Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\7f3c2473d1e6.exe

"C:\Users\user\Desktop\7f3c2473d1e6.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5660
Target ID:	0
Parent PID:	2580
Name:	7f3c2473d1e6.exe
Path:	C:\Users\user\Desktop\7f3c2473d1e6.exe
Commandline:	"C:\Users\user\Desktop\7f3c2473d1e6.exe"
Size:	563712
MD5:	33F127E35338687A1A64F67FA6ED3B9A
Time:	09:44:14
Date:	04/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xb50000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7012
Target ID:	1
Parent PID:	5660
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	09:44:14
Date:	04/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7e0000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\ProgramData\HDBGDHDAEC.exe

"C:\ProgramData\HDBGDHDAEC.exe"

Details

Is windows:	false
Is dropped:	true
PID:	4476
Target ID:	8
Parent PID:	7012
Name:	HDBGDHDAEC.exe
Path:	C:\ProgramData\HDBGDHDAEC.exe
Commandline:	"C:\ProgramData\HDBGDHDAEC.exe"
Size:	530432
MD5:	6C7D97AE1B013C0B5ABA8CA2186FDA7E
Time:	09:44:59
Date:	04/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xa40000
Modulesize:	548864
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6824
Target ID:	9
Parent PID:	4476
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	09:44:59
Date:	04/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x720000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5660 -s 272

Details

Is windows:	true
Is dropped:	false
PID:	6112
Target ID:	4
Parent PID:	5660
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5660 -s 272
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	09:44:14
Date:	04/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x690000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 272

Details

Is windows:	true
Is dropped:	false
PID:	2500
Target ID:	11
Parent PID:	4476
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 272
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	09:44:59
Date:	04/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x690000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GCGHJEBGHJKE" & exit

Details

Is windows:	true
Is dropped:	false
PID:	7136
Target ID:	13
Parent PID:	7012
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GCGHJEBGHJKE" & exit
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	09:45:33
Date:	04/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6680
Target ID:	14
Parent PID:	7136
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:45:33
Date:	04/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Details

Is windows:	true
Is dropped:	false
PID:	6016
Target ID:	15
Parent PID:	7136
Name:	timeout.exe
Path:	C:\Windows\SysWOW64\timeout.exe
Commandline:	timeout /t 10
Size:	25088
MD5:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Time:	09:45:33
Date:	04/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x670000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://feelystroll.buzz/api

104.21.0.152

http://proxy.johnmccrea.com//vcruntime140.dll

141.98.233.156

studennotediw.stor

http://proxy.johnmccrea.com//softokn3.dll

141.98.233.156

http://proxy.johnmccrea.com//nss3.dll

141.98.233.156

http://proxy.johnmccrea.com//mozglue.dll

141.98.233.156

spirittunek.stor

https://spirittunek.store/api

188.114.96.3

https://steamcommunity.com/profiles/76561199780418869

http://proxy.johnmccrea.com//msvcp140.dll

141.98.233.156

eaglepawnoy.stor

clearancek.site

mobbipenju.stor

https://steamcommunity.com/profiles/76561199724331900

104.102.49.254

licendfilteo.site

http://cowod.hopto.org/

45.132.206.251

http://proxy.johnmccrea.com//sql.dll

141.98.233.156

http://proxy.johnmccrea.com/

141.98.233.156

https://clearancek.site/api

188.114.97.3

https://dissapoiznw.store/api

188.114.96.3

https://steamcommunity.com/profiles/76561199724331900/inventory/

unknown

https://studennotediw.store/api

188.114.96.3

https://mobbipenju.store/api

104.21.69.130

https://bathdoomgaz.store/api

188.114.97.3

http://proxy.johnmccrea.com//freebl3.dll

141.98.233.156

https://eaglepawnoy.store/api

172.67.156.136

bathdoomgaz.stor

dissapoiznw.stor

https://duckduckgo.com/chrome_newtab

unknown

https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF

unknown

http://proxy.johnmccrea.com/ontent-Disposition:

unknown

https://duckduckgo.com/ac/?q=

unknown

http://cowod.hopto.org.com/data;

unknown

http://cowod.hopto.org

unknown

https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.

unknown

https://clearancek.site/D~k

unknown

http://cowod.hoptoCBGHCAA

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org

unknown

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17

unknown

http://proxy.johnmccrea.com/C

unknown

http://cowod.hopto.BGHCAA

unknown

http://cowod.hopto.org_DEBUG.zip/c

unknown

https://spirittunek.store/

unknown

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe

unknown

http://proxy.johnmccrea.com//freebl3.dll4

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1

unknown

https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi

unknown

http://cowod.hopto.

