Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Copy10330520PDF.exe

"C:\Users\user\Desktop\Copy10330520PDF.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7488
Target ID:	0
Parent PID:	2592
Name:	Copy10330520PDF.exe
Path:	C:\Users\user\Desktop\Copy10330520PDF.exe
Commandline:	"C:\Users\user\Desktop\Copy10330520PDF.exe"
Size:	210808
MD5:	54CE77B9385FD7750D737F5AF323AB34
Time:	08:37:20
Date:	05/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x960000
Modulesize:	221184
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://98.142.254.109

unknown

Details

Name:	http://98.142.254.109
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\Copy10330520PDF.exe
Source:	Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E26000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://crl.thawte.com/ThawteTimestampingCA.crl0

unknown

http://98.142.254.109/ii/Kpcwtduh.mp4t

unknown

http://98.142.254.109D

unknown

Details

Name:	http://98.142.254.109D
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\Copy10330520PDF.exe
Source:	Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E64000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E1A000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E26000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://98.142.254.109/ii/Kpcwtduh.mp40

unknown

http://98.142.254.109/ii/Kpcwtduh.mp4P

unknown

Details

Name:	http://98.142.254.109/ii/Kpcwtduh.mp4P
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\Copy10330520PDF.exe
Source:	Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E64000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E38000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, Copy10330520PDF.exe, 00000000.00000002.3844939876.0000000002E26000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://ocsp.thawte.com0

unknown

http://98.142.254.109/ii/Kpcwtduh.mp4

98.142.254.109

Details

Name:	http://98.142.254.109/ii/Kpcwtduh.mp4
IP:	98.142.254.109
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\Copy10330520PDF.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
IP address seen in connection with other malware	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

98.142.254.109

unknown

Canada

Details

IP:	98.142.254.109
TargetID:	0
Current Path:	C:\Users\user\Desktop\Copy10330520PDF.exe
Country:	Canada
Countrycode:	CAN
ASN number:	30407
ASN name:	VELCOMCA
Private:	false

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy10330520PDF_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy10330520PDF_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy10330520PDF_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy10330520PDF_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy10330520PDF_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy10330520PDF_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy10330520PDF_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy10330520PDF_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy10330520PDF_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy10330520PDF_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy10330520PDF_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy10330520PDF_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy10330520PDF_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Copy10330520PDF_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

FED000

heap

page read and write

2E5C000

trusted library allocation

page read and write

FCE000

heap

page read and write

570F000

stack

page read and write

2E0F000

trusted library allocation

page read and write

102E000

heap

page read and write

2E64000

trusted library allocation

page read and write

12A7000

trusted library allocation

page execute and read and write

2DC6000

trusted library allocation

page read and write

52AE000

stack

page read and write

2E6A000

trusted library allocation

page read and write

134E000

stack

page read and write

114D000

stack

page read and write

12E0000

trusted library allocation

page execute and read and write

2E6C000

trusted library allocation

page read and write

12D0000

trusted library allocation

page read and write

D38000

stack

page read and write

2D71000

trusted library allocation

page read and write

544D000

stack

page read and write

64A0000

heap

page read and write

E80000

heap

page read and write

2DEE000

trusted library allocation

page read and write

2E38000

trusted library allocation

page read and write

D90000

heap

page read and write

11CE000

stack

page read and write

F85000

heap

page read and write

12BB000

trusted library allocation

page execute and read and write

1284000

trusted library allocation

page read and write

548E000

stack

page read and write

3D71000

trusted library allocation

page read and write

540E000

stack

page read and write

2DC3000

trusted library allocation

page read and write

EDD000

stack

page read and write

2E78000

trusted library allocation

page read and write

2DFC000

trusted library allocation

page read and write

60CD000

stack

page read and write

F5A000

heap

page read and write

2E1E000

trusted library allocation

page read and write

2D60000

heap

page execute and read and write

5E20000

trusted library allocation

page read and write

2E52000

trusted library allocation

page read and write

2D50000

trusted library allocation

page read and write

620D000

stack

page read and write

FF0000

heap

page read and write

6490000

heap

page read and write

138E000

stack

page read and write

F1E000

stack

page read and write

1283000

trusted library allocation

page execute and read and write

962000

unkown

page readonly

1290000

trusted library allocation

page read and write

128D000

trusted library allocation

page execute and read and write

1300000

heap

page read and write

E70000

heap

page read and write

12F0000

trusted library allocation

page read and write

F92000

heap

page read and write

2DF5000

trusted library allocation

page read and write

960000

unkown

page readonly

610D000

stack

page read and write

118E000

stack

page read and write

5B5D000

stack

page read and write

2E59000

trusted library allocation

page read and write

2DDA000

trusted library allocation

page read and write

2E74000

trusted library allocation

page read and write

C3C000

stack

page read and write

12B0000

trusted library allocation

page read and write

964000

unkown

page readonly

F5E000

heap

page read and write

2E1A000

trusted library allocation

page read and write

560D000

stack

page read and write

2E7C000

trusted library allocation

page read and write

2DD7000

trusted library allocation

page read and write

5C5C000

stack

page read and write

4E6E000

stack

page read and write

13C0000

heap

page read and write

E90000

heap

page read and write

13C7000

heap

page read and write

1028000

heap

page read and write

F50000

heap

page read and write

2E26000

trusted library allocation

page read and write

E75000

heap

page read and write

2C6E000

stack

page read and write

5FCD000

stack

page read and write

FC3000

heap

page read and write

5300000

heap

page execute and read and write

1270000

trusted library allocation

page read and write

2E7E000

trusted library allocation

page read and write

1280000

trusted library allocation

page read and write

2E7A000

trusted library allocation

page read and write

12A0000

trusted library allocation

page read and write

52EE000

stack

page read and write

12AA000

trusted library allocation

page execute and read and write

2DCE000

trusted library allocation

page read and write

12B7000

trusted library allocation

page execute and read and write

E87000

heap

page read and write

F30000

heap

page read and write

1030000

heap

page read and write

There are 86 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Copy10330520PDF.exe

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportCopy10330520PDF.exe

Processes

URLs

IPs

Registry

Memdumps

IOC Report
Copy10330520PDF.exe