Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://phisher-parts-production-us-east-1.s3.amazonaws.com/da08a569-c476-4c06-9e6f-9e3c8ae51232/2024-10-03/6vlqsq0ea94qi8rth4tp24je96k0dmndp8mrv081/4800d67e9c2c9b1c9b33e5072a3a4d3590a0f2a7c85332a08f56f93ba90730df?response-content-disposition=attachment%3B%20filename%3D%2215009518.tif%22%3B%20filename%2A%3DUTF-8%27%2715009518.tif&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QBKQZ3X6K%2F20241004%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241004T130300Z&X-Amz-Expires=20166&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEI3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIDbW0ksT3kpFTNmdUCSlFAfWS8tve21ITgXdvedLvrBsAiEAjwTn8R9LuIHi9v2IUGcvynJ3u75fZePpg%2Fb7j8YBKfwqiAQI1v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw4MjMxOTMyNjU4MjQiDAaDG9BVYOPBSHu6TCrcA9jgSDwvR9kC3YEyJ%2BUj76%2B7ozV3IRDwuyAxYIRLInLLpzpFae%2BG7%2FN6hZIYntHvG0RTeaQu8gqTH9RMNxceYkMtryExakSeTn6EyV0rGw1nrz2nnuB%2BvQv2tBhO5g%2FDVEKGIAkBHGXqzCn7l8sitWAQGOFLntTEo8BRSSxLlZhyFKa6r0DTJWA2HRoAMXhvc3e0H%2BZGBW5HnLqIrE6mXeNgar8r7Ix3qP8bgDuIgWYB7BFixCDXcARA6UNqlB9JpI%2BNOzUzOr0g0AWnhyxmqUWBAPUtN2GsQIj%2F5NWAcXL7IJmnBVnmjPE3cIE19Z0sPyPwecimhXPV%2F3452vlugUGuyA%2BUCpqO6E0uatRty3%2FJWz5PcMFLXAopfdfO7IsOTk15zFHXOajtRqzCHv%2BIdRY2SnMY%2Bj5M%2BR88dqdl0%2FxMG%2BUGX5ApvpElUc3M5tH3Jy6fFHsSCBXVkBMt6jnBZWvJ%2BjWo%2BndZwoGdolsb9RuxU6LebmB8OguaOjxxF1r%2F23i5GLeyKLN8YLjUskJC56144IEpXs8YyGkpPsWw%2BEW2kK86Pa5d%2BtwXe9IioLos6ixB2GhVujVEx%2FpUEs%2FZT588Z76kuoFvhwHWwJQIHEh%2F4gtLz%2F3fGY7%2BAhKuMOrD%2F7cGOqUBFB1cCMjdqrpYzbQJl2m6RTmIUSrbFcnAuWFndE8tYoIxIeSc76oacoRCg3jQ4gXh3OQ9iaQuEBSG75w4RLP2uhktT%2BYfgY7mvU0ELQrSRvY6pIle4m6GIQmDHmtX1PTKRLZeS%2Fw2IGtJclWysxcCoXM155PfDM3KgcZhcxplk6YDOxky4u541EsuhZhklnOgutd%2FWYe2whdvHI4RzpQa9k8KEhDi&X-Amz-SignedHeaders=host&X-Amz-Signature=ece90186affc7b0a60310ade8e3c5cdb107dc9de5c37bc91dd97a78b3d4097d0" > cmdline.out 2>&1

