Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

mluxGOTw1e.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.464068278316323
Filename:	mluxGOTw1e.exe
Filesize:	311808
MD5:	e516d0f273821697860cb7e606aa531e
SHA1:	28eda2de9a7acaad4fe4abc5ee927948e94d07de
SHA256:	26e5c31684960235c5ca7963770edc5488533b3fd58de9ffc46f3d297228ec3b
SHA512:	eeaca4835bd55813971ac5bd08d808508be31587eb251e7ffcc341174cff41ee1c0c415a90c79e4fb4a686a9ca8b727d1c5321b1ec46b0f7b9e45416c20ff2ef
SSDEEP:	3072:FF3HAXuHm+WAEBDNNv+5M4qfY7naxiEHlN5WImrclZFmSlSu9huyqKo8wuIOvmlN:FtZudLhjhMzWCbh2Y+HbTWMH9O1BNI
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...,..f.........."............................@.............................0............`........................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Early bird code injection technique detected	HIPS / PFW / Operating System Protection Evasion
Multi AV Scanner detection for submitted file	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Found direct / indirect Syscall (likely to bypass EDR)	HIPS / PFW / Operating System Protection Evasion	Abuse Elevation Control Mechanism
Hijacks the control flow in another process	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Queues an APC in another process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality to call native functions	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
Contains functionality to register its own exception handler	Anti Debugging
PE file has an executable .text section and no other executable section	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

\Device\ConDrv

ASCII text

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\mluxGOTw1e.exe
Type:	ASCII text
Entropy:	4.933587194429315
Encrypted:	false
Ssdeep:	12:NF+lDB5G7hV1cTZDQN+GISEXQkg2nWxktjXYHAWXXQkqP2axoEbsgkvmr6aAedXc:NF+lD7G7NwZs+G7hkg2nXYTwkqP26Lba
Size:	754
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Yara detected generic Shellcode Injector	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\notepad.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\notepad.exe.log
Category:	dropped
Dump:	notepad.exe.log.3.dr
ID:	dr_1
Target ID:	3
Process:	C:\Windows\System32\notepad.exe
Type:	CSV text
Entropy:	5.380476433908377
Encrypted:	false
Ssdeep:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
Size:	654
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\mluxGOTw1e.exe

"C:\Users\user\Desktop\mluxGOTw1e.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2140
Target ID:	0
Parent PID:	4056
Name:	mluxGOTw1e.exe
Path:	C:\Users\user\Desktop\mluxGOTw1e.exe
Commandline:	"C:\Users\user\Desktop\mluxGOTw1e.exe"
Size:	311808
MD5:	E516D0F273821697860CB7E606AA531E
Time:	02:49:19
Date:	26/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7494f0000
Modulesize:	339968
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected generic Shellcode Injector	Malware Analysis System Evasion
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\System32\notepad.exe

Details

Is windows:	true
Is dropped:	false
PID:	6544
Target ID:	3
Parent PID:	4056
Name:	notepad.exe
Path:	C:\Windows\System32\notepad.exe
Commandline:	C:\Windows\System32\notepad.exe
Size:	201216
MD5:	27F71B12CB585541885A31BE22F61C83
Time:	02:49:19
Date:	26/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff711430000
Modulesize:	229376
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Early bird code injection technique detected	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queues an APC in another process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	2724
Target ID:	1
Parent PID:	2140
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	02:49:19
Date:	26/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://pastebin.com/raw/zcGavZvr

Details

Name:	https://pastebin.com/raw/zcGavZvr
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\mluxGOTw1e.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7FF74951D000

