IOC Report

Processes

Path                           | Cmdline                                                                           | Malicious
C:\Windows\SysWOW64\cmd.exe    | cmd /C ""C:\Windows\system32\wscript.exe" //e:VBScript dekstop.ini "Microsoft""  |
C:\Windows\System32\conhost.exe| C:\Windows\system32\conhost.exe 0xffffffff -ForceV1                               |
C:\Windows\SysWOW64\wscript.exe| "C:\Windows\system32\wscript.exe" //e:VBScript dekstop.ini "Microsoft"            |

Domains

Name                             | IP             | Malicious
s-part-0017.t-0009.t-msedge.net  | 13.107.246.45  |

Memdumps
