Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

4munRyMrBm.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	7.014633465311287
Filename:	4munRyMrBm.exe
Filesize:	1919488
MD5:	72f322c11bdcf5920ee23f6fffa7d0a7
SHA1:	7c93d6d0af8b5e333dbf2cb2e3df2943c7163103
SHA256:	19b7b25564d95b2f1f3ed8904a5a1369445e9064c6e7e3ff4a058d5546cd38ea
SHA512:	5a0f1741b654de6780f2eff6aa9b2cd265d68d54c96ce03a70b0699be326162a69864c9d7a385901bbea351717565d17a50150c1caedb0695e7acc0f0ad304cc
SSDEEP:	49152:BOD+bTI6YTDml4HJPHDQkOBU0f9iygcrxZ3aU5ZzIrRo2ht1R1ZvkwZJ:wv85
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.x...+...+...+^.....+^.....+^.....+.b.+...+.b....+...+o..+n.....+n.....+...+...+n.....+......+...*...+Rich...+.......

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection	Access Token Manipulation
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API Access Token Manipulation
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Yara signature match	System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to register its own exception handler	Anti Debugging
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.3.dr
ID:	dr_4
Target ID:	3
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	1.1940658735648508
Encrypted:	false
Ssdeep:	3:NlllulJnp/p:NllU
Size:	64
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0v5czuty.3sr.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0v5czuty.3sr.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_0v5czuty.3sr.psm1.3.dr
ID:	dr_3
Target ID:	3
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3v3szqea.fmp.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3v3szqea.fmp.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_3v3szqea.fmp.ps1.3.dr
ID:	dr_0
Target ID:	3
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lswi5yq0.wwv.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lswi5yq0.wwv.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_lswi5yq0.wwv.ps1.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uo1kv32u.wya.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uo1kv32u.wya.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_uo1kv32u.wya.psm1.3.dr
ID:	dr_1
Target ID:	3
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\4munRyMrBm.exe

"C:\Users\user\Desktop\4munRyMrBm.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5660
Target ID:	0
Parent PID:	4004
Name:	4munRyMrBm.exe
Path:	C:\Users\user\Desktop\4munRyMrBm.exe
Commandline:	"C:\Users\user\Desktop\4munRyMrBm.exe"
Size:	1919488
MD5:	72F322C11BDCF5920EE23F6FFFA7D0A7
Time:	09:54:50
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7c5bb0000
Modulesize:	2248704
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Powershell Defender Exclusion	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile

Details

Is windows:	true
Is dropped:	false
PID:	1340
Target ID:	3
Parent PID:	5660
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	09:54:51
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6e3d50000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Sigma detected: Powershell Defender Exclusion	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5324
Target ID:	5
Parent PID:	5660
Name:	CasPol.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Size:	108664
MD5:	914F728C04D3EDDD5FBA59420E74E56B
Time:	09:54:52
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x9d0000
Modulesize:	114688
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5916
Target ID:	1
Parent PID:	5660
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:54:51
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	420
Target ID:	4
Parent PID:	1340
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:54:51
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\wbem\WmiPrvSE.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	6620
Target ID:	6
Parent PID:	752
Name:	WmiPrvSE.exe
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Size:	496640
MD5:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Time:	09:54:55
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	true
Modulebase:	0x7ff717f30000
Modulesize:	516096
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://aka.ms/GlobalizationInvariantMode

unknown

http://smtp.ionos.com

unknown

https://account.dyn.com/

unknown

https://aka.ms/nativeaot-c

unknown

https://aka.ms/nativeaot-compatibility

unknown

https://aka.ms/nativeaot-compatibilityY

unknown

https://aka.ms/nativeaot-compatibilityy

unknown

Domains

Name

Malicious

smtp.ionos.com

74.208.5.2

Details

Name:	smtp.ionos.com
IP:	74.208.5.2
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

74.208.5.2

smtp.ionos.com

United States

Details

IP:	74.208.5.2
TargetID:	5
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Country:	United States
Countrycode:	USA
ASN number:	8560
ASN name:	ONEANDONE-ASBrauerstrasse48DE
Private:	false
Domain:	smtp.ionos.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

