Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4152
Target ID:	1
Parent PID:	4004
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	33280
MD5:	CE69D13CB31832EBAD71933900D35458
Time:	10:30:14
Date:	27/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe80000
Modulesize:	57344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample uses string decryption to hide its real strings	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

68.178.207.33

Details

Name:	68.178.207.33
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	1
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000001.00000002.4631644230.0000000003181000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

68.178.207.33

unknown

United States

Details

IP:	68.178.207.33
TargetID:	1
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	26496
ASN name:	AS-26496-GO-DADDY-COM-LLCUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

E82000

unkown

page readonly

3181000

trusted library allocation

page read and write

14B3000

trusted library allocation

page read and write

1C74A000

stack

page read and write

1220000

heap

page read and write

13C8000

heap

page read and write

14F0000

heap

page execute and read and write

12D0000

heap

page read and write

12B0000

trusted library allocation

page read and write

1BF0F000

stack

page read and write

7FFD33CD0000

trusted library allocation

page read and write

1311000

heap

page read and write

12DC000

heap

page read and write

1C64C000

stack

page read and write

7FFD33BEC000

trusted library allocation

page execute and read and write

1C340000

heap

page read and write

1318E000

trusted library allocation

page read and write

1C14F000

heap

page read and write

7FFD33C50000

trusted library allocation

page execute and read and write

18D0000

heap

page read and write

317E000

stack

page read and write

7FFD33CE1000

trusted library allocation

page read and write

1392000

heap

page read and write

12D6000

heap

page read and write

13188000

trusted library allocation

page read and write

166E000

stack

page read and write

7FFD33B50000

trusted library allocation

page read and write

14B0000

trusted library allocation

page read and write

7FFD33B30000

trusted library allocation

page read and write

1C44C000

stack

page read and write

7FFD33B4D000

trusted library allocation

page execute and read and write

E80000

unkown

page readonly

130F000

heap

page read and write

18D5000

heap

page read and write

1BE00000

heap

page execute and read and write

7FFD33BF0000

trusted library allocation

page execute and read and write

7FFD33B33000

trusted library allocation

page execute and read and write

1240000

heap

page read and write

133D000

heap

page read and write

1313000

heap

page read and write

1560000

heap

page read and write

7FFD33B8C000

trusted library allocation

page execute and read and write

1210000

heap

page read and write

14C0000

heap

page read and write

1B505000

heap

page read and write

1343000

heap

page read and write

7FFD33B5D000

trusted library allocation

page execute and read and write

1565000

heap

page read and write

1C16A000

heap

page read and write

1C00E000

stack

page read and write

FC4000

stack

page read and write

7FFD33B54000

trusted library allocation

page read and write

1300000

heap

page read and write

12F3000

heap

page read and write

1B1B0000

trusted library allocation

page read and write

1BC00000

heap

page read and write

1BBCE000

stack

page read and write

186B000

stack

page read and write

1B70D000

stack

page read and write

7FFD33C16000

trusted library allocation

page execute and read and write

13181000

trusted library allocation

page read and write

1C15A000

heap

page read and write

7FFD33BE0000

trusted library allocation

page read and write

1C10E000

stack

page read and write

1870000

heap

page read and write

7FF45A5E0000

trusted library allocation

page execute and read and write

7FFD33B3D000

trusted library allocation

page execute and read and write

1BC03000

heap

page read and write

1260000

heap

page read and write

12FC000

heap

page read and write

1C110000

heap

page read and write

14A0000

trusted library allocation

page read and write

7FFD33B34000

trusted library allocation

page read and write

1BB8E000

stack

page read and write

1BD04000

stack

page read and write

1BB4A000

stack

page read and write

1C94C000

stack

page read and write

E80000

unkown

page readonly

7FFD33BE6000

trusted library allocation

page read and write

1C124000

heap

page read and write

7FFD33B42000

trusted library allocation

page read and write

7FFD33B40000

trusted library allocation

page read and write

176D000

stack

page read and write

There are 73 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Processes

URLs

IPs

Memdumps

IOC Report
file.exe