Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\3lH2EWD4wU.exe

"C:\Users\user\Desktop\3lH2EWD4wU.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2264
Target ID:	0
Parent PID:	4004
Name:	3lH2EWD4wU.exe
Path:	C:\Users\user\Desktop\3lH2EWD4wU.exe
Commandline:	"C:\Users\user\Desktop\3lH2EWD4wU.exe"
Size:	738435
MD5:	2F9C0BA283506D8333E4F59B29FBEBA3
Time:	09:17:05
Date:	29/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	290816
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Powershell drops PE file	System Summary	PowerShell
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Sigma detected: Potential Binary Or Script Dropper Via PowerShell	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -windowstyle hidden "$Fervence=Get-Content -raw 'C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Nahani132.Udf';$Tuffen=$Fervence.SubString(71717,3);.$Tuffen($Fervence) "

Details

Is windows:	true
Is dropped:	false
PID:	6688
Target ID:	2
Parent PID:	2264
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:	powershell.exe -windowstyle hidden "$Fervence=Get-Content -raw 'C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Nahani132.Udf';$Tuffen=$Fervence.SubString(71717,3);.$Tuffen($Fervence) "
Size:	433152
MD5:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Time:	09:17:06
Date:	29/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xfd0000
Modulesize:	446464
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Suspicious powershell command line found	Data Obfuscation	PowerShell
Sigma detected: Potential Binary Or Script Dropper Via PowerShell	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

Details

Is windows:	true
Is dropped:	false
PID:	4488
Target ID:	8
Parent PID:	6688
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\msiexec.exe
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Size:	59904
MD5:	9D09DC1EDA745A5F87553048E57620CF
Time:	09:18:06
Date:	29/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x4b0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Early bird code injection technique detected	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queues an APC in another process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3872
Target ID:	3
Parent PID:	6688
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:17:06
Date:	29/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://www.bookinginfo.asia/R

unknown

http://nsis.sf.net/NSIS_Error

unknown

https://www.bookinginfo.asia/pkeZmGiUuTK20.bin~Y

unknown

https://www.bookinginfo.asia/mP

unknown

https://www.bookinginfo.asia/.asia:443)

unknown

https://www.bookinginfo.asia/pkeZmGiUuTK20.binv

unknown

https://www.bookinginfo.asia/rP

unknown

https://www.bookinginfo.asia/www.bookinginfo.asia5

unknown

https://www.bookinginfo.asia/pkeZmGiUuTK20.bin;

unknown

https://www.bookinginfo.asia/n

unknown

https://www.bookinginfo.asia/Win64;

unknown

https://www.bookinginfo.asia/:P

unknown

https://www.bookinginfo.asia/pkeZmGiUuTK20.bin1

unknown

http://nsis.sf.net/NSIS_ErrorError

unknown

https://www.bookinginfo.asia/www.bookinginfo.asia

unknown

https://www.bookinginfo.asia/dP

unknown

https://www.bookinginfo.asia/

unknown

https://www.bookinginfo.asia/pkeZmGiUuTK20.bineYQ

unknown

https://www.bookinginfo.asia/pkeZmGiUuTK20.bin

unknown

https://www.bookinginfo.asia/pkeZmGiUuTK20.bin)

unknown

https://www.bookinginfo.asia/pkeZmGiUuTK20.binJ

unknown

There are 11 hidden URLs, click here to show them.

Domains

Name

Malicious

www.bookinginfo.asia

unknown

Details

Name:	www.bookinginfo.asia
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\dissentieringernes\Bilassistenters

soyuz

Memdumps

Base Address

Regiontype

Protect

Malicious

7D74000

remote allocation

page execute and read and write

8AC6000

heap

page read and write

8CF0000

direct allocation

page read and write

23A50000

direct allocation

page read and write

223E000

stack

page read and write

2400000

heap

page read and write

53E000

stack

page read and write

23AD0000

direct allocation

page read and write

4B74000

remote allocation

page execute and read and write

4F0000

heap

page read and write

401000

unkown

page execute read

8A50000

direct allocation

page read and write

4E0000

heap

page read and write

5CE000

heap

page read and write

5F74000

remote allocation

page execute and read and write

8A60000

heap

page read and write

23AA0000

direct allocation

page read and write

8AE8000

heap

page read and write

25B4000

heap

page read and write

23A90000

direct allocation

page read and write

430000

unkown

page read and write

8D10000

heap

page read and write

42C000

unkown

page read and write

23A40000

direct allocation

page read and write

408000

unkown

page readonly

4174000

remote allocation

page execute and read and write

23FCD000

stack

page read and write

43E000

unkown

page read and write

440000

unkown

page readonly

2B7A000

stack

page read and write

85F000

stack

page read and write

88B0000

heap

page read and write

5E4000

heap

page read and write

25B0000

heap

page read and write

2530000

heap

page read and write

98000

stack

page read and write

A5F000

stack

page read and write

23A70000

direct allocation

page read and write

23F8D000

stack

page read and write

8AD0000

heap

page read and write

5D2000

heap

page read and write

2404E000

stack

page read and write

240DE000

stack

page read and write

23E30000

heap

page read and write

8774000

remote allocation

page execute and read and write

2BE0000

heap

page read and write

400000

unkown

page readonly

23AC0000

direct allocation

page read and write

5C4000

heap

page read and write

23F4D000

stack

page read and write

49E000

stack

page read and write

4060000

remote allocation

page execute and read and write

8820000

heap

page read and write

2540000

heap

page read and write

440000

unkown

page readonly

23F0D000

stack

page read and write

23E8E000

stack

page read and write

2408F000

stack

page read and write

400000

unkown

page readonly

40A000

unkown

page read and write

2411D000

stack

page read and write

4E5000

heap

page read and write

5574000

remote allocation

page execute and read and write

23A80000

direct allocation

page read and write

88B5000

heap

page read and write

23ECF000

stack

page read and write

7374000

remote allocation

page execute and read and write

8A6A000

heap

page read and write

450000

heap

page read and write

4DE000

stack

page read and write

401000

unkown

page execute read

570000

heap

page read and write

6974000

remote allocation

page execute and read and write

23AB0000

direct allocation

page read and write

250F000

stack

page read and write

590000

heap

page read and write

2BF0000

heap

page readonly

5C1000

heap

page read and write

2270000

heap

page read and write

23BE000

stack

page read and write

95F000

stack

page read and write

19A000

stack

page read and write

408000

unkown

page readonly

8D00000

direct allocation

page read and write

88A0000

direct allocation

page read and write

40A000

unkown

page write copy

2275000

heap

page read and write

23A60000

direct allocation

page read and write

435000

unkown

page read and write

237F000

stack

page read and write

2B3C000

stack

page read and write

598000

heap

page read and write

There are 82 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
3lH2EWD4wU.exe

Files

Processes

URLs

Domains

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report3lH2EWD4wU.exe

Files

Processes

URLs

Domains

Registry

Memdumps

IOC Report
3lH2EWD4wU.exe