

1148BC00000

heap

page read and write

7FF78E694000

unkown

page readonly

7FF78E661000

unkown

page execute read

7FF78E668000

unkown

page readonly

1148BB80000

heap

page read and write

1148BC2B000

heap

page read and write

7FF78E660000

unkown

page readonly

7FF78E691000

unkown

page read and write

1148BBB0000

heap

page read and write

There are 13 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
R.exe

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportR.exe

Processes

URLs

Memdumps

IOC Report
R.exe