Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7252
Target ID:	0
Parent PID:	4056
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	1868800
MD5:	D74BC004988E4677EA02431279DA1A2A
Time:	05:38:18
Date:	22/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x350000
Modulesize:	4853760
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

https://cook-rain.sbs/

unknown

Details

Name:	https://cook-rain.sbs/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000002.1340288171.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

p10tgrace.sbs

Details

Name:	p10tgrace.sbs
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	config extractor
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection

p3ar11fter.sbs

Details

Name:	p3ar11fter.sbs
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	config extractor
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection

https://cook-rain.sbs/api

104.21.66.38

Details

Name:	https://cook-rain.sbs/api
IP:	104.21.66.38
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
IP address seen in connection with other malware	Networking
Suricata IDS alerts with low severity for network traffic	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://cook-rain.sbs/api-

unknown

https://cook-rain.sbs/apiIO

unknown

peepburry828.sbs

Details

Name:	peepburry828.sbs
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	config extractor
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection

processhol.sbs

Details

Name:	processhol.sbs
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	config extractor
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection

Domains

Name

Malicious

cook-rain.sbs

104.21.66.38

Details

Name:	cook-rain.sbs
IP:	104.21.66.38
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

104.21.66.38

cook-rain.sbs

United States

Details

IP:	104.21.66.38
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	cook-rain.sbs

