Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\LisectAVT_2403002B_445.exe

"C:\Users\user\Desktop\LisectAVT_2403002B_445.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6636
Target ID:	0
Parent PID:	2580
Name:	LisectAVT_2403002B_445.exe
Path:	C:\Users\user\Desktop\LisectAVT_2403002B_445.exe
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002B_445.exe"
Size:	2012017
MD5:	101E706C8B509AF541E6DCA6B289F309
Time:	06:18:13
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	2023424
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6652
Target ID:	1
Parent PID:	6636
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	06:18:13
Date:	25/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

edurestunningcrackyow.fun

pooreveningfuseor.pw

associationokeo.shop

colorfulequalugliess.shop

turkeyunlikelyofw.shop

detectordiscusser.shop

wisemassiveharmonious.shop

sideindexfollowragelrew.pw

relevantvoicelesskw.shop

https://associationokeo.shop/api

unknown

https://turkeyunlikelyofw.shop/p

unknown

https://associationokeo.shop/_

unknown

https://turkeyunlikelyofw.shop/api

unknown

https://turkeyunlikelyofw.shop/

unknown

https://associationokeo.shop/apiM

unknown

https://edurestunningcrackyow.fun/

unknown

https://colorfulequalugliess.shop/K

unknown

https://pooreveningfuseor.pw/t

unknown

https://detectordiscusser.shop/apie

unknown

https://detectordiscusser.shop/

unknown

https://detectordiscusser.shop/api

unknown

https://associationokeo.shop//

unknown

https://relevantvoicelesskw.shop//

unknown

https://pooreveningfuseor.pw/

unknown

https://associationokeo.shop/i

unknown

There are 15 hidden URLs, click here to show them.

Domains

Name

Malicious

edurestunningcrackyow.fun

unknown

Details

Name:	edurestunningcrackyow.fun
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

turkeyunlikelyofw.shop

unknown

Details

Name:	turkeyunlikelyofw.shop
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

sideindexfollowragelrew.pw

unknown

Details

Name:	sideindexfollowragelrew.pw
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

detectordiscusser.shop

unknown

Details

Name:	detectordiscusser.shop
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

relevantvoicelesskw.shop

unknown

Details

Name:	relevantvoicelesskw.shop
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

pooreveningfuseor.pw

unknown

Details

Name:	pooreveningfuseor.pw
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

wisemassiveharmonious.shop

unknown

Details

Name:	wisemassiveharmonious.shop
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

associationokeo.shop

unknown

Details

Name:	associationokeo.shop
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

colorfulequalugliess.shop

unknown

Details

Name:	colorfulequalugliess.shop
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

5A0000

unkown

page read and write

902000

heap

page read and write

92B000

heap

page read and write

90E000

heap

page read and write

27CF000

stack

page read and write

860000

remote allocation

page read and write

90C000

heap

page read and write

254D000

stack

page read and write

400000

unkown

page readonly

902000

heap

page read and write

8E7000

heap

page read and write

19A000

stack

page read and write

80D000

stack

page read and write

902000

heap

page read and write

8BE000

heap

page read and write

90E000

heap

page read and write

90E000

heap

page read and write

2D8E000

stack

page read and write

6D1000

direct allocation

page execute read

9C000

stack

page read and write

AAF000

stack

page read and write

923000

heap

page read and write

5E8000

unkown

page readonly

92B000

heap

page read and write

290F000

stack

page read and write

923000

heap

page read and write

268E000

stack

page read and write

6D0000

direct allocation

page read and write

70A000

direct allocation

page read and write

401000

unkown

page execute read

8DC000

heap

page read and write

8E7000

heap

page read and write

BAF000

stack

page read and write

92B000

heap

page read and write

5E8000

unkown

page readonly

8EC000

heap

page read and write

8E5000

heap

page read and write

870000

heap

page read and write

599000

unkown

page readonly

90E000

heap

page read and write

5A0000

unkown

page write copy

280E000

stack

page read and write

244D000

stack

page read and write

92B000

heap

page read and write

2C8E000

stack

page read and write

860000

remote allocation

page read and write

599000

unkown

page readonly

8B0000

heap

page read and write

714000

direct allocation

page readonly

2458000

trusted library allocation

page read and write

84E000

stack

page read and write

8E7000

heap

page read and write

8BA000

heap

page read and write

79E000

stack

page read and write

7C0000

heap

page read and write

1F0000

heap

page read and write

923000

heap

page read and write

923000

heap

page read and write

400000

unkown

page readonly

860000

remote allocation

page read and write

6C0000

heap

page read and write

8D6000

heap

page read and write

75E000

stack

page read and write

401000

unkown

page execute read

258E000

stack

page read and write

8EC000

heap

page read and write

8EC000

heap

page read and write

26CE000

stack

page read and write

90B000

heap

page read and write

707000

direct allocation

page readonly

There are 60 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
LisectAVT_2403002B_445.exe

Processes

URLs

Domains

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportLisectAVT_2403002B_445.exe

Processes

URLs

Domains

Memdumps

IOC Report
LisectAVT_2403002B_445.exe