Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Copy60330548196.exe

"C:\Users\user\Desktop\Copy60330548196.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7144
Target ID:	0
Parent PID:	3504
Name:	Copy60330548196.exe
Path:	C:\Users\user\Desktop\Copy60330548196.exe
Commandline:	"C:\Users\user\Desktop\Copy60330548196.exe"
Size:	316280
MD5:	F6059B7E84DE5F51EB7C2BE5874C895E
Time:	08:37:15
Date:	05/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x6d0000
Modulesize:	327680
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://98.142.254.109/ii/Meqvrjzz.wavt

unknown

http://98.142.254.109

unknown

http://98.142.254.109/ii/Meqvrjzz.wav

98.142.254.109

http://crl.thawte.com/ThawteTimestampingCA.crl0

unknown

http://schemas.xmlsoap.org/soap/encoding/

unknown

http://98.142.254.109D

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://ocsp.thawte.com0

unknown

http://98.142.254.109/ii/Meqvrjzz.wavP

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

IPs

Domain

Country

Malicious

98.142.254.109

unknown

Canada

Details

IP:	98.142.254.109
TargetID:	0
Current Path:	C:\Users\user\Desktop\Copy60330548196.exe
Country:	Canada
Countrycode:	CAN
ASN number:	30407
ASN name:	VELCOMCA
Private:	false

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy60330548196_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy60330548196_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy60330548196_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy60330548196_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy60330548196_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy60330548196_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy60330548196_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy60330548196_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy60330548196_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy60330548196_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy60330548196_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy60330548196_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy60330548196_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy60330548196_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2B7E000

trusted library allocation

page read and write

58ED000

stack

page read and write

5E0D000

stack

page read and write

6D2000

unkown

page readonly

2AA0000

heap

page execute and read and write

548E000

stack

page read and write

E6E000

stack

page read and write

EED000

stack

page read and write

B7E000

heap

page read and write

2BD4000

trusted library allocation

page read and write

5AAD000

stack

page read and write

BA5000

heap

page read and write

2B8C000

trusted library allocation

page read and write

DBD000

stack

page read and write

E00000

heap

page read and write

DFA000

trusted library allocation

page execute and read and write

2B72000

trusted library allocation

page read and write

DE0000

trusted library allocation

page read and write

C2D000

heap

page read and write

5E60000

heap

page read and write

7F0000

heap

page read and write

5F6D000

stack

page read and write

6D0000

unkown

page readonly

B30000

heap

page read and write

2BDC000

trusted library allocation

page read and write

2B7C000

trusted library allocation

page read and write

2B80000

trusted library allocation

page read and write

B20000

heap

page read and write

E1B000

trusted library allocation

page execute and read and write

7AC000

stack

page read and write

510C000

stack

page read and write

568E000

stack

page read and write

2AD1000

trusted library allocation

page read and write

538D000

stack

page read and write

2B8E000

trusted library allocation

page read and write

C08000

heap

page read and write

E20000

heap

page read and write

C31000

heap

page read and write

3AD1000

trusted library allocation

page read and write

E27000

heap

page read and write

E07000

heap

page read and write

EAD000

stack

page read and write

4BCE000

stack

page read and write

DF7000

trusted library allocation

page execute and read and write

2B82000

trusted library allocation

page read and write

D7E000

stack

page read and write

DD0000

trusted library allocation

page read and write

558D000

stack

page read and write

2B29000

trusted library allocation

page read and write

5E50000

heap

page read and write

51CD000

stack

page read and write

520E000

stack

page read and write

2AC0000

heap

page execute and read and write

BB2000

heap

page read and write

E17000

trusted library allocation

page execute and read and write

2A60000

trusted library allocation

page read and write

2B9C000

trusted library allocation

page read and write

6EE000

unkown

page readonly

7F5000

heap

page read and write

2AB0000

trusted library allocation

page read and write

BDE000

heap

page read and write

E12000

trusted library allocation

page read and write

2BA2000

trusted library allocation

page read and write

DD3000

trusted library allocation

page execute and read and write

2910000

trusted library allocation

page execute and read and write

5BAD000

stack

page read and write

2BC4000

trusted library allocation

page read and write

B78000

heap

page read and write

DD4000

trusted library allocation

page read and write

500D000

stack

page read and write

290E000

stack

page read and write

F2D000

stack

page read and write

2B31000

trusted library allocation

page read and write

2A30000

heap

page read and write

2B55000

trusted library allocation

page read and write

DC0000

trusted library allocation

page read and write

B98000

heap

page read and write

2A50000

trusted library allocation

page read and write

2B96000

trusted library allocation

page read and write

2BD8000

trusted library allocation

page read and write

AF8000

stack

page read and write

2BBD000

trusted library allocation

page read and write

2BDA000

trusted library allocation

page read and write

FAE000

stack

page read and write

2B4E000

trusted library allocation

page read and write

2B74000

trusted library allocation

page read and write

DDD000

trusted library allocation

page execute and read and write

B70000

heap

page read and write

2920000

heap

page read and write

2BCA000

trusted library allocation

page read and write

59EC000

stack

page read and write

F6D000

stack

page read and write

27E0000

trusted library allocation

page read and write

2B6F000

trusted library allocation

page read and write

2B37000

trusted library allocation

page read and write

282E000

stack

page read and write

2A2F000

stack

page read and write

2BCC000

trusted library allocation

page read and write

2B5C000

trusted library allocation

page read and write

There are 89 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Copy60330548196.exe

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportCopy60330548196.exe

Processes

URLs

IPs

Registry

Memdumps

IOC Report
Copy60330548196.exe