Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Windows\SysWOW64\cmd.exe

cmd /C ""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user1\AppData\Local\Temp\5adbfgrl.cmdline""

Details

Is windows:	true
Is dropped:	false
PID:	7588
Target ID:	0
Parent PID:	744
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd /C ""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user1\AppData\Local\Temp\5adbfgrl.cmdline""
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	19:47:46
Date:	01/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Dot net compiler compiles file from suspicious location	Data Obfuscation
Sigma detected: Dynamic .NET Compilation Via Csc.EXE	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user1\AppData\Local\Temp\5adbfgrl.cmdline"

Details

Is windows:	true
Is dropped:	false
PID:	7672
Target ID:	2
Parent PID:	7588
Name:	csc.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user1\AppData\Local\Temp\5adbfgrl.cmdline"
Size:	2759232
MD5:	F65B029562077B648A6A5F6A1AA76A66
Time:	19:47:46
Date:	01/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff665c60000
Modulesize:	2781184
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Dot net compiler compiles file from suspicious location	Data Obfuscation
Compiles C# or VB.Net code	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Dynamic .NET Compilation Via Csc.EXE	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7628
Target ID:	1
Parent PID:	7588
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	19:47:46
Date:	01/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

25F89EB0000

heap

page read and write

25F89F90000

heap

page read and write

25F8A077000

heap

page read and write

CB885FE000

stack

page read and write

25F8A340000

heap

page read and write

25F89FB0000

heap

page read and write

CB883FC000

stack

page read and write

CB887FF000

stack

page read and write

25F8A070000

heap

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Processes

Memdumps