Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe

"C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6704
Target ID:	0
Parent PID:	3084
Name:	25FC004658_Femetagershusenes.exe
Path:	C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe
Commandline:	"C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe"
Size:	615450
MD5:	77221F5F2A4984872389759B83446A62
Time:	23:16:25
Date:	27/03/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	462848
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe

"C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5000
Target ID:	5
Parent PID:	6704
Name:	IMCCPHR.exe
Path:	C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
Commandline:	"C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe"
Size:	395776
MD5:	69A21227EB75F9100BAFD6CE573A1DC0
Time:	23:19:09
Date:	27/03/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x770000
Modulesize:	409600
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Creates a thread in another existing process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: New RUN Key Pointing to Suspicious Folder	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

parosh.didns.ru

https://www.dropbox.com/service_worker.js

unknown

https://uc4e0071989a2933c6cc78579974.dl.dropboxusercontent.com/6t

unknown

https://paper.dropbox.com/

unknown

https://www.hellofax.com/

unknown

https://pal-test.adyen.com

unknown

https://paper.dropbox.com/cloud-docs/edit

unknown

https://uc4e0071989a2933c6cc78579974.dl.dropboxusercontent.com/

unknown

https://app.hellosign.com/

unknown

https://www.dropbox.com/S

unknown

https://www.hellosign.com/

unknown

https://instructorledlearning.dropboxbusiness.com/

unknown

https://www.dropbox.com/

unknown

https://uc4e0071989a2933c6cc78579974.dl.dropboxusercontent.com/R

unknown

https://www.dropbox.com/pithos/

unknown

https://sales.dropboxbusiness.com/

unknown

https://photos.dropbox.com/

unknown

https://a.sprig.com/

unknown

https://www.docsend.com/

unknown

https://www.dropbox.com/scl/fi/0jhi0626x7zqfgid1v9te/UjzebvskPbXnryFB92.bin?rlkey=65dc2nu7arz5szq4ev

unknown

https://www.dropbox.com/encrypted_folder_download/service_worker.js

unknown

http://geoplugin.net/json.gp/C

unknown

https://navi.dropbox.jp/

unknown

https://www.dropbox.com/static/api/

unknown

https://uc4e0071989a2933c6cc78579974.dl.dropboxusercontent.com/cd/0/get/CmsIyjcNSqE9pfci-uOQ5iPpUwth

unknown

https://www.dropboxstatic.com/static/

unknown

https://www.dropbox.com/csp_log?policy_name=metaserver-dynamic

unknown

https://officeapps-df.live.com

unknown

https://api.login.yahoo.com/

unknown

https://uc4e0071989a2933c6cc78579974.dl.dropboxusercontent.com/7

unknown

https://login.yahoo.com/

unknown

https://docsend.com/

unknown

https://www.dropbox.com/playlist/

unknown

https://onedrive.live.com/picker

unknown

https://showcase.dropbox.com/

unknown

https://www.dropbox.com/static/serviceworker/

unknown

https://uc4e0071989a2933c6cc78579974.dl.dropboxusercontent.com/(

unknown

https://www.dropbox.com/scl/fi/0jhi0626x7zqfgid1v9te/UjzebvskPbXnryFB92.bin?rlkey=65dc2nu7arz5szq4evadjxcxz&st=xm70zo43&dl=1

162.125.6.18

http://nsis.sf.net/NSIS_ErrorError

unknown

https://www.dropbox.com/v/s/playlist/

unknown

https://docs.sandbox.google.com/document/fsip/

unknown

https://docs.sandbox.google.com/spreadsheets/fsip/

unknown

https://uc4e0071989a2933c6cc78579974.dl.dropboxusercontent.com/rtK

unknown

https://apis.google.com/js/

unknown

https://docs.google.com/document/fsip/

unknown

https://help.dropbox.com/

unknown

https://docs.google.com/presentation/fsip/

unknown

https://canny.io/sdk.js

unknown

https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/

unknown

https://selfguidedlearning.dropboxbusiness.com/

unknown

https://docs.sandbox.google.com/presentation/fsip/

unknown

https://dl-web.dropbox.com/

unknown

https://help.dropbox.coKh$

unknown

https://app.hellofax.com/

unknown

https://cfl.dropboxstatic.com/static/

unknown

https://www.paypal.com/sdk/js

unknown

https://docs.google.com/spreadsheets/fsip/

unknown

https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist

unknown

There are 48 hidden URLs, click here to show them.

