Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\VALUESearch.exe

"C:\Users\user\Desktop\VALUESearch.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3092
Target ID:	0
Parent PID:	1028
Name:	VALUESearch.exe
Path:	C:\Users\user\Desktop\VALUESearch.exe
Commandline:	"C:\Users\user\Desktop\VALUESearch.exe"
Size:	3837952
MD5:	BF8E1EDFD9C8B66F2056D400A532E53D
Time:	14:44:26
Date:	31/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc00000
Modulesize:	3895296
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
PE file contains executable resources (Code or Archives)	System Summary
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sigma detected: Office Autorun Keys Modification	System Summary
Sigma detected: Potential Persistence Via Visual Studio Tools for Office	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

https://valuesearch.co.kr/8

unknown

https://valuesearch.co.kr/files/publish/VALUESearchUpdater.exe

unknown

https://valuesearch.co.kr:443/files/publish/xlllibver.txt

unknown

https://valuesearch.co.kr/files/publish/xlllibver.txt

3.39.130.246

Details

Name:	https://valuesearch.co.kr/files/publish/xlllibver.txt
IP:	3.39.130.246
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\VALUESearch.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://valuesearch.co.kr/files/publish/

unknown

Domains

Name

Malicious

valuesearch.co.kr

3.39.130.246

Details

Name:	valuesearch.co.kr
IP:	3.39.130.246
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

3.39.130.246

valuesearch.co.kr

United States

Details

IP:	3.39.130.246
TargetID:	0
Current Path:	C:\Users\user\Desktop\VALUESearch.exe
Country:	United States
Countrycode:	USA
ASN number:	8987
ASN name:	AMAZONEXPANSIONGB
Private:	false
Domain:	valuesearch.co.kr

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Excel\Addins\VALUESearch.XLL

LibraryVersion

Memdumps

Base Address

Regiontype

Protect

Malicious

AFB000

heap

page read and write

556000

stack

page read and write

B15000

heap

page read and write

2DB9000

direct allocation

page read and write

323F000

stack

page read and write

2D20000

direct allocation

page read and write

30F5000

heap

page read and write

B20000

heap

page read and write

B01000

heap

page read and write

EE7000

unkown

page read and write

2D58000

direct allocation

page read and write

2D41000

direct allocation

page read and write

2E09000

direct allocation

page read and write

2D78000

direct allocation

page read and write

B02000

heap

page read and write

B14000

heap

page read and write

B00000

heap

page read and write

2D86000

direct allocation

page read and write

B25000

heap

page read and write

AFA000

heap

page read and write

2D4E000

direct allocation

page read and write

1230000

heap

page read and write

5E0000

heap

page read and write

B0B000

heap

page read and write

B25000

heap

page read and write

2DF2000

direct allocation

page read and write

2DEB000

direct allocation

page read and write

B01000

heap

page read and write

2D70000

direct allocation

page read and write

EE5000

unkown

page write copy

AC0000

heap

page read and write

EEE000

unkown

page read and write

B24000

heap

page read and write

2D9B000

direct allocation

page read and write

11C0000

heap

page read and write

4F60000

heap

page read and write

2E02000

direct allocation

page read and write

B01000

heap

page read and write

2D63000

direct allocation

page read and write

2DD5000

direct allocation

page read and write

EFE000

unkown

page readonly

A90000

heap

page read and write

B01000

heap

page read and write

AB0000

heap

page read and write

AC7000

heap

page read and write

2E3C000

direct allocation

page read and write

AA0000

direct allocation

page execute and read and write

2E18000

direct allocation

page read and write

C00000

unkown

page readonly

337F000

stack

page read and write

308D000

stack

page read and write

2DC0000

direct allocation

page read and write

2D8F000

direct allocation

page read and write

EE5000

unkown

page read and write

304E000

stack

page read and write

EFD000

unkown

page read and write

5B0000

heap

page read and write

B0B000

heap

page read and write

B0A000

heap

page read and write

2DDD000

direct allocation

page read and write

5D0000

heap

page read and write

2E4A000

direct allocation

page read and write

2DFB000

direct allocation

page read and write

2DE4000

direct allocation

page read and write

2E51000

direct allocation

page read and write

121D000

stack

page read and write

30B0000

remote allocation

page read and write

2E43000

direct allocation

page read and write

36FD000

stack

page read and write

B07000

heap

page read and write

2DCE000

direct allocation

page read and write

F00000

unkown

page readonly

B00000

heap

page read and write

2E2D000

direct allocation

page read and write

EF6000

unkown

page read and write

1236000

heap

page read and write

AB3000

heap

page read and write

34D8000

direct allocation

page read and write

327E000

stack

page read and write

2E10000

direct allocation

page read and write

AFC000

heap

page read and write

313E000

stack

page read and write

30F0000

heap

page read and write

2D56000

direct allocation

page read and write

EF1000

unkown

page read and write

30B0000

remote allocation

page read and write

B00000

heap

page read and write

EF9000

unkown

page write copy

2E58000

direct allocation

page read and write

B1C000

heap

page read and write

30E0000

heap

page read and write

2D26000

direct allocation

page read and write

2E1F000

direct allocation

page read and write

B0A000

heap

page read and write

B00000

heap

page read and write

2E26000

direct allocation

page read and write

2E34000

direct allocation

page read and write

AF5000

heap

page read and write

B16000

heap

page read and write

B1B000

heap

page read and write

2D37000

direct allocation

page read and write

AFE000

heap

page read and write

8FB000

stack

page read and write

2DAA000

direct allocation

page read and write

4F70000

heap

page read and write

30B0000

remote allocation

page read and write

5B5000

heap

page read and write

C01000

unkown

page execute read

B0D000

heap

page read and write

AFC000

heap

page read and write

There are 100 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
VALUESearch.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportVALUESearch.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
VALUESearch.exe