Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2944
Target ID:	0
Parent PID:	1028
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	1853952
MD5:	BC555453E167161E80E5D71952110FB8
Time:	02:01:55
Date:	26/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x3f0000
Modulesize:	4857856
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

https://occupy-blushi.sbs/api

172.67.187.240

Details

Name:	https://occupy-blushi.sbs/api
IP:	172.67.187.240
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
IP address seen in connection with other malware	Networking
Suricata IDS alerts with low severity for network traffic	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://occupy-blushi.sbs/api=

unknown

https://occupy-blushi.sbs/apiws~

unknown

https://occupy-blushi.sbs:443/apiyG

unknown

http://crl.micro

unknown

Details

Name:	http://crl.micro
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000003.2092494473.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://occupy-blushi.sbs:443/api

unknown

Details

Name:	https://occupy-blushi.sbs:443/api
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000002.2093647788.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://occupy-blushi.sbs/

unknown

Details

Name:	https://occupy-blushi.sbs/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000002.2093914762.0000000000D3B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2092494473.0000000000D3B000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

occupy-blushi.sbs

172.67.187.240

Details

Name:	occupy-blushi.sbs
IP:	172.67.187.240
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

property-imper.sbs

unknown

frogs-severz.sbs

unknown

IPs

Domain

Country

Malicious

172.67.187.240

occupy-blushi.sbs

United States

Details

IP:	172.67.187.240
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	occupy-blushi.sbs