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

351000

unkown

page execute and read and write

E94000

heap

page read and write

1000000

heap

page read and write

2EAE000

stack

page read and write

E20000

heap

page read and write

48B1000

heap

page read and write

E94000

heap

page read and write

362E000

stack

page read and write

E94000

heap

page read and write

F70000

direct allocation

page read and write

104C000

heap

page read and write

E94000

heap

page read and write

E94000

heap

page read and write

60B000

unkown

page execute and read and write

585E000

stack

page read and write

350000

unkown

page read and write

FE7000

heap

page read and write

E94000

heap

page read and write

1062000

heap

page read and write

F70000

direct allocation

page read and write

48B1000

heap

page read and write

2BE0000

heap

page read and write

557E000

stack

page read and write

F70000

direct allocation

page read and write

48B1000

heap

page read and write

3DAE000

stack

page read and write

E94000

heap

page read and write

2E6F000

stack

page read and write

E94000

heap

page read and write

350000

unkown

page readonly

10BE000

stack

page read and write

F70000

direct allocation

page read and write

402E000

stack

page read and write

462F000

stack

page read and write

48B1000

heap

page read and write

52CE000

stack

page read and write

73CF0000

unkown

page readonly

105F000

heap

page read and write

43AF000

stack

page read and write

567E000

stack

page read and write

4EA0000

direct allocation

page execute and read and write

7EE000

unkown

page execute and write copy

47AE000

stack

page read and write

3C6E000

stack

page read and write

44EF000

stack

page read and write

E94000

heap

page read and write

73D06000

unkown

page readonly

48B1000

heap

page read and write

64F000

unkown

page execute and write copy

39AF000

stack

page read and write

322F000

stack

page read and write

466E000

stack

page read and write

E90000

heap

page read and write

326E000

stack

page read and write

E94000

heap

page read and write

FD1000

heap

page read and write

596E000

stack

page read and write

4D50000

direct allocation

page read and write

F70000

direct allocation

page read and write

48B1000

heap

page read and write

64E000

unkown

page execute and write copy

11BE000

stack

page read and write

518E000

stack

page read and write

F80000

heap

page read and write

48B1000

heap

page read and write

500D000

stack

page read and write

E94000

heap

page read and write

543E000

stack

page read and write

53D0000

remote allocation

page read and write

ABB000

stack

page read and write

376E000

stack

page read and write

48B1000

heap

page read and write

3D6F000

stack

page read and write

2ADE000

stack

page read and write

2FEE000

stack

page read and write

F70000

direct allocation

page read and write

1049000

heap

page read and write

E80000

heap

page read and write

4ED0000

direct allocation

page execute and read and write

4EE0000

direct allocation

page execute and read and write

57EF000

stack

page read and write

64E000

unkown

page execute and read and write

BBB000

stack

page read and write

452E000

stack

page read and write

2BDF000

stack

page read and write

F70000

direct allocation

page read and write

E94000

heap

page read and write

48B1000

heap

page read and write

33AE000

stack

page read and write

4D94000

direct allocation

page read and write

E94000

heap

page read and write

336F000

stack

page read and write

3FEE000

stack

page read and write

56EE000

stack

page read and write

E94000

heap

page read and write

53CE000

stack

page read and write

F70000

direct allocation

page read and write

48B1000

heap

page read and write

48AF000

stack

page read and write

4D00000

heap

page read and write

2D6E000

stack

page read and write

48B1000

heap

page read and write

12FE000

stack

page read and write

11FE000

stack

page read and write

F70000

direct allocation

page read and write

73D0F000

unkown

page readonly

4EF0000

direct allocation

page execute and read and write

5860000

heap

page read and write

2BED000

heap

page read and write

4ED0000

direct allocation

page execute and read and write

3B2E000

stack

page read and write

2FAF000

stack

page read and write

553F000

stack

page read and write

E94000

heap

page read and write

E30000

heap

page read and write

4ED0000

direct allocation

page execute and read and write

F70000

direct allocation

page read and write

FBF000

heap

page read and write

E94000

heap

page read and write

351000

unkown

page execute and write copy

3A7000

unkown

page read and write

1044000

heap

page read and write

48B1000

heap

page read and write

49B0000

trusted library allocation

page read and write

4E8F000

stack

page read and write

38AE000

stack

page read and write

1053000

heap

page read and write

528F000

stack

page read and write

395000

unkown

page execute and read and write

504E000

stack

page read and write

39EE000

stack

page read and write

48B1000

heap

page read and write

34EE000

stack

page read and write

3EEE000

stack

page read and write

48B1000

heap

page read and write

E94000

heap

page read and write

E94000

heap

page read and write

4D40000

direct allocation

page read and write

4F17000

trusted library allocation

page read and write

1002000

heap

page read and write

2D2F000

stack

page read and write

1061000

heap

page read and write

312E000

stack

page read and write

372F000

stack

page read and write

53D0000

remote allocation

page read and write

4D40000

direct allocation

page read and write

30EF000

stack

page read and write

53D0000

remote allocation

page read and write

638000

unkown

page execute and read and write

34AF000

stack

page read and write

4ED0000

direct allocation

page execute and read and write

F8A000

heap

page read and write

48B1000

heap

page read and write

73D0D000

unkown

page read and write

3A9000

unkown

page execute and read and write

1046000

heap

page read and write

412F000

stack

page read and write

4D40000

direct allocation

page read and write

FF3000

heap

page read and write

73CF1000

unkown

page execute read

4F00000

direct allocation

page execute and read and write

42AE000

stack

page read and write

52C000

unkown

page execute and read and write

F70000

direct allocation

page read and write

7ED000

unkown

page execute and read and write

48B1000

heap

page read and write

48B0000

heap

page read and write

476F000

stack

page read and write

E94000

heap

page read and write

F8E000

heap

page read and write

3AEF000

stack

page read and write

4EDD000

stack

page read and write

514D000

stack

page read and write

3EAF000

stack

page read and write

4EC0000

direct allocation

page execute and read and write

F70000

direct allocation

page read and write

386F000

stack

page read and write

48B1000

heap

page read and write

48B1000

heap

page read and write

FC8000

heap

page read and write

1045000

heap

page read and write

43EE000

stack

page read and write

104C000

heap

page read and write

426F000

stack

page read and write

F70000

direct allocation

page read and write

4EB0000

direct allocation

page execute and read and write

2BE7000

heap

page read and write

48B1000

heap

page read and write

4ED0000

direct allocation

page execute and read and write

E94000

heap

page read and write

35EF000

stack

page read and write

FB7000

heap

page read and write

63F000

unkown

page execute and read and write

3A7000

unkown

page write copy

3C2F000

stack

page read and write

416E000

stack

page read and write

4ED0000

direct allocation

page execute and read and write

105A000

heap

page read and write

1053000

heap

page read and write

F70000

direct allocation

page read and write

4D8C000

stack

page read and write

2C2C000

stack

page read and write

There are 192 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
file.exe