Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\test2.exe

"C:\Users\user\Desktop\test2.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4468
Target ID:	0
Parent PID:	4084
Name:	test2.exe
Path:	C:\Users\user\Desktop\test2.exe
Commandline:	"C:\Users\user\Desktop\test2.exe"
Size:	303616
MD5:	396EF18C45676B0074E41DC2212E06D3
Time:	10:15:19
Date:	19/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xdb0000
Modulesize:	327680
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample uses string decryption to hide its real strings	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

158.247.200.45

Details

Name:	158.247.200.45
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\test2.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

IPs

Domain

Country

Malicious

158.247.200.45

unknown

United States

Details

IP:	158.247.200.45
TargetID:	0
Current Path:	C:\Users\user\Desktop\test2.exe
Country:	United States
Countrycode:	USA
ASN number:	26133
ASN name:	FEWPBUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

DB2000

unkown

page readonly

12A0000

heap

page read and write

7FFB4AD93000

trusted library allocation

page execute and read and write

1280000

heap

page read and write

1523000

trusted library allocation

page read and write

7FFB4ADBD000

trusted library allocation

page execute and read and write

1520000

trusted library allocation

page read and write

314E000

stack

page read and write

1BC75000

stack

page read and write

17B5000

heap

page read and write

1134000

stack

page read and write

136F000

heap

page read and write

1535000

heap

page read and write

2FD0000

heap

page read and write

13153000

trusted library allocation

page read and write

7FFB4ADA2000

trusted library allocation

page read and write

1180000

heap

page read and write

DB0000

unkown

page readonly

13D7000

heap

page read and write

7FFB4AE40000

trusted library allocation

page read and write

7FFB4ADAD000

trusted library allocation

page execute and read and write

17B0000

heap

page read and write

7FF41AF10000

trusted library allocation

page execute and read and write

7FFB4ADA0000

trusted library allocation

page read and write

7FFB4AEB0000

trusted library allocation

page execute and read and write

7FFB4ADEC000

trusted library allocation

page execute and read and write

13C1000

heap

page read and write

DB0000

unkown

page readonly

1BB1A000

stack

page read and write

1333000

heap

page read and write

1344000

heap

page read and write

1371000

heap

page read and write

1341000

heap

page read and write

1336000

heap

page read and write

132C000

heap

page read and write

13151000

trusted library allocation

page read and write

3151000

trusted library allocation

page read and write

1B6DD000

stack

page read and write

7FFB4AD94000

trusted library allocation

page read and write

130C000

heap

page read and write

14FE000

stack

page read and write

1306000

heap

page read and write

7FFB4AD9D000

trusted library allocation

page execute and read and write

1375000

heap

page read and write

7FFB4ADB0000

trusted library allocation

page read and write

1BB70000

heap

page execute and read and write

1510000

trusted library allocation

page read and write

1300000

heap

page read and write

1530000

heap

page read and write

1260000

heap

page read and write

7FFB4AE76000

trusted library allocation

page execute and read and write

13D5000

heap

page read and write

7FFB4AF30000

trusted library allocation

page read and write

7FFB4AE4C000

trusted library allocation

page execute and read and write

1B180000

trusted library allocation

page read and write

7FFB4AE50000

trusted library allocation

page execute and read and write

17A0000

heap

page read and write

1331000

heap

page read and write

13158000

trusted library allocation

page read and write

3040000

heap

page execute and read and write

1B4D4000

heap

page read and write

12F0000

trusted library allocation

page read and write

There are 52 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
test2.exe

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporttest2.exe

Processes

URLs

IPs

Memdumps

IOC Report
test2.exe