Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Launcher.exe

"C:\Users\user\Desktop\Launcher.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6628
Target ID:	0
Parent PID:	2580
Name:	Launcher.exe
Path:	C:\Users\user\Desktop\Launcher.exe
Commandline:	"C:\Users\user\Desktop\Launcher.exe"
Size:	487936
MD5:	EB703224C407D3D68B7FBD444CC2DFC3
Time:	14:36:58
Date:	26/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x500000
Modulesize:	503808
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3868
Target ID:	2
Parent PID:	6628
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	14:36:59
Date:	26/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x530000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6552
Target ID:	1
Parent PID:	6628
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	14:36:58
Date:	26/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

kaminiasbbefow.shop

Details

Name:	kaminiasbbefow.shop
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Launcher.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

https://kaminiasbbefow.shop/pi

unknown

https://kaminiasbbefow.shop/C

unknown

https://kaminiasbbefow.shop/)

unknown

https://kaminiasbbefow.shop/re1j

unknown

https://kaminiasbbefow.shop/api

188.114.96.3

Details

Name:	https://kaminiasbbefow.shop/api
IP:	188.114.96.3
TargetID:	2
From Memory:	false
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://kaminiasbbefow.shop/

unknown

Domains

Name

Malicious

kaminiasbbefow.shop

188.114.96.3

Details

Name:	kaminiasbbefow.shop
IP:	188.114.96.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

188.114.96.3

kaminiasbbefow.shop

European Union

Details

IP:	188.114.96.3
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	kaminiasbbefow.shop

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

1650000

heap

page read and write

500000

unkown

page readonly

1470000

direct allocation

page execute and read and write

2E3E000

stack

page read and write

D80000

heap

page read and write

DB0000

heap

page read and write

A46000

heap

page read and write

14C0000

heap

page read and write

FE0000

heap

page read and write

501000

unkown

page execute read

15CF000

stack

page read and write

25CF000

stack

page read and write

A96000

heap

page read and write

8FA000

stack

page read and write

A20000

heap

page read and write

A8E000

heap

page read and write

520000

unkown

page readonly

940000

heap

page read and write

2F3E000

trusted library allocation

page read and write

52B000

unkown

page read and write

A62000

heap

page read and write

A92000

heap

page read and write

A59000

heap

page read and write

260D000

stack

page read and write

500000

unkown

page readonly

579000

unkown

page readonly

33AF000

stack

page read and write

2E59000

trusted library allocation

page read and write

165B000

heap

page read and write

2EDD000

trusted library allocation

page read and write

A1E000

stack

page read and write

270D000

stack

page read and write

ADD000

heap

page read and write

2E54000

trusted library allocation

page read and write

2CFF000

stack

page read and write

A76000

heap

page read and write

2E52000

trusted library allocation

page read and write

501000

unkown

page execute read

2F53000

trusted library allocation

page read and write

578000

unkown

page write copy

2F09000

trusted library allocation

page read and write

2E9E000

trusted library allocation

page read and write

2F1B000

trusted library allocation

page read and write

2E50000

trusted library allocation

page read and write

520000

unkown

page readonly

14BE000

stack

page read and write

3430000

heap

page read and write

950000

heap

page read and write

24CF000

stack

page read and write

3150000

heap

page read and write

12FC000

stack

page read and write

2F39000

trusted library allocation

page read and write

450000

remote allocation

page execute and read and write

F7C000

stack

page read and write

284E000

stack

page read and write

A40000

heap

page read and write

A2A000

heap

page read and write

995000

heap

page read and write

AE5000

heap

page read and write

AE8000

heap

page read and write

52B000

unkown

page write copy

1420000

heap

page read and write

9DE000

stack

page read and write

2F50000

trusted library allocation

page read and write

2D3E000

stack

page read and write

ADF000

heap

page read and write

2E56000

trusted library allocation

page read and write

2BFE000

stack

page read and write

274D000

stack

page read and write

141E000

stack

page read and write

1662000

heap

page read and write

2F0C000

trusted library allocation

page read and write

30EF000

stack

page read and write

5DB000

stack

page read and write

FD0000

heap

page read and write

990000

heap

page read and write

579000

unkown

page readonly

32AE000

stack

page read and write

400000

remote allocation

page execute and read and write

There are 69 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Launcher.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportLauncher.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Launcher.exe