Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

41DLTjkmOm.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	4.891884878400808
Filename:	41DLTjkmOm.exe
Filesize:	900608
MD5:	922aee056087550daf3f1f73afe27981
SHA1:	9343b922a98667a6ca1224ab67323f557e176de7
SHA256:	37c8afc687419dfc68e7f63c28c0cbbc11ca34cfd32b095711f7a8818788931f
SHA512:	747a358da2760c6720e4a4fc6633aeaa2de1929d17098373f4cd39949a57f87e5e5f802eae8922c6a197f17dfc83ba1fab70e772d78509ea3f80667df7ea6c7a
SSDEEP:	1536:eywzb8kIR7zHKR/sxXsX9jz9jEOCKDncxVvPeLuBT+V48I/0Is0NSRCtQnyuaXaZ:eyb1NKV4mwX/b6f8twq
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...XK.f............................".... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection	Process Injection
.NET source code contains potential unpacker	Data Obfuscation	Access Token Manipulation Software Packing
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Process Injection Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	File and Directory Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary	Process Injection
Contains functionality to download additional files from the internet	Networking	Process Injection
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Process Injection Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Public key (encryption) found	Cryptography	Account Discovery System Owner/User Discovery Archive Collected Data
Queries a list of all running processes	Malware Analysis System Evasion	Process Injection
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
PE file contains a debug data directory	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\ProgramData\remcos\logs.dat

data

dropped

Details

File:	C:\ProgramData\remcos\logs.dat
Category:	dropped
Dump:	logs.dat.4.dr
ID:	dr_6
Target ID:	4
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	data
Entropy:	3.3742771088625614
Encrypted:	false
Ssdeep:	3:rhlKlViNWWlWfMfWl5JWRal2Jl+7R0DAlBG45klovDl6v:6lViNWWw5YcIeeDAlOWAv
Size:	144
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\41DLTjkmOm.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\41DLTjkmOm.exe.log
Category:	dropped
Dump:	41DLTjkmOm.exe.log.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\41DLTjkmOm.exe
Type:	CSV text
Entropy:	5.357964438493834
Encrypted:	false
Ssdeep:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
Size:	425
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\Lamsses.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\Lamsses.exe
Category:	dropped
Dump:	Lamsses.exe.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\41DLTjkmOm.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	4.891884878400808
Encrypted:	false
Ssdeep:	1536:eywzb8kIR7zHKR/sxXsX9jz9jEOCKDncxVvPeLuBT+V48I/0Is0NSRCtQnyuaXaZ:eyb1NKV4mwX/b6f8twq
Size:	900608
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Roaming\Lamsses.exe:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\Lamsses.exe:Zone.Identifier
Category:	dropped
Dump:	Lamsses.exe_Zone.Identifier.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\41DLTjkmOm.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Lamsses.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Lamsses.exe.log
Category:	dropped
Dump:	Lamsses.exe.log.8.dr
ID:	dr_7
Target ID:	8
Process:	C:\Users\user\AppData\Roaming\Lamsses.exe
Type:	CSV text
Entropy:	5.357964438493834
Encrypted:	false
Ssdeep:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
Size:	425
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\json[1].json

JSON data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\json[1].json
Category:	dropped
Dump:	json[1].json.4.dr
ID:	dr_5
Target ID:	4
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	JSON data
Entropy:	5.013811273052389
Encrypted:	false
Ssdeep:	12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
Size:	962
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\MangoDB[1].ytyp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\MangoDB[1].ytyp
Category:	dropped
Dump:	MangoDB[1].ytyp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\41DLTjkmOm.exe
Type:	data
Entropy:	7.9202543406857036
Encrypted:	false
Ssdeep:	384:n5TFJV4WBKpIocOLVEXagvYcEmLn05M1OTCZ+jvA0g:n5SxIoLLVPkY5OnwBGZ+Q
Size:	15872
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\Paatapas[1].ytyp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\Paatapas[1].ytyp
Category:	dropped
Dump:	Paatapas[1].ytyp.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\41DLTjkmOm.exe
Type:	data
Entropy:	7.95553157792528
Encrypted:	false
Ssdeep:	12288:ZmKD2ZcBuqqbIBn2f+s80Rfy1P3qM+xXYKH:oKD2qib8sw0RfyBV+Z
Size:	494592
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\41DLTjkmOm.exe

"C:\Users\user\Desktop\41DLTjkmOm.exe"