unkown

page readonly

2DE317A1000

trusted library allocation

page read and write

2DE31470000

trusted library section

page read and write

7FF74951D000

unkown

page readonly

7FFAAC4E0000

trusted library allocation

page read and write

2DE417AE000

trusted library allocation

page read and write

7FFAAC5D5000

trusted library allocation

page read and write

7DF404600000

trusted library allocation

page execute and read and write

F72D77E000

stack

page read and write

2DE2FAC4000

heap

page read and write

2DE314A0000

trusted library allocation

page read and write

2DE314B0000

trusted library allocation

page read and write

2DE313F0000

heap

page read and write

2DE315A5000

heap

page read and write

F72D67E000

stack

page read and write

F72D8FF000

stack

page read and write

2DE2FB61000

heap

page read and write

7FFAAC5E8000

trusted library allocation

page execute and read and write

7DF404610000

trusted library allocation

page execute and read and write

7FFAAC4F0000

trusted library allocation

page execute and read and write

2DE31490000

trusted library allocation

page read and write

181238FC000

heap

page read and write

2DE2FB4C000

heap

page read and write

181239F0000

unkown

page read and write

2DE2F9E0000

heap

page read and write

2DE2FB4E000

heap

page read and write

7FF749533000

unkown

page readonly

2DE31490000

trusted library allocation

page read and write

2DE2FAFE000

heap

page read and write

2DE314A0000

trusted library allocation

page read and write

7FFAAC433000

trusted library allocation

page execute and read and write

2DE417A9000

trusted library allocation

page read and write

2DE31490000

trusted library allocation

page read and write

7FF74952F000

unkown

page readonly

F72D7FD000

stack

page read and write

2DE2FA90000

heap

page read and write

7FFAAC43D000

trusted library allocation

page execute and read and write

2DE2FA88000

heap

page read and write

2DE417A1000

trusted library allocation

page read and write

2DE314A0000

trusted library allocation

page read and write

7FFAAC516000

trusted library allocation

page execute and read and write

F72D97F000

stack

page read and write

2DE2FAD3000

heap

page read and write

2DE2FAD0000

heap

page read and write

7FF7494F0000

unkown

page readonly

7FFAAC5DD000

trusted library allocation

page execute and read and write

2DE2F9F0000

heap

page read and write

2DE31493000

trusted library allocation

page read and write

2DE2FAD8000

heap

page read and write

2DE31585000

heap

page read and write

2DE2FB4C000

heap

page read and write

181238F9000

heap

page read and write

7FFAAC610000

trusted library allocation

page execute and read and write

7DF4045F0000

trusted library allocation

page execute and read and write

2DE2FAD0000

heap

page read and write

2DE314A0000

trusted library allocation

page read and write

2DE317C4000

trusted library allocation

page read and write

2DE2FB48000

heap

page read and write

F72D6FF000

stack

page read and write

2DE31440000

heap

page readonly

181238F0000

heap

page read and write

2DE31493000

trusted library allocation

page read and write

7FFAAC550000

trusted library allocation

page execute and read and write

2DE2FB42000

heap

page read and write

2DE31480000

trusted library allocation

page read and write

2DE2FB63000

heap

page read and write

2DE31493000

trusted library allocation

page read and write

7FFAAC5E0000

trusted library allocation

page read and write

2DE31490000

trusted library allocation

page read and write

2DE31580000

heap

page read and write

2DE31490000

trusted library allocation

page read and write

2DE31790000

heap

page execute and read and write

2DE31493000

trusted library allocation

page read and write

2DE31483000

trusted library allocation

page read and write

2DE2FAD3000

heap

page read and write

7FF749532000

unkown

page write copy

F72D9FE000

stack

page read and write

7FFAAC445000

trusted library allocation

page read and write

7FF74951F000

unkown

page write copy

2DE2FB53000

heap

page read and write

18123770000

heap

page read and write

2DE2FABA000

heap

page read and write

2DE31430000

trusted library allocation

page read and write

7FF7494F0000

unkown

page readonly

F72D87E000

stack

page read and write

18123850000

heap

page read and write

2DE314A0000

trusted library allocation

page read and write

2DE2FAC2000

heap

page read and write

2DE2FB15000

heap

page read and write

2DE2FB61000

heap

page read and write

2DE49E61000

heap

page read and write

2DE31499000

trusted library allocation

page read and write

2018B7A000

stack

page read and write

2DE31450000

trusted library allocation

page read and write

7FF7494F1000

unkown

page execute read

7FFAAC5F0000

trusted library allocation

page read and write

7FFAAC434000

trusted library allocation

page read and write

F72D30F000

stack

page read and write

2DE2FAC4000

heap

page read and write

2DE2FA80000

heap

page read and write

7FFAAC602000

trusted library allocation

page read and write

7FFAAC5D0000

trusted library allocation

page read and write

7FFAAC440000

trusted library allocation

page read and write

2DE2FAC2000

heap

page read and write

7FFAAC5D2000

trusted library allocation

page read and write

F72D39E000

stack

page read and write

2DE2FA30000

heap

page read and write

2DE2FABA000

heap

page read and write

2DE2FB38000

heap

page read and write

7FFAAC432000

trusted library allocation

page read and write

2DE31410000

trusted library allocation

page read and write

2DE2FB48000

heap

page read and write

2DE2FB49000

heap

page read and write

2DE2FB4E000

heap

page read and write

7FF749533000

unkown

page readonly

2DE315A0000

heap

page read and write

2DE31460000

trusted library allocation

page read and write

2DE49FD0000

heap

page execute and read and write

7FF7494F1000

unkown

page execute read

2DE2FB49000

heap

page read and write

7FFAAC600000

trusted library allocation

page read and write

2DE2F9C0000

unkown

page execute read

2DE314B0000

trusted library allocation

page read and write

2DE49E60000

heap

page read and write

2DE31490000

trusted library allocation

page read and write

2DE314D0000

heap

page read and write

2DE2FAD8000

heap

page read and write

2DE2FB15000

heap

page read and write

7FF74952F000

unkown

page readonly

2DE2FAFE000

heap

page read and write

There are 120 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
mluxGOTw1e.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportmluxGOTw1e.exe

Files

Processes

URLs

Memdumps

IOC Report
mluxGOTw1e.exe