Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4268
Target ID:	0
Parent PID:	1028
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	2944000
MD5:	4CC039AC299C83B717D9CA4CC319A298
Time:	23:21:01
Date:	24/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x5f0000
Modulesize:	3186688
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

https://spirittunek.store/api

unknown

bathdoomgaz.store

studennotediw.store

clearancek.site

dissapoiznw.store

https://licendfilteo.site/api

unknown

https://steamcommunity.com/profiles/76561199724331900

104.102.49.254

spirittunek.store

licendfilteo.site

eaglepawnoy.store

mobbipenju.store

https://steamcommunity.com/my/wishlist/

unknown

https://player.vimeo.com

unknown

https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&

unknown

https://steamcommunity.com/?subsection=broadcasts

unknown

https://help.steampowered.com/en/

unknown

https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV

unknown

https://steamcommunity.com/market/

unknown

https://store.steampowered.com/news/

unknown

https://store.steampowered.com/subscriber_agreement/

unknown

https://www.gstatic.cn/recaptcha/

unknown

http://store.steampowered.com/subscriber_agreement/

unknown

https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=

unknown

https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org

unknown

https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX

unknown

https://recaptcha.net/recaptcha/;

unknown

https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE

unknown

http://www.valvesoftware.com/legal.htm

unknown

https://steamcommunity.com/discussions/

unknown

https://www.youtube.com

unknown

https://www.google.com

unknown

https://store.steampowered.com/stats/

unknown

https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&l=englis

unknown

https://studennotediw.store/apiN

unknown

https://medal.tv

unknown

https://broadcast.st.dl.eccdnx.com

unknown

https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp

unknown

https://store.steampowered.com/steam_refunds/

unknown

https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v

unknown

https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p

unknown

https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

unknown

https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900

unknown

https://steamcommunity.com/?

unknown

https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1

unknown

https://s.ytimg.com;

unknown

https://steamcommunity.com/workshop/

unknown

https://login.steampowered.com/

unknown

https://store.steampowered.com/legal/

unknown

https://steam.tv/

unknown

https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl

unknown

https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=

unknown

https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=W9BX

unknown

https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&

unknown

https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am

unknown

http://store.steampowered.com/privacy_agreement/

unknown

https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&

unknown

https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli

unknown

https://steamcommunity.com/i

unknown

https://store.steampowered.com/points/shop/

unknown

https://recaptcha.net

unknown

https://store.steampowered.com/

unknown

https://clearancek.site/api

unknown

https://community.cloudflare.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=e

unknown

https://steamcommunity.com/profiles/76561199724331900_

unknown

https://steamcommunity.com

unknown

https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&

unknown

https://sketchfab.com

unknown

https://lv.queniujq.cn

unknown

https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C42cb6563c5fec81

unknown

https://www.youtube.com/

unknown

http://127.0.0.1:27060

unknown

https://store.steampowered.com/privacy_agreement/

unknown

https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/

unknown

https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png

unknown

https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1

unknown

https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016

unknown

https://www.google.com/recaptcha/

unknown

https://checkout.steampowered.com/

unknown

https://help.steampowered.com/

unknown

https://api.steampowered.com/

unknown

https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b

unknown

http://store.steampowered.com/account/cookiepreferences/

unknown

https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png

unknown

https://store.steampowered.com/mobile

unknown

https://steamcommunity.com/

unknown

https://store.steampowered.com/;

unknown

https://store.steampowered.com/about/

unknown

https://community.cloudflare.steamstatic.com/

unknown

There are 78 hidden URLs, click here to show them.

Domains

Name

Malicious

steamcommunity.com

104.102.49.254

Details

Name:	steamcommunity.com
IP:	104.102.49.254
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Found strings which match to known social media urls	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

eaglepawnoy.store

unknown

Details

Name:	eaglepawnoy.store
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

bathdoomgaz.store

unknown

Details

Name:	bathdoomgaz.store
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

spirittunek.store

unknown

Details

Name:	spirittunek.store
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

licendfilteo.site

unknown

Details

Name:	licendfilteo.site
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

studennotediw.store

unknown

Details

Name:	studennotediw.store
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

mobbipenju.store

unknown

Details

Name:	mobbipenju.store
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

clearancek.site

unknown

Details

Name:	clearancek.site
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

dissapoiznw.store

unknown

Details

Name:	dissapoiznw.store
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

104.102.49.254

steamcommunity.com

United States

Details

IP:	104.102.49.254
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	16625
ASN name:	AKAMAI-ASUS
Private:	false
Domain:	steamcommunity.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

5F1000

unkown

page execute and read and write

82E000

unkown

page execute and write copy

47BF000

stack

page read and write

7AB000

unkown

page execute and read and write

1590000

direct allocation

page read and write

559E000

stack

page read and write

1484000

heap

page read and write

407E000

stack

page read and write

4E01000

heap

page read and write

417F000

stack

page read and write

5280000

remote allocation

page read and write

4E01000

heap

page read and write

5410000

direct allocation

page execute and read and write

1639000

heap

page read and write

493E000

stack

page read and write

1641000

heap

page read and write

541D000

stack

page read and write

33BF000

stack

page read and write

1484000

heap

page read and write

157E000

stack

page read and write

1484000

heap

page read and write

1484000

heap

page read and write

453E000

stack

page read and write

189F000

stack

page read and write

15E5000

heap

page read and write

848000

unkown

page execute and write copy

806000

unkown

page execute and write copy

1480000

heap

page read and write

313F000

stack

page read and write

1622000

heap

page read and write

560C000

trusted library allocation

page read and write

1590000

direct allocation

page read and write

7D5000

unkown

page execute and write copy

1530000

heap

page read and write

5410000

direct allocation

page execute and read and write

3A3E000

stack

page read and write

86A000

unkown

page execute and read and write

1537000

heap

page read and write

42FE000

stack

page read and write

15A0000

heap

page read and write

4E01000

heap

page read and write

874000

unkown

page execute and read and write

1635000

heap

page read and write

5F1000

unkown

page execute and write copy

4E01000

heap

page read and write

1641000

heap

page read and write

39FF000

stack

page read and write

1590000

direct allocation

page read and write

14CE000

stack

page read and write

4CFE000

stack

page read and write

8F6000

unkown

page execute and write copy

5410000

direct allocation

page execute and read and write

15AE000

heap

page read and write

86B000

unkown

page execute and write copy

1641000

heap

page read and write

84A000

unkown

page execute and read and write

1590000

direct allocation

page read and write

1484000

heap

page read and write

47FE000

stack

page read and write

1590000

direct allocation

page read and write

595D000

stack

page read and write

457E000

stack

page read and write

1484000

heap

page read and write

591F000

stack

page read and write

4CBF000

stack

page read and write

8E0000

unkown

page execute and read and write

1590000

direct allocation

page read and write

5240000

heap

page read and write

8E7000

unkown

page execute and write copy

8CF000

unkown

page execute and write copy

1624000

heap

page read and write

5280000

remote allocation

page read and write

817000

unkown

page execute and read and write

7C8000

unkown

page execute and read and write

5290000

direct allocation

page read and write

569D000

stack

page read and write

150E000

stack

page read and write

15E3000

heap

page read and write

53CF000

stack

page read and write

650000

unkown

page execute and write copy

1484000

heap

page read and write

859000

unkown

page execute and write copy

1590000

direct allocation

page read and write

5706000

trusted library allocation

page read and write

1590000

direct allocation

page read and write

5709000

trusted library allocation

page read and write

5716000

trusted library allocation

page read and write

34FF000

stack

page read and write

3B3F000

stack

page read and write

1625000

heap

page read and write

5290000

direct allocation

page read and write

4E00000

heap

page read and write

897000

unkown

page execute and write copy

5F0000

unkown

page read and write

1590000

direct allocation

page read and write

4E01000

heap

page read and write

15EE000

heap

page read and write

403F000

stack

page read and write

5280000

remote allocation

page read and write

5430000

direct allocation

page execute and read and write

5A5E000

stack

page read and write

3CBE000

stack

page read and write

3C7F000

stack

page read and write

4A3F000

stack

page read and write

15E1000

heap

page read and write

7F0000

unkown

page execute and read and write

1484000

heap

page read and write

8E7000

unkown

page execute and write copy

1484000

heap

page read and write

32BE000

stack

page read and write

167A000

heap

page read and write

1590000

direct allocation

page read and write

4E01000

heap

page read and write

4A7E000

stack

page read and write

3EFF000

stack

page read and write

4E01000

heap

page read and write

353E000

stack

page read and write

33FE000

stack

page read and write

5290000

direct allocation

page read and write

15D8000

heap

page read and write

1370000

heap

page read and write

317B000

stack

page read and write

4E01000

heap

page read and write

1484000

heap

page read and write

5410000

direct allocation

page execute and read and write

898000

unkown

page execute and read and write

7D6000

unkown

page execute and read and write

1484000

heap

page read and write

65C000

unkown

page execute and write copy

7AD000

unkown

page execute and write copy

1484000

heap

page read and write

1484000

heap

page read and write

1484000

heap

page read and write

4DFF000

stack

page read and write

53F0000

direct allocation

page execute and read and write

3F3E000

stack

page read and write

5F0000

unkown

page readonly

5420000

direct allocation

page execute and read and write

5460000

trusted library allocation

page read and write

8DF000

unkown

page execute and write copy

4F00000

trusted library allocation

page read and write

581E000

stack

page read and write

179F000

stack

page read and write

847000

unkown

page execute and read and write

7F2000

unkown

page execute and write copy

5BCF000

stack

page read and write

5410000

direct allocation

page execute and read and write

3B7E000

stack

page read and write

41BE000

stack

page read and write

1580000

heap

page read and write

1484000

heap

page read and write

571E000

trusted library allocation

page read and write

1603000

heap

page read and write

1674000

heap

page read and write

85A000

unkown

page execute and read and write

363F000

stack

page read and write

367E000

stack

page read and write

5ACE000

stack

page read and write

861000

unkown

page execute and write copy

80F000

unkown

page execute and write copy

835000

unkown

page execute and read and write

8DF000

unkown

page execute and write copy

1636000

heap

page read and write

57DE000

stack

page read and write

866000

unkown

page execute and read and write

1590000

direct allocation

page read and write

1484000

heap

page read and write

8D2000

unkown

page execute and write copy

38FE000

stack

page read and write

8F7000

unkown

page execute and write copy

1484000

heap

page read and write

37BE000

stack

page read and write

53E0000

direct allocation

page execute and read and write

4B7F000

stack

page read and write

38BF000

stack

page read and write

1484000

heap

page read and write

8F6000

unkown

page execute and read and write

807000

unkown

page execute and read and write

1590000

direct allocation

page read and write

867000

unkown

page execute and write copy

123C000

stack

page read and write

43FF000

stack

page read and write

1590000

direct allocation

page read and write

1484000

heap

page read and write

3DBF000

stack

page read and write

650000

unkown

page execute and read and write

7DA000

unkown

page execute and write copy

1484000

heap

page read and write

88C000

unkown

page execute and read and write

48FF000

stack

page read and write

3DFE000

stack

page read and write

5450000

direct allocation

page execute and read and write

4E01000

heap

page read and write

56DE000

stack

page read and write

572C000

trusted library allocation

page read and write

4BBE000

stack

page read and write

1638000

heap

page read and write

46BE000

stack

page read and write

5400000

direct allocation

page execute and read and write

1484000

heap

page read and write

1484000

heap

page read and write

377F000

stack

page read and write

443D000

stack

page read and write

1590000

direct allocation

page read and write

5410000

direct allocation

page execute and read and write

327F000

stack

page read and write

467F000

stack

page read and write

842000

unkown

page execute and write copy

8B3000

unkown

page execute and read and write

1484000

heap

page read and write

1484000

heap

page read and write

555D000

stack

page read and write

88A000

unkown

page execute and write copy

1484000

heap

page read and write

7EE000

unkown

page execute and write copy

1600000

heap

page read and write

133D000

stack

page read and write

1450000

heap

page read and write

15AA000

heap

page read and write

5440000

direct allocation

page execute and read and write

7DC000

unkown

page execute and read and write

8E1000

unkown

page execute and write copy

52CE000

stack

page read and write

7F3000

unkown

page execute and read and write

42BF000

stack

page read and write

There are 215 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
file.exe