Details

Is windows:	false
Is dropped:	false
PID:	516
Target ID:	0
Parent PID:	4004
Name:	41DLTjkmOm.exe
Path:	C:\Users\user\Desktop\41DLTjkmOm.exe
Commandline:	"C:\Users\user\Desktop\41DLTjkmOm.exe"
Size:	900608
MD5:	922AEE056087550DAF3F1F73AFE27981
Time:	05:37:08
Date:	27/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc70000
Modulesize:	917504
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	1444
Target ID:	3
Parent PID:	516
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	05:37:12
Date:	27/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x280000
Modulesize:	262144
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3984
Target ID:	4
Parent PID:	516
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	05:37:12
Date:	27/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xd80000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\System32\cmd.exe

"cmd.exe" /c schtasks /create /tn "WidgetData" /tr "C:\Users\user\AppData\Roaming\Lamsses.exe " /sc minute /mo 5 /f

Details

Is windows:	true
Is dropped:	false
PID:	3196
Target ID:	5
Parent PID:	516
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	"cmd.exe" /c schtasks /create /tn "WidgetData" /tr "C:\Users\user\AppData\Roaming\Lamsses.exe " /sc minute /mo 5 /f
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	05:37:12
Date:	27/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6b4f50000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to launch a control a shell (cmd.exe)	Remote Access Functionality	Command and Scripting Interpreter
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\schtasks.exe

schtasks /create /tn "WidgetData" /tr "C:\Users\user\AppData\Roaming\Lamsses.exe " /sc minute /mo 5 /f

Details

Is windows:	true
Is dropped:	false
PID:	3548
Target ID:	7
Parent PID:	3196
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\System32\schtasks.exe
Commandline:	schtasks /create /tn "WidgetData" /tr "C:\Users\user\AppData\Roaming\Lamsses.exe " /sc minute /mo 5 /f
Size:	235008
MD5:	76CD6626DD8834BD4A42E6A565104DC2
Time:	05:37:13
Date:	27/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6a5880000
Modulesize:	253952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\Lamsses.exe

Details

Is windows:	false
Is dropped:	true
PID:	3496
Target ID:	8
Parent PID:	1064
Name:	Lamsses.exe
Path:	C:\Users\user\AppData\Roaming\Lamsses.exe
Commandline:	C:\Users\user\AppData\Roaming\Lamsses.exe
Size:	900608
MD5:	922AEE056087550DAF3F1F73AFE27981
Time:	05:37:13
Date:	27/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x270000
Modulesize:	917504
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6272
Target ID:	9
Parent PID:	3496
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	05:37:13
Date:	27/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0xdc0000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1088
Target ID:	6
Parent PID:	3196
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	05:37:12
Date:	27/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://geoplugin.net/json.gp

178.237.33.50

bignight.net

https://investdirectinsurance.com/assuence/litesolidCha/MangoDB.ytyp

172.67.189.102

https://investdirectinsurance.com/assuence/litesolidCha/MangoDB.ytypim)_

unknown

https://investdirectinsurance.com/

unknown

http://geoplugin.net/json.gp/C

unknown

https://investdirectinsurance.com/assuence/litesolidCha/Paatapas.ytyp

172.67.189.102

https://investdirectinsurance.com/assuence/litesolidCha/MangoDB.ytypcm#_

unknown

http://geoplugin.net/jso

unknown

http://geoplugin.net/json.gp?

unknown

Domains

Name

Malicious

bignight.net

146.70.57.34

Details

Name:	bignight.net
IP:	146.70.57.34
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

geoplugin.net

178.237.33.50

Details

Name:	geoplugin.net
IP:	178.237.33.50
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

bg.microsoft.map.fastly.net

199.232.210.172

investdirectinsurance.com

172.67.189.102

Details

Name:	investdirectinsurance.com
IP:	172.67.189.102
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

fp2e7a.wpc.phicdn.net

192.229.221.95

IPs

Domain

Country

Malicious

178.237.33.50

geoplugin.net

Netherlands

Details

IP:	178.237.33.50
TargetID:	4
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	Netherlands
Countrycode:	NLD
ASN number:	8455
ASN name:	ATOM86-ASATOM86NL
Private:	false
Domain:	geoplugin.net

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary

146.70.57.34

bignight.net

United Kingdom

Details

IP:	146.70.57.34
TargetID:	4
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	2018
ASN name:	TENET-1ZA
Private:	false
Domain:	bignight.net