402000

remote allocation

page execute and read and write

30A1000

trusted library allocation

page read and write

1CFBD400000

direct allocation

page read and write

30EE000

trusted library allocation

page read and write

FE5000

trusted library allocation

page execute and read and write

10CB000

heap

page read and write

7FF7C5D09000

unkown

page readonly

FD6000

trusted library allocation

page execute and read and write

3114000

trusted library allocation

page read and write

FDA000

trusted library allocation

page execute and read and write

1030000

heap

page read and write

127E000

stack

page read and write

1080000

heap

page read and write

6330000

trusted library allocation

page read and write

576E000

stack

page read and write

FE2000

trusted library allocation

page read and write

51CE000

trusted library allocation

page read and write

1220000

trusted library allocation

page execute and read and write

1CFB90E0000

heap

page read and write

10C7000

heap

page read and write

1CFB91E0000

heap

page read and write

FB3000

trusted library allocation

page execute and read and write

6920000

trusted library allocation

page read and write

30EC000

trusted library allocation

page read and write

5398000

trusted library allocation

page read and write

7FF7C5BB0000

unkown

page readonly

51ED000

trusted library allocation

page read and write

6980000

heap

page read and write

7FF7C5D09000

unkown

page readonly

400000

remote allocation

page execute and read and write

FD2000

trusted library allocation

page read and write

FB4000

trusted library allocation

page read and write

535C000

stack

page read and write

5F64000

heap

page read and write

1CFB9130000

direct allocation

page read and write

6240000

trusted library allocation

page read and write

1CFBAC00000

direct allocation

page read and write

100E000

heap

page read and write

1CFB91E6000

heap

page read and write

572F000

stack

page read and write

2104F5D0000

heap

page read and write

62DE000

stack

page read and write

5200000

trusted library allocation

page read and write

5220000

heap

page read and write

6930000

trusted library allocation

page read and write

2C68000

trusted library allocation

page read and write

51DA000

trusted library allocation

page read and write

E70000

heap

page read and write

5210000

trusted library allocation

page read and write

7F3A0000

trusted library allocation

page execute and read and write

1CFB9100000

heap

page read and write

FD0000

trusted library allocation

page read and write

51F2000

trusted library allocation

page read and write

2104F6C1000

heap

page read and write

1CFB9000000

heap

page read and write

7FF7C5BB0000

unkown

page readonly

631E000

stack

page read and write

681E000

stack

page read and write

FF8000

heap

page read and write

1CFBF800000

direct allocation

page read and write

1CFC0C00000

direct allocation

page read and write

7FF7C5D79000

unkown

page write copy

FEB000

trusted library allocation

page execute and read and write

64DE000

stack

page read and write

7FF7C5D84000

unkown

page read and write

3108000

trusted library allocation

page read and write

2C5F000

stack

page read and write

102D000

heap

page read and write

C79000

stack

page read and write

E75000

heap

page read and write

30F6000

trusted library allocation

page read and write

61E6000

trusted library allocation

page read and write

51A0000

trusted library allocation

page read and write

1280000

heap

page read and write

4106000

trusted library allocation

page read and write

1CFB91EC000

heap

page read and write

40C9000

trusted library allocation

page read and write

519E000

stack

page read and write

623D000

stack

page read and write

FCD000

trusted library allocation

page execute and read and write

5F80000

heap

page read and write

3118000

trusted library allocation

page read and write

FE7000

trusted library allocation

page execute and read and write

51D2000

trusted library allocation

page read and write

FF0000

heap

page read and write

51C6000

trusted library allocation

page read and write

70DC77F000

stack

page read and write

5390000

trusted library allocation

page read and write

70DCA7F000

stack

page read and write

6960000

heap

page read and write

1CFBD000000

direct allocation

page read and write

61C0000

trusted library allocation

page read and write

1CFB9140000

direct allocation

page read and write

7FF7C5D79000

unkown

page read and write

FB0000

trusted library allocation

page read and write

7FF7C5D87000

unkown

page readonly

E40000

heap

page read and write

51DE000

trusted library allocation

page read and write

61E0000

trusted library allocation

page read and write

7FF7C5BB1000

unkown

page execute read

1CFB9241000

heap

page read and write

FBD000

trusted library allocation

page execute and read and write

54EE000

stack

page read and write

10BE000

heap

page read and write

2D40000

trusted library allocation

page read and write

1CFC0200000

direct allocation

page read and write

61F0000

trusted library allocation

page execute and read and write

20FC2AAA000

direct allocation

page read and write

DF0000

heap

page read and write

1230000

heap

page read and write

562E000

stack

page read and write

70DC8FF000

stack

page read and write

51E1000

trusted library allocation

page read and write

6970000

trusted library allocation

page execute and read and write

691F000

stack

page read and write

7FF7C5D87000

unkown

page readonly

20FCEACF000

direct allocation

page read and write

12B0000

heap

page read and write

6320000

trusted library allocation

page execute and read and write

DE0000

heap

page read and write

51B3000

heap

page read and write

70DC389000

stack

page read and write

2D3C000

stack

page read and write

51B0000

heap

page read and write

1CFBD003000

direct allocation

page read and write

7FF7C5D7F000

unkown

page read and write

6337000

trusted library allocation

page read and write

7FF7C5CC9000

unkown

page read and write

54AC000

stack

page read and write

55EF000

stack

page read and write

51E6000

trusted library allocation

page read and write

5F60000

heap

page read and write

7FF7C5BB1000

unkown

page execute read

40A1000

trusted library allocation

page read and write

D79000

stack

page read and write

2D50000

heap

page execute and read and write

51CB000

trusted library allocation

page read and write

FA0000

trusted library allocation

page read and write

61CC000

trusted library allocation

page read and write

51C0000

trusted library allocation

page read and write

1200000

trusted library allocation

page read and write

53A0000

heap

page execute and read and write

FC0000

trusted library allocation

page read and write

5FC2000

heap

page read and write

1CFB9480000

heap

page read and write

2104F6BE000

heap

page read and write

5E1F000

stack

page read and write

There are 137 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
4munRyMrBm.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report4munRyMrBm.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
4munRyMrBm.exe