Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Payload.exe

"C:\Users\user\Desktop\Payload.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2660
Target ID:	0
Parent PID:	4040
Name:	Payload.exe
Path:	C:\Users\user\Desktop\Payload.exe
Commandline:	"C:\Users\user\Desktop\Payload.exe"
Size:	55808
MD5:	E3250BA3E962DDF90560E00C92659CF9
Time:	11:18:16
Date:	23/03/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x350000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://pastebin.com/raw/???

unknown

Domains

Name

Malicious

size-ingredients.gl.at.ply.gg

147.185.221.27

Details

Name:	size-ingredients.gl.at.ply.gg
IP:	147.185.221.27
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

147.185.221.27

size-ingredients.gl.at.ply.gg

United States

Details

IP:	147.185.221.27
TargetID:	0
Current Path:	C:\Users\user\Desktop\Payload.exe
Country:	United States
Countrycode:	USA
ASN number:	12087
ASN name:	SALSGIVERUS
Private:	false
Domain:	size-ingredients.gl.at.ply.gg

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER

Details

TargetID:	0
Path:	HKEY_CURRENT_USER
Value name:	di
Value data:	!

Signature Hits	Behavior Group	Mitre Attack
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Reads software policies	System Summary	System Information Discovery

HKEY_CURRENT_USER\Environment

SEE_MASK_NOZONECHECKS

HKEY_CURRENT_USER\SOFTWARE\a1cb840a8f8b330a9629751db128f43f

[kl]

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

352000

unkown

page readonly

2A7D000

trusted library allocation

page read and write

360000

unkown

page readonly

8F0000

heap

page read and write

B5A000

trusted library allocation

page execute and read and write

4C7C000

stack

page read and write

B6A000

trusted library allocation

page execute and read and write

2BB1000

trusted library allocation

page read and write

B50000

trusted library allocation

page read and write

4D30000

unclassified section

page read and write

3FA000

stack

page read and write

BC0000

heap

page read and write

865000

heap

page read and write

4BF0000

heap

page read and write

4C3B000

stack

page read and write

860000

heap

page read and write

4CB9000

stack

page read and write

6F6000

stack

page read and write

B52000

trusted library allocation

page execute and read and write

4D20000

trusted library allocation

page execute and read and write

F60000

heap

page read and write

4B10000

trusted library allocation

page read and write

350000

unkown

page readonly

2A12000

trusted library allocation

page read and write

B8B000

trusted library allocation

page execute and read and write

49FE000

stack

page read and write

2A35000

trusted library allocation

page read and write

95E000

heap

page read and write

4B20000

trusted library allocation

page execute and read and write

8AE000

stack

page read and write

D0E000

stack

page read and write

B90000

heap

page read and write

B82000

trusted library allocation

page read and write

4BDD000

stack

page read and write

4B30000

trusted library allocation

page read and write

B7A000

trusted library allocation

page execute and read and write

4BE0000

trusted library allocation

page read and write

840000

heap

page read and write

4AFE000

stack

page read and write

8FE000

heap

page read and write

B87000

trusted library allocation

page execute and read and write

29C1000

trusted library allocation

page read and write

92F000

heap

page read and write

DC0000

heap

page read and write

D18000

trusted library allocation

page read and write

B3A000

trusted library allocation

page execute and read and write

AEE000

stack

page read and write

267F000

stack

page read and write

8F8000

heap

page read and write

760000

heap

page read and write

B5C000

trusted library allocation

page execute and read and write

B20000

trusted library allocation

page read and write

B32000

trusted library allocation

page execute and read and write

B40000

heap

page execute and read and write

B67000

trusted library allocation

page execute and read and write

2A59000

trusted library allocation

page read and write

39C1000

trusted library allocation

page read and write

B72000

trusted library allocation

page execute and read and write

There are 48 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Payload.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPayload.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Payload.exe