Details

Is windows:	true
Is dropped:	false
PID:	7768
Target ID:	0
Parent PID:	4676
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://phisher-parts-production-us-east-1.s3.amazonaws.com/da08a569-c476-4c06-9e6f-9e3c8ae51232/2024-10-03/6vlqsq0ea94qi8rth4tp24je96k0dmndp8mrv081/4800d67e9c2c9b1c9b33e5072a3a4d3590a0f2a7c85332a08f56f93ba90730df?response-content-disposition=attachment%3B%20filename%3D%2215009518.tif%22%3B%20filename%2A%3DUTF-8%27%2715009518.tif&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QBKQZ3X6K%2F20241004%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241004T130300Z&X-Amz-Expires=20166&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEI3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIDbW0ksT3kpFTNmdUCSlFAfWS8tve21ITgXdvedLvrBsAiEAjwTn8R9LuIHi9v2IUGcvynJ3u75fZePpg%2Fb7j8YBKfwqiAQI1v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw4MjMxOTMyNjU4MjQiDAaDG9BVYOPBSHu6TCrcA9jgSDwvR9kC3YEyJ%2BUj76%2B7ozV3IRDwuyAxYIRLInLLpzpFae%2BG7%2FN6hZIYntHvG0RTeaQu8gqTH9RMNxceYkMtryExakSeTn6EyV0rGw1nrz2nnuB%2BvQv2tBhO5g%2FDVEKGIAkBHGXqzCn7l8sitWAQGOFLntTEo8BRSSxLlZhyFKa6r0DTJWA2HRoAMXhvc3e0H%2BZGBW5HnLqIrE6mXeNgar8r7Ix3qP8bgDuIgWYB7BFixCDXcARA6UNqlB9JpI%2BNOzUzOr0g0AWnhyxmqUWBAPUtN2GsQIj%2F5NWAcXL7IJmnBVnmjPE3cIE19Z0sPyPwecimhXPV%2F3452vlugUGuyA%2BUCpqO6E0uatRty3%2FJWz5PcMFLXAopfdfO7IsOTk15zFHXOajtRqzCHv%2BIdRY2SnMY%2Bj5M%2BR88dqdl0%2FxMG%2BUGX5ApvpElUc3M5tH3Jy6fFHsSCBXVkBMt6jnBZWvJ%2BjWo%2BndZwoGdolsb9RuxU6LebmB8OguaOjxxF1r%2F23i5GLeyKLN8YLjUskJC56144IEpXs8YyGkpPsWw%2BEW2kK86Pa5d%2BtwXe9IioLos6ixB2GhVujVEx%2FpUEs%2FZT588Z76kuoFvhwHWwJQIHEh%2F4gtLz%2F3fGY7%2BAhKuMOrD%2F7cGOqUBFB1cCMjdqrpYzbQJl2m6RTmIUSrbFcnAuWFndE8tYoIxIeSc76oacoRCg3jQ4gXh3OQ9iaQuEBSG75w4RLP2uhktT%2BYfgY7mvU0ELQrSRvY6pIle4m6GIQmDHmtX1PTKRLZeS%2Fw2IGtJclWysxcCoXM155PfDM3KgcZhcxplk6YDOxky4u541EsuhZhklnOgutd%2FWYe2whdvHI4RzpQa9k8KEhDi&X-Amz-SignedHeaders=host&X-Amz-Signature=ece90186affc7b0a60310ade8e3c5cdb107dc9de5c37bc91dd97a78b3d4097d0" > cmdline.out 2>&1
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	09:05:52
Date:	04/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd70000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7780
Target ID:	1
Parent PID:	7768
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:05:52
Date:	04/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff620390000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\wget.exe

wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://phisher-parts-production-us-east-1.s3.amazonaws.com/da08a569-c476-4c06-9e6f-9e3c8ae51232/2024-10-03/6vlqsq0ea94qi8rth4tp24je96k0dmndp8mrv081/4800d67e9c2c9b1c9b33e5072a3a4d3590a0f2a7c85332a08f56f93ba90730df?response-content-disposition=attachment%3B%20filename%3D%2215009518.tif%22%3B%20filename%2A%3DUTF-8%27%2715009518.tif&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QBKQZ3X6K%2F20241004%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241004T130300Z&X-Amz-Expires=20166&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEI3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIDbW0ksT3kpFTNmdUCSlFAfWS8tve21ITgXdvedLvrBsAiEAjwTn8R9LuIHi9v2IUGcvynJ3u75fZePpg%2Fb7j8YBKfwqiAQI1v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw4MjMxOTMyNjU4MjQiDAaDG9BVYOPBSHu6TCrcA9jgSDwvR9kC3YEyJ%2BUj76%2B7ozV3IRDwuyAxYIRLInLLpzpFae%2BG7%2FN6hZIYntHvG0RTeaQu8gqTH9RMNxceYkMtryExakSeTn6EyV0rGw1nrz2nnuB%2BvQv2tBhO5g%2FDVEKGIAkBHGXqzCn7l8sitWAQGOFLntTEo8BRSSxLlZhyFKa6r0DTJWA2HRoAMXhvc3e0H%2BZGBW5HnLqIrE6mXeNgar8r7Ix3qP8bgDuIgWYB7BFixCDXcARA6UNqlB9JpI%2BNOzUzOr0g0AWnhyxmqUWBAPUtN2GsQIj%2F5NWAcXL7IJmnBVnmjPE3cIE19Z0sPyPwecimhXPV%2F3452vlugUGuyA%2BUCpqO6E0uatRty3%2FJWz5PcMFLXAopfdfO7IsOTk15zFHXOajtRqzCHv%2BIdRY2SnMY%2Bj5M%2BR88dqdl0%2FxMG%2BUGX5ApvpElUc3M5tH3Jy6fFHsSCBXVkBMt6jnBZWvJ%2BjWo%2BndZwoGdolsb9RuxU6LebmB8OguaOjxxF1r%2F23i5GLeyKLN8YLjUskJC56144IEpXs8YyGkpPsWw%2BEW2kK86Pa5d%2BtwXe9IioLos6ixB2GhVujVEx%2FpUEs%2FZT588Z76kuoFvhwHWwJQIHEh%2F4gtLz%2F3fGY7%2BAhKuMOrD%2F7cGOqUBFB1cCMjdqrpYzbQJl2m6RTmIUSrbFcnAuWFndE8tYoIxIeSc76oacoRCg3jQ4gXh3OQ9iaQuEBSG75w4RLP2uhktT%2BYfgY7mvU0ELQrSRvY6pIle4m6GIQmDHmtX1PTKRLZeS%2Fw2IGtJclWysxcCoXM155PfDM3KgcZhcxplk6YDOxky4u541EsuhZhklnOgutd%2FWYe2whdvHI4RzpQa9k8KEhDi&X-Amz-SignedHeaders=host&X-Amz-Signature=ece90186affc7b0a60310ade8e3c5cdb107dc9de5c37bc91dd97a78b3d4097d0"

