Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6152
Target ID:	0
Parent PID:	1028
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	39936
MD5:	FEEFFE6B4EC91B7313A0F0C3A2BC9850
Time:	06:32:58
Date:	22/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xb20000
Modulesize:	65536
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample uses string decryption to hide its real strings	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

87.120.113.179

Details

Name:	87.120.113.179
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000002.4523082843.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

87.120.113.179

unknown

Bulgaria

Details

IP:	87.120.113.179
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	Bulgaria
Countrycode:	BGR
ASN number:	25206
ASN name:	UNACS-AS-BG8000BurgasBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

B22000

unkown

page readonly

2FE1000

trusted library allocation

page read and write

1046000

heap

page read and write

12FF1000

trusted library allocation

page read and write

7FF848D50000

trusted library allocation

page read and write

2E67000

heap

page read and write

10AD000

heap

page read and write

1140000

trusted library allocation

page read and write

1BD74000

stack

page read and write

1B45D000

stack

page read and write

2E50000

heap

page read and write

1150000

trusted library allocation

page read and write

1C0F5000

heap

page read and write

1C112000

heap

page read and write

1C098000

heap

page read and write

1BF7E000

stack

page read and write

2E2E000

stack

page read and write

7FF848D8C000

trusted library allocation

page execute and read and write

7FF848F00000

trusted library allocation

page execute and read and write

132C000

stack

page read and write

B20000

unkown

page readonly

7FF848D4D000

trusted library allocation

page execute and read and write

1BB74000

stack

page read and write

1C119000

heap

page read and write

1C96C000

stack

page read and write

1020000

trusted library allocation

page read and write

1B840000

heap

page read and write

1153000

trusted library allocation

page read and write

7FF848D33000

trusted library allocation

page execute and read and write

1C115000

heap

page read and write

1118000

heap

page read and write

11A0000

heap

page read and write

1C36D000

stack

page read and write

1C07D000

stack

page read and write

7FF848EF0000

trusted library allocation

page execute and read and write

7FF848DEC000

trusted library allocation

page execute and read and write

1225000

heap

page read and write

BE0000

heap

page read and write

1B995000

stack

page read and write

1B893000

heap

page read and write

1C080000

heap

page read and write

142F000

stack

page read and write

1B010000

trusted library allocation

page read and write

1100000

heap

page read and write

7FF848D34000

trusted library allocation

page read and write

104C000

heap

page read and write

7FF848E16000

trusted library allocation

page execute and read and write

B20000

unkown

page readonly

7FF848DE0000

trusted library allocation

page read and write

1C56F000

stack

page read and write

1B890000

heap

page read and write

BB0000

heap

page read and write

7FF848DE6000

trusted library allocation

page read and write

1585000

heap

page read and write

1C86C000

stack

page read and write

2FD0000

heap

page execute and read and write

1C11E000

heap

page read and write

1220000

heap

page read and write

7FF848D5B000

trusted library allocation

page execute and read and write

1104000

heap

page read and write

1C0D4000

heap

page read and write

7FF848D30000

trusted library allocation

page read and write

12FE1000

trusted library allocation

page read and write

1084000

heap

page read and write

1BA70000

heap

page execute and read and write

7FF848E50000

trusted library allocation

page execute and read and write

FD0000

heap

page read and write

7FF848D40000

trusted library allocation

page read and write

BC0000

heap

page read and write

1580000

heap

page read and write

7FF848D54000

trusted library allocation

page read and write

1C121000

heap

page read and write

7FF848D3D000

trusted library allocation

page execute and read and write

7FF848ED0000

trusted library allocation

page read and write

1B7DE000

stack

page read and write

EF1000

stack

page read and write

7FF848EE0000

trusted library allocation

page read and write

1BC7A000

stack

page read and write

7FF488050000

trusted library allocation

page execute and read and write

7FF848D5D000

trusted library allocation

page execute and read and write

1BE7E000

stack

page read and write

7FF848DF0000

trusted library allocation

page execute and read and write

2FAE000

stack

page read and write

7FF848D42000

trusted library allocation

page read and write

1C134000

heap

page read and write

1081000

heap

page read and write

1C12B000

heap

page read and write

152B000

stack

page read and write

106C000

heap

page read and write

1040000

heap

page read and write

1C76A000

stack

page read and write

There are 81 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Processes

URLs

IPs

Memdumps

IOC Report
file.exe