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

4AD0000

direct allocation

page read and write

4631000

heap

page read and write

33AE000

stack

page read and write

DB4000

heap

page read and write

108F000

stack

page read and write

452E000

stack

page read and write

3F0000

unkown

page read and write

4D8E000

stack

page read and write

CD9000

heap

page read and write

38AE000

stack

page read and write

4C20000

direct allocation

page execute and read and write

DB4000

heap

page read and write

3EAF000

stack

page read and write

4AC0000

direct allocation

page read and write

44EF000

stack

page read and write

2EAE000

stack

page read and write

4631000

heap

page read and write

4C60000

direct allocation

page execute and read and write

DB4000

heap

page read and write

C60000

direct allocation

page read and write

5450000

heap

page read and write

336F000

stack

page read and write

DB4000

heap

page read and write

DB4000

heap

page read and write

4640000

heap

page read and write

CB2000

heap

page read and write

C60000

direct allocation

page read and write

39AF000

stack

page read and write

C60000

direct allocation

page read and write

2D2F000

stack

page read and write

296F000

stack

page read and write

3F1000

unkown

page execute and write copy

C7E000

heap

page read and write

4631000

heap

page read and write

412F000

stack

page read and write

449000

unkown

page execute and read and write

4631000

heap

page read and write

29AC000

stack

page read and write

C60000

direct allocation

page read and write

D2F000

heap

page read and write

C70000

heap

page read and write

4631000

heap

page read and write

500F000

stack

page read and write

6B2000

unkown

page execute and read and write

42AE000

stack

page read and write

9A0000

heap

page read and write

4C5D000

stack

page read and write

DB4000

heap

page read and write

CC1000

heap

page read and write

3F0000

unkown

page readonly

88F000

unkown

page execute and write copy

C60000

direct allocation

page read and write

3FEF000

stack

page read and write

D37000

heap

page read and write

416E000

stack

page read and write

4AC0000

direct allocation

page read and write

529E000

stack

page read and write

30EF000

stack

page read and write

D4B000

heap

page read and write

DB4000

heap

page read and write

4631000

heap

page read and write

4631000

heap

page read and write

CD8000

heap

page read and write

559F000

stack

page read and write

DAE000

stack

page read and write

4C50000

direct allocation

page execute and read and write

4C50000

direct allocation

page execute and read and write

3AEF000

stack

page read and write

DB4000

heap

page read and write

D3B000

heap

page read and write

447000

unkown

page write copy

402E000

stack

page read and write

D31000

heap

page read and write

4631000

heap

page read and write

4631000

heap

page read and write

D4C000

heap

page read and write

F8E000

stack

page read and write

4C80000

direct allocation

page execute and read and write

4631000

heap

page read and write

D3B000

heap

page read and write

38B000

stack

page read and write

2C2E000

stack

page read and write

DB4000

heap

page read and write

435000

unkown

page execute and read and write

DB4000

heap

page read and write

322F000

stack

page read and write

4631000

heap

page read and write

426F000

stack

page read and write

3C2F000

stack

page read and write

9B0000

heap

page read and write

CE4000

heap

page read and write

4A80000

heap

page read and write

4C40000

direct allocation

page execute and read and write

34EE000

stack

page read and write

C60000

direct allocation

page read and write

39EE000

stack

page read and write

C60000

direct allocation

page read and write

2AEE000

stack

page read and write

D35000

heap

page read and write

5150000

remote allocation

page read and write

6F2000

unkown

page execute and read and write

CE4000

heap

page read and write

DB4000

heap

page read and write

C60000

direct allocation

page read and write

3D6F000

stack

page read and write

4631000

heap

page read and write

2BEF000

stack

page read and write

2AAF000

stack

page read and write

D46000

heap

page read and write

35EF000

stack

page read and write

DB4000

heap

page read and write

2FEE000

stack

page read and write

D38000

heap

page read and write

C60000

direct allocation

page read and write

DB4000

heap

page read and write

3DAE000

stack

page read and write

4C50000

direct allocation

page execute and read and write

CB0000

heap

page read and write

DB4000

heap

page read and write

4631000

heap

page read and write

286E000

stack

page read and write

3F1000

unkown

page execute and read and write

DB4000

heap

page read and write

376E000

stack

page read and write

3EEE000

stack

page read and write

4C30000

direct allocation

page execute and read and write

CDA000

heap

page read and write

2FAF000

stack

page read and write

386F000

stack

page read and write

C60000

direct allocation

page read and write

C60000

direct allocation

page read and write

D49000

heap

page read and write

4B14000

direct allocation

page read and write

DB4000

heap

page read and write

DB4000

heap

page read and write

9F0000

heap

page read and write

C60000

direct allocation

page read and write

4DCD000

stack

page read and write

4B0C000

stack

page read and write

4C50000

direct allocation

page execute and read and write

5150000

remote allocation

page read and write

549E000

stack

page read and write

34AF000

stack

page read and write

C3D000

stack

page read and write

2D6E000

stack

page read and write

4631000

heap

page read and write

D3B000

heap

page read and write

540F000

stack

page read and write

4C50000

direct allocation

page execute and read and write

4631000

heap

page read and write

362E000

stack

page read and write

5D5000

unkown

page execute and read and write

4631000

heap

page read and write

6F2000

unkown

page execute and write copy

DB4000

heap

page read and write

372F000

stack

page read and write

4630000

heap

page read and write

3C6E000

stack

page read and write

514F000

stack

page read and write

CA8000

heap

page read and write

6DC000

unkown

page execute and read and write

5150000

remote allocation

page read and write

4C92000

trusted library allocation

page read and write

4C70000

direct allocation

page execute and read and write

4C50000

direct allocation

page execute and read and write

43EE000

stack

page read and write

519D000

stack

page read and write

6F3000

unkown

page execute and write copy

9FD000

heap

page read and write

99B000

stack

page read and write

4631000

heap

page read and write

4631000

heap

page read and write

4730000

trusted library allocation

page read and write

504E000

stack

page read and write

C50000

heap

page read and write

43AF000

stack

page read and write

312E000

stack

page read and write

462F000

stack

page read and write

C60000

direct allocation

page read and write

530E000

stack

page read and write

2E6F000

stack

page read and write

DB4000

heap

page read and write

3B2E000

stack

page read and write

88E000

unkown

page execute and read and write

4631000

heap

page read and write

6E3000

unkown

page execute and read and write

DB0000

heap

page read and write

4631000

heap

page read and write

D35000

heap

page read and write

C7A000

heap

page read and write

4F0E000

stack

page read and write

4ECD000

stack

page read and write

9F7000

heap

page read and write

CB8000

heap

page read and write

4C0F000

stack

page read and write

4AC0000

direct allocation

page read and write

326E000

stack

page read and write

C60000

direct allocation

page read and write

D4B000

heap

page read and write

447000

unkown

page read and write

DB4000

heap

page read and write

There are 191 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
file.exe