Domains

Name

Malicious

uc4e0071989a2933c6cc78579974.dl.dropboxusercontent.com

unknown

Details

Name:	uc4e0071989a2933c6cc78579974.dl.dropboxusercontent.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

edge-block-www-env.dropbox-dns.com

162.125.6.15

www-env.dropbox-dns.com

162.125.6.18

Details

Name:	www-env.dropbox-dns.com
IP:	162.125.6.18
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

www.dropbox.com

unknown

Details

Name:	www.dropbox.com
TargetID:	-1
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found strings which match to known social media urls	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

162.125.6.15

edge-block-www-env.dropbox-dns.com

United States

Details

IP:	162.125.6.15
TargetID:	5
Current Path:	C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
Country:	United States
Countrycode:	USA
ASN number:	19679
ASN name:	DROPBOXUS
Private:	false
Domain:	edge-block-www-env.dropbox-dns.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

162.125.6.18

www-env.dropbox-dns.com

United States

Details

IP:	162.125.6.18
TargetID:	5
Current Path:	C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
Country:	United States
Countrycode:	USA
ASN number:	19679
ASN name:	DROPBOXUS
Private:	false
Domain:	www-env.dropbox-dns.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Omsadlings

Details

TargetID:	5
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value name:	Omsadlings
Value data:	C:\Users\user\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: New RUN Key Pointing to Suspicious Folder	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