Details

Is windows:	true
Is dropped:	false
PID:	7864
Target ID:	2
Parent PID:	7768
Name:	wget.exe
Path:	C:\Windows\SysWOW64\wget.exe
Commandline:	wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://phisher-parts-production-us-east-1.s3.amazonaws.com/da08a569-c476-4c06-9e6f-9e3c8ae51232/2024-10-03/6vlqsq0ea94qi8rth4tp24je96k0dmndp8mrv081/4800d67e9c2c9b1c9b33e5072a3a4d3590a0f2a7c85332a08f56f93ba90730df?response-content-disposition=attachment%3B%20filename%3D%2215009518.tif%22%3B%20filename%2A%3DUTF-8%27%2715009518.tif&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QBKQZ3X6K%2F20241004%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241004T130300Z&X-Amz-Expires=20166&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEI3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIDbW0ksT3kpFTNmdUCSlFAfWS8tve21ITgXdvedLvrBsAiEAjwTn8R9LuIHi9v2IUGcvynJ3u75fZePpg%2Fb7j8YBKfwqiAQI1v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw4MjMxOTMyNjU4MjQiDAaDG9BVYOPBSHu6TCrcA9jgSDwvR9kC3YEyJ%2BUj76%2B7ozV3IRDwuyAxYIRLInLLpzpFae%2BG7%2FN6hZIYntHvG0RTeaQu8gqTH9RMNxceYkMtryExakSeTn6EyV0rGw1nrz2nnuB%2BvQv2tBhO5g%2FDVEKGIAkBHGXqzCn7l8sitWAQGOFLntTEo8BRSSxLlZhyFKa6r0DTJWA2HRoAMXhvc3e0H%2BZGBW5HnLqIrE6mXeNgar8r7Ix3qP8bgDuIgWYB7BFixCDXcARA6UNqlB9JpI%2BNOzUzOr0g0AWnhyxmqUWBAPUtN2GsQIj%2F5NWAcXL7IJmnBVnmjPE3cIE19Z0sPyPwecimhXPV%2F3452vlugUGuyA%2BUCpqO6E0uatRty3%2FJWz5PcMFLXAopfdfO7IsOTk15zFHXOajtRqzCHv%2BIdRY2SnMY%2Bj5M%2BR88dqdl0%2FxMG%2BUGX5ApvpElUc3M5tH3Jy6fFHsSCBXVkBMt6jnBZWvJ%2BjWo%2BndZwoGdolsb9RuxU6LebmB8OguaOjxxF1r%2F23i5GLeyKLN8YLjUskJC56144IEpXs8YyGkpPsWw%2BEW2kK86Pa5d%2BtwXe9IioLos6ixB2GhVujVEx%2FpUEs%2FZT588Z76kuoFvhwHWwJQIHEh%2F4gtLz%2F3fGY7%2BAhKuMOrD%2F7cGOqUBFB1cCMjdqrpYzbQJl2m6RTmIUSrbFcnAuWFndE8tYoIxIeSc76oacoRCg3jQ4gXh3OQ9iaQuEBSG75w4RLP2uhktT%2BYfgY7mvU0ELQrSRvY6pIle4m6GIQmDHmtX1PTKRLZeS%2Fw2IGtJclWysxcCoXM155PfDM3KgcZhcxplk6YDOxky4u541EsuhZhklnOgutd%2FWYe2whdvHI4RzpQa9k8KEhDi&X-Amz-SignedHeaders=host&X-Amz-Signature=ece90186affc7b0a60310ade8e3c5cdb107dc9de5c37bc91dd97a78b3d4097d0"
Size:	3895184
MD5:	3DADB6E2ECE9C4B3E1E322E617658B60
Time:	09:05:52
Date:	04/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	3956736
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://phisher-parts-production-us-east-1.s3.amazonaws.com/da08a569-c476-4c06-9e6f-9e3c8ae51232/2024-10-03/6vlqsq0ea94qi8rth4tp24je96k0dmndp8mrv081/4800d67e9c2c9b1c9b33e5072a3a4d3590a0f2a7c85332a08f56f93ba90730df?response-content-disposition=attachment%3B%20filename%3D%2215009518.tif%22%3B%20filename%2A%3DUTF-8%27%2715009518.tif&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QBKQZ3X6K%2F20241004%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241004T130300Z&X-Amz-Expires=20166&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEI3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIDbW0ksT3kpFTNmdUCSlFAfWS8tve21ITgXdvedLvrBsAiEAjwTn8R9LuIHi9v2IUGcvynJ3u75fZePpg%2Fb7j8YBKfwqiAQI1v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw4MjMxOTMyNjU4MjQiDAaDG9BVYOPBSHu6TCrcA9jgSDwvR9kC3YEyJ%2BUj76%2B7ozV3IRDwuyAxYIRLInLLpzpFae%2BG7%2FN6hZIYntHvG0RTeaQu8gqTH9RMNxceYkMtryExakSeTn6EyV0rGw1nrz2nnuB%2BvQv2tBhO5g%2FDVEKGIAkBHGXqzCn7l8sitWAQGOFLntTEo8BRSSxLlZhyFKa6r0DTJWA2HRoAMXhvc3e0H%2BZGBW5HnLqIrE6mXeNgar8r7Ix3qP8bgDuIgWYB7BFixCDXcARA6UNqlB9JpI%2BNOzUzOr0g0AWnhyxmqUWBAPUtN2GsQIj%2F5NWAcXL7IJmnBVnmjPE3cIE19Z0sPyPwecimhXPV%2F3452vlugUGuyA%2BUCpqO6E0uatRty3%2FJWz5PcMFLXAopfdfO7IsOTk15zFHXOajtRqzCHv%2BIdRY2SnMY%2Bj5M%2BR88dqdl0%2FxMG%2BUGX5ApvpElUc3M5tH3Jy6fFHsSCBXVkBMt6jnBZWvJ%2BjWo%2BndZwoGdolsb9RuxU6LebmB8OguaOjxxF1r%2F23i5GLeyKLN8YLjUskJC56144IEpXs8YyGkpPsWw%2BEW2kK86Pa5d%2BtwXe9IioLos6ixB2GhVujVEx%2FpUEs%2FZT588Z76kuoFvhwHWwJQIHEh%2F4gtLz%2F3fGY7%2BAhKuMOrD%2F7cGOqUBFB1cCMjdqrpYzbQJl2m6RTmIUSrbFcnAuWFndE8tYoIxIeSc76oacoRCg3jQ4gXh3OQ9iaQuEBSG75w4RLP2uhktT%2BYfgY7mvU0ELQrSRvY6pIle4m6GIQmDHmtX1PTKRLZeS%2Fw2IGtJclWysxcCoXM155PfDM3KgcZhcxplk6YDOxky4u541EsuhZhklnOgutd%2FWYe2whdvHI4RzpQa9k8KEhDi&X-Amz-SignedHeaders=host&X-Amz-Signature=ece90186affc7b0a60310ade8e3c5cdb107dc9de5c37bc91dd97a78b3d4097d0

