IOC Report
MSM8C42iAN.exe

Files

File Path

Type

Category

Malicious

MSM8C42iAN.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataDqJdpmHo.txt

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataHhUnZmvD.txt

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataOebbnOVW.txt

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataWctSLmwW.txt

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataZWdrgPWC.txt

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatansgiHqmX.txt

ASCII text, with CRLF line terminators

modified

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataovGFJnlG.txt

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\LogqueintiseRngmeEXkkcAcRDShRzsDXooICEfirelit

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotAfUkbnDa.BMP

PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotPCPZmWJw.BMP

PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotRmCCGgAk.BMP

PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotmIUnEnEe.BMP

PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotuCjDoATa.BMP

PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotwoFBNXXE.BMP

PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\ScreenshotyVquSyRx.BMP

PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\WebData

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\cookies.db

SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\cookies.db-shm

data

dropped

There are 9 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\MSM8C42iAN.exe

"C:\Users\user\Desktop\MSM8C42iAN.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2220
Target ID:	0
Parent PID:	3504
Name:	MSM8C42iAN.exe
Path:	C:\Users\user\Desktop\MSM8C42iAN.exe
Commandline:	"C:\Users\user\Desktop\MSM8C42iAN.exe"
Size:	459776
MD5:	1A170C3B6FBA79020B7C24631D25AD93
Time:	07:55:02
Date:	25/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	470840
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected DarkCloud	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file has a writeable .text section	System Summary
Sample uses string decryption to hide its real strings	AV Detection
PE file contains an invalid checksum	Data Obfuscation
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary contains paths to development resources	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\wbem\WmiPrvSE.exe

C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	6104
Target ID:	2
Parent PID:	752
Name:	WmiPrvSE.exe
Path:	C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
Commandline:	C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Size:	418304
MD5:	64ACA4F48771A5BA50CD50F2410632AD
Time:	07:55:10
Date:	25/11/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	false
Is elevated:	true
Modulebase:	0xd80000
Modulesize:	434176
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

IP

Malicious

http://showip.net/1

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://duckduckgo.com/ac/?q=

unknown

https://api.telegram.org/bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendDocument?chat_id=

unknown

https://api.telegram.org/bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendDocument?chat_id=6115

unknown

https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://api.telegram.org/bot

unknown

https://showip.net/

unknown

https://unpkg.com/leaflet

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://showip.net/?checkip=

unknown

http://showip.net.

unknown

https://www.ecosia.org/newtab/

unknown

http://showip.net/

unknown

http://showip.net

unknown

http://showip.net4

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

http://showip.netll

unknown

http://schema.org

unknown

https://api.telegram.org/bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendDocument?chat_id=6115850689&caption=DC-KL:::user-PC\user\8.46.123.75

149.154.167.220

https://api.telegram.org/

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://www.openstreetmap.org/copyright

unknown

http://showip.netd

unknown

https://api.telegram.org/abcdefghijklmnopqrstuvwxyz

unknown

https://api.telegram.org/bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendDocument?chat_id=6115850689&caption=DC-SC:::user-PC\user\8.46.123.75

149.154.167.220

http://www.maxmind.com

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

http://showip.netpD

unknown

There are 21 hidden URLs, click here to show them.

Domains

Name

IP

Malicious

showip.net

162.55.60.2

Details

Name:	showip.net
IP:	162.55.60.2
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Suricata IDS alerts with low severity for network traffic	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

s-part-0035.t-0009.t-msedge.net

13.107.246.63

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

IP

Domain

Country

Malicious

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	0
Current Path:	C:\Users\user\Desktop\MSM8C42iAN.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

162.55.60.2

showip.net

United States

Details

IP:	162.55.60.2
TargetID:	0
Current Path:	C:\Users\user\Desktop\MSM8C42iAN.exe
Country:	United States
Countrycode:	USA
ASN number:	35893
ASN name:	ACPCA
Private:	false
Domain:	showip.net