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

172.67.189.102

investdirectinsurance.com

United States

Details

IP:	172.67.189.102
TargetID:	0
Current Path:	C:\Users\user\Desktop\41DLTjkmOm.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	investdirectinsurance.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Rmc-SIVP85

exepath

HKEY_CURRENT_USER\SOFTWARE\Rmc-SIVP85

licence

HKEY_CURRENT_USER\SOFTWARE\Rmc-SIVP85

time

Memdumps

Base Address

Regiontype

Protect

Malicious

13D7000

heap

page read and write

1416000

heap

page read and write

2F6F000

stack

page read and write

130A9000

trusted library allocation

page read and write

11F8000

heap

page read and write

400000

remote allocation

page execute and read and write

105C000

stack

page read and write

24095D40000

heap

page read and write

11B0000

heap

page read and write

2FB0000

heap

page read and write

7FFD34480000

trusted library allocation

page read and write

13BB000

stack

page read and write

36AE000

stack

page read and write

7FFD34600000

trusted library allocation

page read and write

24095D30000

heap

page read and write

2641000

trusted library allocation

page read and write

C2ADFFF000

stack

page read and write

1B90E000

stack

page read and write

8B0000

heap

page read and write

7FFD34462000

trusted library allocation

page read and write

338E000

trusted library allocation

page read and write

132F000

heap

page read and write

7FFD34602000

trusted library allocation

page read and write

2FA0000

heap

page read and write

127A2000

trusted library allocation

page read and write

1545000

heap

page read and write

DE5000

heap

page read and write

8DF000

heap

page read and write

7FFD34606000

trusted library allocation

page read and write

12FC7000

trusted library allocation

page read and write

1364000

heap

page read and write

7FFD34610000

trusted library allocation

page read and write

3382000

trusted library allocation

page read and write

2DF0000

trusted library allocation

page read and write

263E000

stack

page read and write

1C50D000

stack

page read and write

7FFD34460000

trusted library allocation

page read and write

1B638000

heap

page read and write

24F0000

heap

page read and write

CD5000

heap

page read and write

830000

trusted library allocation

page read and write

959000

heap

page read and write

7FFD34510000

trusted library allocation

page read and write

3C0000

heap

page read and write

CA0000

heap

page execute and read and write

1429000

heap

page read and write

474000

remote allocation

page execute and read and write

12893000

trusted library allocation

page read and write

2E10000

trusted library allocation

page read and write

1BF27000

heap

page read and write

1300000

heap

page read and write

24095F90000

heap

page read and write

144B000

heap

page read and write

7D0000

heap

page read and write

B50000

heap

page read and write

7FFD34463000

trusted library allocation

page execute and read and write

7FFD34472000

trusted library allocation

page read and write

956000

heap

page read and write

3F5F000

stack

page read and write

7FFD34464000

trusted library allocation

page read and write

8F2000

heap

page read and write

7FFD3448B000

trusted library allocation

page execute and read and write

923000

heap

page read and write

1B54C000

stack

page read and write

B10000

heap

page read and write

7FFD34520000

trusted library allocation

page execute and read and write

12643000

trusted library allocation

page read and write

7FFD34580000

trusted library allocation

page execute and read and write

98B000

heap

page read and write

7FFD34510000

trusted library allocation

page read and write

164E000

stack

page read and write

24096150000

heap

page read and write

7FFD3448D000

trusted library allocation

page execute and read and write

1B00C000

stack

page read and write

1C1AE000

stack

page read and write

13E8000

heap

page read and write

11F0000

heap

page read and write

1C30C000

stack

page read and write

7FFD34463000

trusted library allocation

page execute and read and write

1BEE3000

heap

page read and write

CD0000

heap

page read and write

7FFD3460D000

trusted library allocation

page read and write

337F000

trusted library allocation

page read and write

115B000

stack

page read and write

24095DC0000

heap

page read and write

7F0000

heap

page read and write

8B6000

heap

page read and write

DC0000

heap

page read and write

1BEE0000

heap

page read and write

7FFD3446D000

trusted library allocation

page execute and read and write

920000

heap

page read and write

12F0000

heap

page read and write

12FC3000

trusted library allocation

page read and write

C5E000

stack

page read and write

2FC1000

trusted library allocation

page read and write

B55000

heap

page read and write

1C1B0000

heap

page execute and read and write

C70000

unkown

page readonly

1B10E000

stack

page read and write

338C000

trusted library allocation

page read and write

AAF000

stack

page read and write

1BF63000

heap

page read and write

1B636000

heap

page read and write

1BF25000

heap

page read and write

1BF6C000

heap

page read and write

1410000

heap

page read and write

128EB000

trusted library allocation

page read and write

12FC000

heap

page read and write

7FFD34470000

trusted library allocation

page read and write

DE0000

heap

page read and write

13097000

trusted library allocation

page read and write

7FFD344BC000

trusted library allocation