unknown

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install

unknown

http://cowod.DGHDGCBGHCAA

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

http://proxy.johnmccrea.com/gfdsgrewgdsfadsahttps://steamcommunity.com/profiles/76561199780418869u55

unknown

http://cowod.hopto

unknown

http://cowod.hopto.org/M

unknown

http://proxy.johnmccrea.com//mozglue.dllD

unknown

http://cowod.hopto.orgEGC

unknown

http://proxy.johnmccrea.com//nss3.dllV

unknown

http://proxy.johnmccrea.com//msvcp140.dllX

unknown

https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94

unknown

http://jask.powerforxes.shop/ldms/a43486128347.exe1kkkkoken

unknown

http://www.sqlite.org/copyright.html.

unknown

https://feelystroll.buzz/R_

unknown

https://t.me/ae5ed

unknown

http://www.mozilla.com/en-US/blocklist/

unknown

https://feelystroll.buzz/

unknown

https://mozilla.org0/

unknown

https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

http://store.steampowered.com/privacy_agreement/

unknown

https://feelystroll.buzz//

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta

unknown

http://upx.sf.net

unknown

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016

unknown

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe

unknown

https://www.ecosia.org/newtab/

unknown

https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg

unknown

http://jask.powerforxes.shop/ldms/a43486128347.exerm-data;

unknown

https://feelystroll.buzz/0

unknown

https://support.mozilla.org

unknown

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples

unknown

http://cowod.hopto.org854c41ac1nt-Disposition:

unknown

https://t.me/ae5edu55uhttps://steamcommunity.com/profiles/76561199780418869sql.dllsqlp.dllMozilla/5.

unknown

https://studennotediw.store/dT

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

http://jask.powerforxes.shop/ldms/a43486128347.exe

147.45.44.104

https://clearancek.site/apis

unknown

There are 80 hidden URLs, click here to show them.

Domains

Name

Malicious

feelystroll.buzz

104.21.0.152

cowod.hopto.org

45.132.206.251

bathdoomgaz.store

188.114.97.3

spirittunek.store

188.114.96.3

studennotediw.store

188.114.96.3

mobbipenju.store

104.21.69.130

steamcommunity.com

104.102.49.254

eaglepawnoy.store

172.67.156.136

clearancek.site

188.114.97.3

dissapoiznw.store

188.114.96.3

proxy.johnmccrea.com

141.98.233.156

licendfilteo.site

unknown

fp2e7a.wpc.phicdn.net

192.229.221.95

jask.powerforxes.shop

147.45.44.104

s-part-0032.t-0009.t-msedge.net

13.107.246.60

There are 5 hidden domains, click here to show them.

IPs

Domain

Country

Malicious

172.67.156.136

eaglepawnoy.store

United States

Details

IP:	172.67.156.136
TargetID:	9
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	eaglepawnoy.store

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

141.98.233.156

proxy.johnmccrea.com

Russian Federation

Details

IP:	141.98.233.156
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	41011
ASN name:	CH-NET-ASRO
Private:	false
Domain:	proxy.johnmccrea.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary

188.114.97.3

bathdoomgaz.store

European Union

Details

IP:	188.114.97.3
TargetID:	9
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	bathdoomgaz.store

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.21.0.152

feelystroll.buzz

United States

Details

IP:	104.21.0.152
TargetID:	9
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	feelystroll.buzz

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.21.69.130

mobbipenju.store

United States

Details

IP:	104.21.69.130
TargetID:	9
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	mobbipenju.store

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

188.114.96.3

spirittunek.store

European Union

Details

IP:	188.114.96.3
TargetID:	9
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	spirittunek.store

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.102.49.254

steamcommunity.com

United States

Details

IP:	104.102.49.254
TargetID:	9
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	United States
Countrycode:	USA
ASN number:	16625
ASN name:	AKAMAI-ASUS
Private:	false
Domain:	steamcommunity.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

45.132.206.251

cowod.hopto.org

Russian Federation

Details

IP:	45.132.206.251
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	59731
ASN name:	LIFELINK-ASRU
Private:	false
Domain:	cowod.hopto.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking

147.45.44.104

jask.powerforxes.shop

Russian Federation

Details

IP:	147.45.44.104
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	2895
ASN name:	FREE-NET-ASFREEnetEU
Private:	false
Domain:	jask.powerforxes.shop

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking