Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\m8ufsTLLOU.exe

"C:\Users\user\Desktop\m8ufsTLLOU.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6812
Target ID:	0
Parent PID:	2580
Name:	m8ufsTLLOU.exe
Path:	C:\Users\user\Desktop\m8ufsTLLOU.exe
Commandline:	"C:\Users\user\Desktop\m8ufsTLLOU.exe"
Size:	73802
MD5:	A94BC986375EBA0F2B06F3729A2FD7D6
Time:	12:01:59
Date:	20/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	90112
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Metasploit Payload	Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary

C:\Windows\SysWOW64\cmd.exe

cmd

Details

Is windows:	true
Is dropped:	false
PID:	1352
Target ID:	1
Parent PID:	6812
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	12:01:59
Date:	20/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5924
Target ID:	2
Parent PID:	1352
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	12:01:59
Date:	20/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.apache.org/licenses/LICEN

unknown

http://www.apache.org/

unknown

http://www.zeustech.net/

unknown

IPs

Domain

Country

Malicious

188.166.177.132

unknown

Netherlands

Details

IP:	188.166.177.132
TargetID:	0
Current Path:	C:\Users\user\Desktop\m8ufsTLLOU.exe
Country:	Netherlands
Countrycode:	NLD
ASN number:	14061
ASN name:	DIGITALOCEAN-ASNUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

500000

direct allocation

page execute and read and write

28CF000

unkown

page read and write

40C000

unkown

page readonly

9D000

stack

page read and write

70A000

heap

page read and write

4F0000

heap

page read and write

23FA000

stack

page read and write

415000

unkown

page readonly

56E000

stack

page read and write

6B0000

heap

page read and write

401000

unkown

page execute read

22FD000

stack

page read and write

19D000

stack

page read and write

6AE000

stack

page read and write

415000

unkown

page readonly

400000

unkown

page readonly

8FF000

stack

page read and write

27BE000

stack

page read and write

2B0F000

stack

page read and write

2660000

heap

page read and write

520000

heap

page read and write

525000

heap

page read and write

28D0000

heap

page read and write

40C000

unkown

page readonly

700000

heap

page read and write

277E000

unkown

page read and write

40D000

unkown

page write copy

27C0000

heap

page read and write

1F0000

heap

page read and write

2CA0000

heap

page read and write

291C000

heap

page read and write

2910000

heap

page read and write

401000

unkown

page execute read

66F000

stack

page read and write

40D000

unkown

page write copy

980000

heap

page read and write

70E000

heap

page read and write

23FE000

stack

page read and write

400000

unkown

page readonly

There are 29 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
m8ufsTLLOU.exe

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportm8ufsTLLOU.exe

Processes

URLs

IPs

Memdumps

IOC Report
m8ufsTLLOU.exe