Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Setup.exe

"C:\Users\user\Desktop\Setup.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7284
Target ID:	0
Parent PID:	2580
Name:	Setup.exe
Path:	C:\Users\user\Desktop\Setup.exe
Commandline:	"C:\Users\user\Desktop\Setup.exe"
Size:	334848
MD5:	65C7267DC7781FD73CF0D2853B644C06
Time:	09:34:57
Date:	31/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x530000
Modulesize:	385024
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample uses string decryption to hide its real strings	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

URLs

Name

Malicious

servicedny.site

Details

Name:	servicedny.site
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Setup.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection

goalyfeastz.site

Details

Name:	goalyfeastz.site
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Setup.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection

contemteny.site

Details

Name:	contemteny.site
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Setup.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection

faulteyotk.site

Details

Name:	faulteyotk.site
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Setup.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection

drinkyresule.cyou

Details

Name:	drinkyresule.cyou
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Setup.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection

opposezmny.site

Details

Name:	opposezmny.site
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Setup.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection

seallysl.site

Details

Name:	seallysl.site
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Setup.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection

dilemmadu.site

Details

Name:	dilemmadu.site
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Setup.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection

authorisev.site

Details

Name:	authorisev.site
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Setup.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection

Memdumps

Base Address

Regiontype

Protect

Malicious

D80000

heap

page read and write

1250000

heap

page read and write

57F000

unkown

page read and write

147A000

heap

page read and write

531000

unkown

page execute read

D70000

heap

page read and write

144B000

heap

page read and write

145D000

heap

page read and write

579000

unkown

page write copy

1475000

heap

page read and write

D1C000

stack

page read and write

531000

unkown

page execute read

576000

unkown

page readonly

530000

unkown

page readonly

2D40000

heap

page read and write

576000

unkown

page readonly

589000

unkown

page readonly

579000

unkown

page write copy

DF0000

heap

page read and write

1440000

heap

page read and write

589000

unkown

page readonly

530000

unkown

page readonly

10FC000

stack

page read and write

There are 13 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Setup.exe

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSetup.exe

Processes

URLs

Memdumps

IOC Report
Setup.exe