Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\re.exe

"C:\Users\user\Desktop\re.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7644
Target ID:	0
Parent PID:	4084
Name:	re.exe
Path:	C:\Users\user\Desktop\re.exe
Commandline:	"C:\Users\user\Desktop\re.exe"
Size:	19968
MD5:	DD22CB80ECEF115E6F102DB1FC33B99B
Time:	01:48:01
Date:	31/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff633a60000
Modulesize:	53248
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7652
Target ID:	1
Parent PID:	7644
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	01:48:01
Date:	31/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6ee680000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

IPs

Domain

Country

Malicious

87.120.113.125

unknown

Bulgaria

Details

IP:	87.120.113.125
TargetID:	0
Current Path:	C:\Users\user\Desktop\re.exe
Country:	Bulgaria
Countrycode:	BGR
ASN number:	25206
ASN name:	UNACS-AS-BG8000BurgasBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

204C92AA000

heap

page read and write

204C93B0000

heap

page read and write

7FF633A61000

unkown

page execute read

7FF633A61000

unkown

page execute read

7FF633A64000

unkown

page readonly

7FF633A63000

unkown

page write copy

7FF633A6B000

unkown

page readonly

7FF633A6B000

unkown

page readonly

7FF633A60000

unkown

page readonly

7FF633A60000

unkown

page readonly

7FF633A63000

unkown

page write copy

5CDADFD000

stack

page read and write

204C9490000

heap

page read and write

7FF633A64000

unkown

page readonly

7FF633A68000

unkown

page write copy

7FF633A68000

unkown

page read and write

204C92A0000

heap

page read and write

There are 7 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
re.exe

Processes

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportre.exe

Processes

IPs

Memdumps

IOC Report
re.exe