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

401000

unkown

page execute and write copy

5C1000

heap

page read and write

42A4000

heap

page read and write

5AE000

heap

page read and write

5F1000

heap

page read and write

34D6000

heap

page read and write

616000

heap

page read and write

345E000

heap

page read and write

5FF000

heap

page read and write

5E5000

heap

page read and write

605000

heap

page read and write

600000

heap

page read and write

61F000

heap

page read and write

65F000

heap

page read and write

3451000

heap

page read and write

66FC000

heap

page read and write

40F1000

heap

page read and write

688E000

heap

page read and write

60A000

heap

page read and write

5FF000

heap

page read and write

65C000

heap

page read and write

5F61000

heap

page read and write

4ABF000

heap

page read and write

5C1000

heap

page read and write

5D8000

heap

page read and write

3493000

heap

page read and write

600000

heap

page read and write

34D6000

heap

page read and write

400000

unkown

page readonly

5D6000

heap

page read and write

416F000

heap

page read and write

44A000

unkown

page readonly

3457000

heap

page read and write

5EF000

heap

page read and write

60F2000

heap

page read and write

34D6000

heap

page read and write

5D8000

heap

page read and write

467C000

heap

page read and write

60F000

heap

page read and write

348B000

heap

page read and write

3467000

heap

page read and write

5C1000

heap

page read and write

504F000

heap

page read and write

61F000

heap

page read and write

641000

heap

page read and write

5D0000

heap

page read and write

3493000

heap

page read and write

3493000

heap

page read and write

4BBD000

heap

page read and write

51D3000

heap

page read and write

60A000

heap

page read and write

3570000

remote allocation

page read and write

5D5000

heap

page read and write

3493000

heap

page read and write

5C1000

heap

page read and write

3609000

heap

page read and write

61F000

heap

page read and write

5BC000

heap

page read and write

5CB000

heap

page read and write

5CF000

heap

page read and write

5C6000

heap

page read and write

4A41000

heap

page read and write

5C7000

heap

page read and write

5043000

heap

page read and write

61F000

heap

page read and write

3463000

heap

page read and write

5E0000

heap

page read and write

57D2000

heap

page read and write

5CE000

heap

page read and write

3D20000

heap

page read and write

5F1000

heap

page read and write

42A5000

heap

page read and write

5E4000

heap

page read and write

3570000

remote allocation

page read and write

607000

heap

page read and write

5A8000

heap

page read and write

5CC000

heap

page read and write

5FC000

heap

page read and write

65C000

heap

page read and write

5C6000

heap

page read and write

5F1000

heap

page read and write

5EF000

heap

page read and write

5FF000

heap

page read and write

5FC000

heap

page read and write

4677000

heap

page read and write

5FD000

heap

page read and write

3601000

heap

page read and write

5BE000

heap

page read and write

701B000

heap

page read and write

60A000

heap

page read and write

5CA000

heap

page read and write

5D3000

heap

page read and write

5CB000

heap

page read and write

346B000

heap

page read and write

346B000

heap

page read and write

4B3E000

heap

page read and write

5BE000

heap

page read and write

5C7000

heap

page read and write

5E1000

heap

page read and write

5E2000

heap

page read and write

60E000

heap

page read and write

5965000

heap

page read and write

5FF000

heap

page read and write

5CE000

heap

page read and write

5D4000

heap

page read and write

65F000

heap

page read and write

3D26000

heap

page read and write

664000

heap

page read and write

4C41000

heap

page read and write

616000

heap

page read and write

34D6000

heap

page read and write

616000

heap

page read and write

616000

heap

page read and write

664000

heap

page read and write

605000

heap

page read and write

667000

heap

page read and write

4A40000

heap

page read and write

60A000

heap

page read and write

5F7000

heap

page read and write

42AE000

heap

page read and write

345A000

heap

page read and write

5BC000

heap

page read and write

607000

heap

page read and write

5FF000

heap

page read and write

348B000

heap

page read and write

5E2000

heap

page read and write

3451000

heap

page read and write

3466000

heap

page read and write

3570000

remote allocation

page read and write

467A000

heap

page read and write

42A4000

heap

page read and write

There are 121 hidden memdumps, click here to show them.