HKEY_CURRENT_USER\febervildelser\Uninstall\Koma204

colorifics

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

8A4C000

direct allocation

page execute and read and write

AA30000

trusted library allocation

page read and write

760C000

remote allocation

page execute and read and write

389DF000

stack

page read and write

2450000

heap

page read and write

490000

direct allocation

page read and write

9122000

heap

page read and write

31A0000

heap

page read and write

8F60000

direct allocation

page read and write

408000

unkown

page readonly

9020000

direct allocation

page read and write

10000000

unkown

page readonly

38B1D000

stack

page read and write

9030000

direct allocation

page read and write

4260000

remote allocation

page execute and read and write

4D0000

direct allocation

page read and write

38D2E000

stack

page read and write

8FC5000

heap

page read and write

38D6F000

stack

page read and write

9170000

direct allocation

page read and write

3899E000

stack

page read and write

20D0000

heap

page read and write

770000

direct allocation

page read and write

38ADE000

stack

page read and write

9040000

direct allocation

page read and write

800C000

remote allocation

page execute and read and write

10001000

unkown

page execute read

913A000

heap

page read and write

9129000

heap

page read and write

38C4E000

stack

page read and write

9180000

direct allocation

page read and write

2280000

heap

page read and write

408000

unkown

page readonly

9129000

heap

page read and write

90E6000

heap

page read and write

913A000

heap

page read and write

8E70000

heap

page read and write

38BF0000

heap

page read and write

9141000

heap

page read and write

510000

heap

page read and write

560000

heap

page read and write

8F70000

direct allocation

page read and write

4E0C000

remote allocation

page execute and read and write

40A000

unkown

page write copy

9010000

direct allocation

page read and write

9108000

heap

page read and write

9121000

heap

page read and write

500000

direct allocation

page read and write

91FE000

stack

page read and write

3740000

trusted library allocation

page read and write

9270000

heap

page read and write

2289000

heap

page read and write

550000

heap

page read and write

90E5000

heap

page read and write

580C000

remote allocation

page execute and read and write

5AD000

heap

page read and write

8FC0000

heap

page read and write

90B7000

heap

page read and write

9070000

heap

page read and write

42D000

unkown

page read and write

944C000

direct allocation

page execute and read and write

8A0C000

remote allocation

page execute and read and write

400000

unkown

page readonly

9141000

heap

page read and write

456000

unkown

page readonly

6C4C000

direct allocation

page execute and read and write

9122000

heap

page read and write

401000

unkown

page execute read

8FE0000

direct allocation

page read and write

6C0C000

remote allocation

page execute and read and write

923E000

stack

page read and write

760000

direct allocation

page read and write

9078000

heap

page read and write

5A9000

heap

page read and write

8F80000

direct allocation

page read and write

38CF0000

remote allocation

page read and write

620C000

remote allocation

page execute and read and write

624C000

direct allocation

page execute and read and write

4A0000

direct allocation

page read and write

5B1000

heap

page read and write

440C000

remote allocation

page execute and read and write

90E9000

heap

page read and write

764C000

direct allocation

page execute and read and write

90D2000

heap

page read and write

584C000

direct allocation

page execute and read and write

8F90000

heap

page read and write

98000

stack

page read and write

38C8F000

stack

page read and write

9129000

heap

page read and write

9108000

heap

page read and write

8DFC000

stack

page read and write

790000

direct allocation

page read and write

456000

unkown

page readonly

2270000

heap

page read and write

38B5C000

stack

page read and write

5CD000

heap

page read and write

400000

unkown

page readonly

38A1E000

stack

page read and write

8FD0000

direct allocation

page read and write

592000

heap

page read and write

480000

heap

page read and write

36B0000

heap

page read and write

804C000

direct allocation

page execute and read and write

2274000

heap

page read and write

42B000

unkown

page read and write

8FF0000

direct allocation

page read and write

38B9E000

stack

page read and write

4B0000

direct allocation

page read and write

427000

unkown

page read and write

91B0000

direct allocation

page read and write

31EC000

stack

page read and write

27AB000

heap

page read and write

9129000

heap

page read and write

435000

unkown

page read and write

32EC000

stack

page read and write

9000000

direct allocation

page read and write

19A000

stack

page read and write

9142000

heap

page read and write

422000

unkown

page read and write

8FB0000

heap

page readonly

90E5000

heap

page read and write

38BDF000

stack

page read and write

7B0000

direct allocation

page read and write

10003000

unkown

page readonly

AA20000

trusted library allocation

page read and write

740000

direct allocation

page read and write

4E0000

direct allocation

page read and write

9E4C000

direct allocation

page execute and read and write

595000

heap

page read and write

56A0000

direct allocation

page execute and read and write

730000

direct allocation

page read and write

780000

direct allocation

page read and write

4C0000

direct allocation

page read and write

4F0000

direct allocation

page read and write

555000

heap

page read and write

9124000

heap

page read and write

38A9D000

stack

page read and write

7A0000

direct allocation

page read and write

90DE000

heap

page read and write

59A000

heap

page read and write

9060000

direct allocation

page read and write

454000

unkown

page read and write

8E3B000

stack

page read and write

38A5F000

stack

page read and write

10012000

trusted library allocation

page read and write

10005000

unkown

page readonly

38CF0000

remote allocation

page read and write

5D5000

heap

page read and write

750000

direct allocation

page read and write

5C7000

heap

page read and write

40A000

unkown

page read and write

2285000

heap

page read and write

38CF0000

remote allocation

page read and write

9108000

heap

page read and write

401000

unkown

page execute read

568000

heap

page read and write

8F50000

direct allocation

page read and write

There are 147 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
25FC004658_Femetagershusenes.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report25FC004658_Femetagershusenes.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
25FC004658_Femetagershusenes.exe