Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\pDxGUuWkQt.exe

"C:\Users\user\Desktop\pDxGUuWkQt.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5356
Target ID:	0
Parent PID:	4084
Name:	pDxGUuWkQt.exe
Path:	C:\Users\user\Desktop\pDxGUuWkQt.exe
Commandline:	"C:\Users\user\Desktop\pDxGUuWkQt.exe"
Size:	11264
MD5:	CA40AFFC3D86CEEFD70F1E95425BE406
Time:	06:43:38
Date:	30/08/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7d9200000
Modulesize:	49152
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Communication To Uncommon Destination Ports	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4032
Target ID:	5
Parent PID:	5356
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	06:44:03
Date:	30/08/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	true
Modulebase:	0x7ff6ee680000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://120.46.149.112:8888/safekey

120.46.149.112

Details

Name:	http://120.46.149.112:8888/safekey
IP:	120.46.149.112
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\pDxGUuWkQt.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

http://120.46.149.112/&=c

unknown

http://120.46.149.112:8888/safekeyfn

unknown

http://120.46.149.112:8888/safekey9n%

unknown

IPs

Domain

Country

Malicious

120.46.149.112

unknown

China

Details

IP:	120.46.149.112
TargetID:	0
Current Path:	C:\Users\user\Desktop\pDxGUuWkQt.exe
Country:	China
Countrycode:	CHN
ASN number:	4847
ASN name:	CNIX-APChinaNetworksInter-ExchangeCN
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

2E994FF000

stack

page read and write

2E990FE000

stack

page read and write

174B96E0000

heap

page read and write

2E995FD000

stack

page read and write

2E996F8000

stack

page read and write

174B96B0000

heap

page read and write

7FF7D9201000

unkown

page execute read

2E993FE000

stack

page read and write

174B976C000

heap

page read and write

2E996FA000

stack

page read and write

2E98EFA000

stack

page read and write

174B97BB000

heap

page read and write

7FF7D9201000

unkown

page execute read

7FF7D9203000

unkown

page read and write

2E991FE000

stack

page read and write

2E992FF000

stack

page read and write

7FF7D9209000

unkown

page readonly

174B9760000

heap

page read and write

7FF7D9200000

unkown

page readonly

7FF7D9200000

unkown

page readonly

174B97C3000

heap

page read and write

7FF7D9209000

unkown

page readonly

174B97E6000

heap

page read and write

7FF7D9202000

unkown

page readonly

174B9720000

heap

page read and write

174B9725000

heap

page read and write

2E98FFE000

stack

page read and write

174B97DE000

heap

page read and write

174B96C0000

heap

page read and write

7FF7D9202000

unkown

page readonly

There are 20 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
pDxGUuWkQt.exe

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportpDxGUuWkQt.exe

Processes

URLs

IPs

Memdumps

IOC Report
pDxGUuWkQt.exe