Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\demon.exe

"C:\Users\user\Desktop\demon.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5596
Target ID:	0
Parent PID:	1028
Name:	demon.exe
Path:	C:\Users\user\Desktop\demon.exe
Commandline:	"C:\Users\user\Desktop\demon.exe"
Size:	102400
MD5:	C8CBAD944550F18E550725F69EDF5553
Time:	01:46:58
Date:	31/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7c5e80000
Modulesize:	122880
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Havoc	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Havoc	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file does not import any functions	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

URLs

Name

Malicious

https://87.120.113.125/2

unknown

https://87.120.113.125/Q

unknown

https://87.120.113.125:443/X

unknown

https://87.120.113.125/Pw

unknown

https://87.120.113.125/

unknown

https://87.120.113.125/H

unknown

https://87.120.113.125/g

unknown

https://87.120.113.125/F

unknown

https://87.120.113.125/%

unknown

https://87.120.113.125:443/

unknown

IPs

Domain

Country

Malicious

87.120.113.125

unknown

Bulgaria

Details

IP:	87.120.113.125
TargetID:	0
Current Path:	C:\Users\user\Desktop\demon.exe
Country:	Bulgaria
Countrycode:	BGR
ASN number:	25206
ASN name:	UNACS-AS-BG8000BurgasBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7FF7C5E9A000

unkown

page readonly

19756FB5000

heap

page read and write

19756E40000

heap

page read and write

7FF7C5E80000

unkown

page readonly

19756FC0000

heap

page read and write

19756F30000

heap

page read and write

7FF7C5E80000

unkown

page readonly

3BE19FC000

stack

page read and write

19756F65000

heap

page read and write

19757090000

remote allocation

page read and write

3BE1DFE000

stack

page read and write

19756F8A000

heap

page read and write

19757050000

heap

page read and write

19757030000

heap

page read and write

3BE21FE000

stack

page read and write

19757090000

remote allocation

page read and write

19756F3B000

heap

page read and write

19756F63000

heap

page read and write

7FF7C5E81000

unkown

page execute read

19756FC7000

heap

page read and write

19756F36000

heap

page read and write

7FF7C5E81000

unkown

page execute read

19756F5D000

heap

page read and write

3BE13FC000

stack

page read and write

19756F9D000

heap

page read and write

19757090000

remote allocation

page read and write

19756FB7000

heap

page read and write

7FF7C5E99000

unkown

page write copy

7FF7C5E9A000

unkown

page readonly

19756F68000

heap

page read and write

19756F6C000

heap

page read and write

7FF7C5E9D000

unkown

page readonly

19756F8F000

heap

page read and write

19756FAD000

heap

page read and write

7FF7C5E99000

unkown

page read and write

197571D5000

heap

page read and write

7FF7C5E9D000

unkown

page readonly

3BE1BFD000

stack

page read and write

197571D0000

heap

page read and write

There are 29 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
demon.exe

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportdemon.exe

Processes

URLs

IPs

Memdumps

IOC Report
demon.exe