Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\7R4CQlalZQ.exe

"C:\Users\user\Desktop\7R4CQlalZQ.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2828
Target ID:	0
Parent PID:	1028
Name:	7R4CQlalZQ.exe
Path:	C:\Users\user\Desktop\7R4CQlalZQ.exe
Commandline:	"C:\Users\user\Desktop\7R4CQlalZQ.exe"
Size:	33280
MD5:	490CEAB952ABD5B62925E15F4B7AA533
Time:	02:14:55
Date:	08/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd30000
Modulesize:	57344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample uses string decryption to hide its real strings	AV Detection
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

193.233.255.34

Details

Name:	193.233.255.34
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\7R4CQlalZQ.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

IPs

Domain

Country

Malicious

193.233.255.34

unknown

Russian Federation

Details

IP:	193.233.255.34
TargetID:	0
Current Path:	C:\Users\user\Desktop\7R4CQlalZQ.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	2895
ASN name:	FREE-NET-ASFREEnetEU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

D32000

unkown

page readonly

3241000

trusted library allocation

page read and write

12C3000

heap

page read and write

147E000

stack

page read and write

133F000

heap

page read and write

1C004000

heap

page read and write

7FF848D60000

trusted library allocation

page read and write

10F4000

stack

page read and write

7FF848E46000

trusted library allocation

page execute and read and write

DC0000

heap

page read and write

304F000

stack

page read and write

1BD9E000

stack

page read and write

7FF848D64000

trusted library allocation

page read and write

7FF848D72000

trusted library allocation

page read and write

1C48C000

stack

page read and write

13241000

trusted library allocation

page read and write

1270000

trusted library allocation

page read and write

1C032000

heap

page read and write

1C58C000

stack

page read and write

1C03D000

heap

page read and write

7FF848E20000

trusted library allocation

page execute and read and write

7FF848D70000

trusted library allocation

page read and write

1BF9D000

stack

page read and write

7FF848DBC000

trusted library allocation

page execute and read and write

1620000

heap

page read and write

176B000

stack

page read and write

12EF000

heap

page read and write

1660000

heap

page read and write

7FF848D63000

trusted library allocation

page execute and read and write

7FF848E16000

trusted library allocation

page read and write

1BFA0000

heap

page read and write

3080000

heap

page read and write

1273000

trusted library allocation

page read and write

12C0000

heap

page read and write

7FF848D6D000

trusted library allocation

page execute and read and write

1324E000

trusted library allocation

page read and write

7FF848D7D000

trusted library allocation

page execute and read and write

D30000

unkown

page readonly

309F000

heap

page read and write

12ED000

heap

page read and write

7FF848D80000

trusted library allocation

page read and write

300F000

stack

page read and write

1286000

heap

page read and write

1C68A000

stack

page read and write

1BAFA000

stack

page read and write

7FF848F00000

trusted library allocation

page read and write

1240000

trusted library allocation

page read and write

157D000

stack

page read and write

1B270000

trusted library allocation

page read and write

7FF848E10000

trusted library allocation

page read and write

1600000

heap

page read and write

1C018000

heap

page read and write

DD0000

heap

page read and write

31EE000

stack

page read and write

13248000

trusted library allocation

page read and write

1225000

heap

page read and write

1280000

heap

page read and write

12AB000

heap

page read and write

1665000

heap

page read and write

7FF848E1C000

trusted library allocation

page execute and read and write

1BB90000

heap

page read and write

1BB93000

heap

page read and write

7FF848F11000

trusted library allocation

page read and write

7FF49B180000

trusted library allocation

page execute and read and write

1BFCD000

heap

page read and write

3230000

heap

page execute and read and write

1BFB4000

heap

page read and write

7FF848E80000

trusted library allocation

page execute and read and write

D30000

unkown

page readonly

1C021000

heap

page read and write

7FF848D84000

trusted library allocation

page read and write

12B2000

heap

page read and write

1C043000

heap

page read and write

1260000

trusted library allocation

page read and write

11D0000

heap

page read and write

11F0000

heap

page read and write

1220000

heap

page read and write

1B6BD000

stack

page read and write

1BC94000

stack

page read and write

1610000

heap

page execute and read and write

7FF848D8D000

trusted library allocation

page execute and read and write

There are 71 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
7R4CQlalZQ.exe

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report7R4CQlalZQ.exe

Processes

URLs

IPs

Memdumps

IOC Report
7R4CQlalZQ.exe