Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3812
Target ID:	0
Parent PID:	4056
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	2640384
MD5:	AB7D13FD2200B07C2BC9FE3B3F7CC837
Time:	06:34:10
Date:	31/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff67e140000
Modulesize:	2662400
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected CredGrabber	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Meduza Stealer	Stealing of Sensitive Information, Remote Access Functionality
PE file has an executable .text section and no other executable section	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

https://api.ipify.org/

104.26.13.205

Details

Name:	https://api.ipify.org/
IP:	104.26.13.205
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.ipify.org

unknown

http://crl.v

unknown

https://api.ipify.org/=

unknown

Domains

Name

Malicious

api.ipify.org

104.26.13.205

Details

Name:	api.ipify.org
IP:	104.26.13.205
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

109.172.94.66

unknown

Russian Federation

Details

IP:	109.172.94.66
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	41691
ASN name:	SUMTEL-AS-RIPEMoscowRussiaRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking

104.26.13.205

api.ipify.org

United States

Details

IP:	104.26.13.205
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

2674DF30000

heap

page read and write

2674E120000

direct allocation

page execute and read and write

2674C5C0000

heap

page read and write

2674C73A000

heap

page read and write

2674EAA1000

heap

page read and write

2674C625000

heap

page read and write

7FF67E3C5000

unkown

page readonly

2674C6B2000

heap

page read and write

2674E53D000

heap

page read and write

2674EA80000

heap

page read and write

2674C620000

heap

page read and write

2674EAAA000

heap

page read and write

FD0A0FB000

stack

page read and write

7FF67E3C2000

unkown

page read and write

FD09DFE000

stack

page read and write

2674C70F000

heap

page read and write

2674C4E0000

heap

page read and write

2674E02E000

heap

page read and write

2674E115000

heap

page read and write

7FF67E3B8000

unkown

page readonly

2674E363000

heap

page read and write

7FF67E17A000

unkown

page readonly

2674C711000

heap

page read and write

2674E01E000

heap

page read and write

2674C6C3000

heap

page read and write

2674ECB3000

heap

page read and write

2674C630000

heap

page read and write

FD098ED000

stack

page read and write

2674C6C1000

heap

page read and write

FD0A1FF000

stack

page read and write

7FF67E141000

unkown

page execute read

2674C6D2000

heap

page read and write

2674EA90000

heap

page read and write

2674E110000

heap

page read and write

FD09FFD000

stack

page read and write

FD09BFE000

stack

page read and write

7FF67E17A000

unkown

page readonly

2674C741000

heap

page read and write

2674E330000

heap

page read and write

2674EB90000

heap

page read and write

7FF67E3C2000

unkown

page write copy

2674C6CF000

heap

page read and write

2674C690000

heap

page read and write

2674ECF9000

heap

page read and write

FD09EFE000

stack

page read and write

FD099FE000

stack

page read and write

2674C699000

heap

page read and write

2674C73D000

heap

page read and write

2674C5F0000

heap

page read and write

2674C6A6000

heap

page read and write

FD098F7000

stack

page read and write

FD09AFE000

stack

page read and write

7FF67E140000

unkown

page readonly

2674FD10000

heap

page read and write

2674DF80000

heap

page read and write

2674C6DF000

heap

page read and write

FD09CFE000

stack

page read and write

There are 47 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
file.exe