Details

Filetype:

URL

Filename:

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion
Very long command line found	System Summary	Command and Scripting Interpreter
Classification label	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Downloads files from webservers via HTTP	Networking	Ingress Tool Transfer
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Performs DNS lookups	Networking	Non-Application Layer Protocol Application Layer Protocol
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses HTTPS	Networking	Encrypted Channel
Uses an in-process (OLE) Automation server	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://phisher-parts-production-us-east-1.s3.amazonaws.com/da08a569-c476-4c06-9e6f-9e3c8ae51232/202

unknown

Details

Name:	https://phisher-parts-production-us-east-1.s3.amazonaws.com/da08a569-c476-4c06-9e6f-9e3c8ae51232/202
TargetID:	-1
From Memory:	true
Source:	wget.exe, 00000002.00000002.1399223662.0000000002B22000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.1399087579.0000000000A60000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.1399271092.0000000002B5B000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

Domains

Name

Malicious

s3-w.us-east-1.amazonaws.com

52.217.68.220

15.164.165.52.in-addr.arpa

unknown

phisher-parts-production-us-east-1.s3.amazonaws.com

unknown

Details

Name:	phisher-parts-production-us-east-1.s3.amazonaws.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

52.217.68.220

s3-w.us-east-1.amazonaws.com

United States

Details

IP:	52.217.68.220
TargetID:	2
Current Path:	C:\Windows\SysWOW64\wget.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false
Domain:	s3-w.us-east-1.amazonaws.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

2B46000

heap

page read and write

100000

heap

page read and write

1C0000

heap

page read and write

2B15000

heap

page read and write

A30000

heap

page read and write

2B12000

heap

page read and write

150000

heap

page read and write

2B1F000

heap

page read and write

1AE000

stack

page read and write

2E0F000

stack

page read and write

102F000

stack

page read and write

2E40000

heap

page read and write

2B5B000

heap

page read and write

A36000

heap

page read and write

9B000

stack

page read and write

1D0000

heap

page read and write

2B4A000

heap

page read and write

2B5B000

heap

page read and write

14E000

stack

page read and write

A0E000

stack

page read and write

160000

heap

page read and write

2B56000

heap

page read and write

2B13000

heap

page read and write

2B10000

heap

page read and write

2B22000

heap

page read and write

2B52000

heap

page read and write

2B4E000

heap

page read and write

A60000

heap

page read and write

E2F000

stack

page read and write

167000

heap

page read and write

A6A000

heap

page read and write

2B56000

heap

page read and write

9CC000

stack

page read and write

2B11000

heap

page read and write

2B5B000

heap

page read and write

There are 25 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Files

Processes

URLs

Domains

IPs

Memdumps