page execute and read and write

1B98B000

stack

page read and write

1BC8E000

stack

page read and write

37AF000

stack

page read and write

2F1E000

stack

page read and write

7FFD3446D000

trusted library allocation

page execute and read and write

143E000

stack

page read and write

3D0000

heap

page read and write

7FFD34460000

trusted library allocation

page read and write

1B20E000

stack

page read and write

2F60000

heap

page read and write

135E000

heap

page read and write

30EC000

stack

page read and write

1540000

heap

page read and write

2F80000

heap

page read and write

3E5E000

stack

page read and write

1ABCD000

stack

page read and write

1BB8E000

stack

page read and write

C2ADB8B000

stack

page read and write

12E0000

heap

page read and write

7FFD34604000

trusted library allocation

page read and write

12F0000

heap

page read and write

153E000

stack

page read and write

137E000

stack

page read and write

7FF477E90000

trusted library allocation

page execute and read and write

322D000

stack

page read and write

152E000

stack

page read and write

1BF65000

heap

page read and write

12729000

trusted library allocation

page read and write

7FFD344BC000

trusted library allocation

page execute and read and write

11D0000

heap

page read and write

13D0000

heap

page read and write

850000

trusted library allocation

page read and write

24095DE4000

heap

page read and write

1B80E000

stack

page read and write

1C160000

trusted library allocation

page read and write

2F30000

heap

page execute and read and write

157E000

stack

page read and write

C72000

unkown

page readonly

985000

heap

page read and write

1C70E000

stack

page read and write

24096155000

heap

page read and write

332F000

stack

page read and write

118C000

stack

page read and write

2772000

trusted library allocation

page read and write

135C000

heap

page read and write

1B610000

heap

page read and write

16CF000

stack

page read and write

471000

remote allocation

page execute and read and write

6F2000

stack

page read and write

1320000

heap

page read and write

1C0EE000

stack

page read and write

1BA8D000

stack

page read and write

8BC000

heap

page read and write

1B40E000

stack

page read and write

478000

remote allocation

page execute and read and write

7FFD34600000

trusted library allocation

page read and write

1C60E000

stack

page read and write

1BEE8000

heap

page read and write

1C40B000

stack

page read and write

126A9000

trusted library allocation

page read and write

24095D60000

heap

page read and write

31EF000

stack

page read and write

12DE000

stack

page read and write

7FFD3447D000

trusted library allocation

page execute and read and write

12F6000

heap

page read and write

13C6000

heap

page read and write

7FFD34462000

trusted library allocation

page read and write

12641000

trusted library allocation

page read and write

7FFD34479000

trusted library allocation

page read and write

142B000

heap

page read and write

7FFD34546000

trusted library allocation

page execute and read and write

2F70000

heap

page read and write

2530000

heap

page execute and read and write

1B30E000

stack

page read and write

7FFD34474000

trusted library allocation

page read and write

7FFD34520000

trusted library allocation

page execute and read and write

108C000

stack

page read and write

7FFD34580000

trusted library allocation

page execute and read and write

12FC1000

trusted library allocation

page read and write

167E000

stack

page read and write

13F0000

heap

page read and write

C2ADEFF000

unkown

page read and write

1290000

heap

page read and write

1324000

heap

page read and write

8DD000

heap

page read and write

474000

remote allocation

page execute and read and write

7FFD34546000

trusted library allocation

page execute and read and write

8E6000

heap

page read and write

7FFD3451C000

trusted library allocation

page execute and read and write

1B60E000

stack

page read and write

1295000

heap

page read and write

8F4000

heap

page read and write

131A000

heap

page read and write

961000

heap

page read and write

7FFD34470000

trusted library allocation

page read and write

7FFD34616000

trusted library allocation

page read and write

1BD8E000

stack

page read and write

30AF000

stack

page read and write

1B50E000

stack

page read and write

7FFD34464000

trusted library allocation

page read and write

14E0000

heap

page read and write

12EF000

stack

page read and write

1438000

heap

page read and write

1450000

heap

page read and write

10F2000

stack

page read and write

12649000

trusted library allocation

page read and write

1BE8E000

stack

page read and write

24095DCA000

heap

page read and write

1331000

heap

page read and write

14D0000

heap

page read and write

1281B000

trusted library allocation

page read and write

C70000

unkown

page readonly

12FC9000

trusted library allocation

page read and write

7FFD34606000

trusted library allocation

page read and write

1C130000

trusted library section

page read and write

12669000

trusted library allocation

page read and write

7FFD34610000

trusted library allocation

page read and write

7FFD3451C000

trusted library allocation

page execute and read and write

There are 220 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
41DLTjkmOm.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report41DLTjkmOm.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
41DLTjkmOm.exe