Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\tcmeimnnMZ.exe

"C:\Users\user\Desktop\tcmeimnnMZ.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7432
Target ID:	0
Parent PID:	2580
Name:	tcmeimnnMZ.exe
Path:	C:\Users\user\Desktop\tcmeimnnMZ.exe
Commandline:	"C:\Users\user\Desktop\tcmeimnnMZ.exe"
Size:	182272
MD5:	B3E62E0DAF3ABE85E035558FED736E91
Time:	04:32:21
Date:	08/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x620000
Modulesize:	196608
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected KoiLoader	Data Obfuscation
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

URLs

Name

Malicious

https://kionaonline.com/modules/bonslick

unknown

Details

Name:	https://kionaonline.com/modules/bonslick
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\tcmeimnnMZ.exe
Source:	tcmeimnnMZ.exe

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

http://121.127.33.20/fermentum.php

Details

Name:	http://121.127.33.20/fermentum.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\tcmeimnnMZ.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

http://121.127.33.20/fermentum.php%temp%

unknown

Details

Name:	http://121.127.33.20/fermentum.php%temp%
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\tcmeimnnMZ.exe
Source:	tcmeimnnMZ.exe, 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, tcmeimnnMZ.exe, 00000000.00000002.1723860556.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

https://kionaonline.com/modules/bonslick/c

unknown

Details

Name:	https://kionaonline.com/modules/bonslick/c
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\tcmeimnnMZ.exe
Source:	tcmeimnnMZ.exe, 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, tcmeimnnMZ.exe, 00000000.00000002.1723860556.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

E41000

direct allocation

page execute read

EBE000

heap

page read and write

631000

unkown

page readonly

EB0000

heap

page read and write

621000

unkown

page execute read

638000

unkown

page read and write

E40000

direct allocation

page readonly

D3C000

stack

page read and write

D90000

heap

page read and write

621000

unkown

page execute read

63A000

unkown

page readonly

DDE000

stack

page read and write

EBA000

heap

page read and write

117E000

stack

page read and write

620000

unkown

page readonly

63A000

unkown

page readonly

C3C000

stack

page read and write

E20000

heap

page read and write

D80000

heap

page read and write

127F000

stack

page read and write

E4C000

direct allocation

page execute and read and write

E4B000

direct allocation

page readonly

631000

unkown

page readonly

638000

unkown

page write copy

E1E000

stack

page read and write

2B70000

heap

page read and write

620000

unkown

page readonly

There are 17 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
tcmeimnnMZ.exe

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReporttcmeimnnMZ.exe

Processes

URLs

Memdumps

IOC Report
tcmeimnnMZ.exe