Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\IMG_3322101870451.exe

"C:\Users\user\Desktop\IMG_3322101870451.exe"

Details

Is windows:	false
Is dropped:	false
PID:	8080
Target ID:	0
Parent PID:	3968
Name:	IMG_3322101870451.exe
Path:	C:\Users\user\Desktop\IMG_3322101870451.exe
Commandline:	"C:\Users\user\Desktop\IMG_3322101870451.exe"
Size:	254328
MD5:	8290AB3945CFC9355B5F18D4C4262CEE
Time:	08:37:15
Date:	05/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf20000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://185.167.61.13

unknown

http://185.167.61.13/aa/Ubeyvibl.vdfP

unknown

Details

Name:	http://185.167.61.13/aa/Ubeyvibl.vdfP
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\IMG_3322101870451.exe
Source:	IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033F2000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000344C000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000333E000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000337E000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003396000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033FA000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003450000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://crl.thawte.com/ThawteTimestampingCA.crl0

unknown

http://185.167.61.13D

unknown

Details

Name:	http://185.167.61.13D
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\IMG_3322101870451.exe
Source:	IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033F2000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000338A000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003366000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000333E000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000337E000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003396000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000335F000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033FA000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003448000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003450000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://ocsp.thawte.com0

unknown

http://185.167.61.13/aa/Ubeyvibl.vdf

185.167.61.13

Details

Name:	http://185.167.61.13/aa/Ubeyvibl.vdf
IP:	185.167.61.13
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\IMG_3322101870451.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
IP address seen in connection with other malware	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

185.167.61.13

unknown

Turkey

Details

IP:	185.167.61.13
TargetID:	0
Current Path:	C:\Users\user\Desktop\IMG_3322101870451.exe
Country:	Turkey
Countrycode:	TUR
ASN number:	197328
ASN name:	INETLTDTR
Private:	false

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\IMG_3322101870451_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\IMG_3322101870451_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\IMG_3322101870451_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\IMG_3322101870451_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\IMG_3322101870451_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\IMG_3322101870451_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\IMG_3322101870451_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\IMG_3322101870451_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\IMG_3322101870451_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\IMG_3322101870451_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\IMG_3322101870451_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\IMG_3322101870451_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\IMG_3322101870451_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\IMG_3322101870451_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

33F2000

trusted library allocation

page read and write

1350000

heap

page read and write

31C0000

trusted library allocation

page read and write

17FE000

stack

page read and write

42C1000

trusted library allocation

page read and write

344C000

trusted library allocation

page read and write

338A000

trusted library allocation

page read and write

33C6000

trusted library allocation

page read and write

1519000

heap

page read and write

1453000

trusted library allocation

page execute and read and write

3456000

trusted library allocation

page read and write

587D000

stack

page read and write

53BE000

stack

page read and write

5730000

heap

page execute and read and write

6D10000

heap

page read and write

12FB000

stack

page read and write

3366000

trusted library allocation

page read and write

14A5000

heap

page read and write

3392000

trusted library allocation

page read and write

1377000

heap

page read and write

6460000

heap

page read and write

1454000

trusted library allocation

page read and write

147E000

heap

page read and write

3439000

trusted library allocation

page read and write

333E000

trusted library allocation

page read and write

32B7000

heap

page read and write

31BE000

stack

page read and write

1770000

trusted library allocation

page read and write

3319000

trusted library allocation

page read and write

6D00000

heap

page read and write

1470000

heap

page read and write

13A0000

heap

page read and write

6BFD000

stack

page read and write

13ED000

stack

page read and write

5D4D000

stack

page read and write

6463000

heap

page read and write

646B000

heap

page read and write

5CCE000

stack

page read and write

1800000

trusted library allocation

page execute and read and write

6471000

heap

page read and write

3379000

trusted library allocation

page read and write

337E000

trusted library allocation

page read and write

F20000

unkown

page readonly

5B8D000

stack

page read and write

5720000

heap

page read and write

5E4C000

stack

page read and write

6010000

trusted library section

page read and write

577D000

stack

page read and write

58BE000

stack

page read and write

3358000

trusted library allocation

page read and write

1757000

trusted library allocation

page execute and read and write

338C000

trusted library allocation

page read and write

1810000

heap

page read and write

1740000

trusted library allocation

page read and write

6473000

heap

page read and write

FEC000

stack

page read and write

3396000

trusted library allocation

page read and write

609E000

stack

page read and write

605D000

stack

page read and write

5F0E000

stack

page read and write

174A000

trusted library allocation

page execute and read and write

17BE000

stack

page read and write

147A000

heap

page read and write

5C88000

stack

page read and write

1746000

trusted library allocation

page execute and read and write

67DD000

stack

page read and write

335F000

trusted library allocation

page read and write

32C1000

trusted library allocation

page read and write

31E0000

trusted library allocation

page read and write

1750000

trusted library allocation

page read and write

145D000

trusted library allocation

page execute and read and write

33FA000

trusted library allocation

page read and write

59BE000

stack

page read and write

1817000

heap

page read and write

32C6000

trusted library allocation

page read and write

3448000

trusted library allocation

page read and write

3450000

trusted library allocation

page read and write

6CFC000

stack

page read and write

151E000

heap

page read and write

F22000

unkown

page readonly

3390000

trusted library allocation

page read and write

5D0E000

stack

page read and write

1440000

trusted library allocation

page read and write

600F000

stack

page read and write

173D000

stack

page read and write

66DD000

stack

page read and write

621D000

stack

page read and write

631E000

stack

page read and write

142D000

stack

page read and write

1460000

trusted library allocation

page read and write

5700000

trusted library allocation

page read and write

1370000

heap

page read and write

31F0000

heap

page execute and read and write

338E000

trusted library allocation

page read and write

175B000

trusted library allocation

page execute and read and write

14B2000

heap

page read and write

1360000

heap

page read and write

6465000

heap

page read and write

191D000

stack

page read and write

1450000

trusted library allocation

page read and write

32B0000

heap

page read and write

33BE000

trusted library allocation

page read and write

There are 92 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
IMG_3322101870451.exe

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportIMG_3322101870451.exe

Processes

URLs

IPs

Registry

Memdumps

IOC Report
IMG_3322101870451.exe