Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7280
Target ID:	0
Parent PID:	2580
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	1857024
MD5:	3E4C006936E63898C8BD8C4ABA82DB63
Time:	10:21:02
Date:	25/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xdc0000
Modulesize:	4837376
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

https://occupy-blushi.sbs/api

104.21.7.169

Details

Name:	https://occupy-blushi.sbs/api
IP:	104.21.7.169
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Suricata IDS alerts with low severity for network traffic	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://property-imper.sbs:443/api

unknown

Details

Name:	https://property-imper.sbs:443/api
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000003.1754419700.00000000013F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755453214.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://occupy-blushi.sbs/apistg

unknown

Details

Name:	https://occupy-blushi.sbs/apistg
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000003.1754688414.000000000146D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754676441.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755603560.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754419700.0000000001469000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://occupy-blushi.sbs/Y

unknown

Details

Name:	https://occupy-blushi.sbs/Y
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000003.1754676441.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754419700.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755603560.0000000001469000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://occupy-blushi.sbs:443/api

unknown

https://occupy-blushi.sbs/

unknown

Details

Name:	https://occupy-blushi.sbs/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000003.1754676441.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754419700.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755603560.0000000001469000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://occupy-blushi.sbs/apih

unknown

https://occupy-blushi.sbs/Q

unknown

Details

Name:	https://occupy-blushi.sbs/Q
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000003.1754676441.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754419700.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755603560.0000000001469000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://occupy-blushi.sbs/a

unknown

Details

Name:	https://occupy-blushi.sbs/a
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000003.1754676441.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754419700.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1755603560.0000000001469000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

occupy-blushi.sbs

104.21.7.169

Details

Name:	occupy-blushi.sbs
IP:	104.21.7.169
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

property-imper.sbs

unknown

frogs-severz.sbs

unknown

IPs

Domain

Country

Malicious

104.21.7.169

occupy-blushi.sbs

United States

Details

IP:	104.21.7.169
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	occupy-blushi.sbs

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

456F000

stack

page read and write

32EE000

stack

page read and write

5190000

direct allocation

page execute and read and write

1409000

heap

page read and write

1461000

heap

page read and write

51B0000

direct allocation

page execute and read and write

13E6000

heap

page read and write

3A2F000

stack

page read and write

146D000

heap

page read and write

5180000

direct allocation

page execute and read and write

3E2E000

stack

page read and write

46EE000

stack

page read and write

506B000

stack

page read and write

37AF000

stack

page read and write

392E000

stack

page read and write

4BB1000

heap

page read and write

2FAD000

heap

page read and write

1409000

heap

page read and write

D15000

heap

page read and write

159E000

stack

page read and write

D6E000

stack

page read and write

52EC000

stack

page read and write

51FA000

trusted library allocation

page read and write

4BB1000

heap

page read and write

1390000

direct allocation

page read and write

10A5000

unkown

page execute and read and write

13E3000

heap

page read and write

1469000

heap

page read and write

107E000

unkown

page execute and read and write

1259000

unkown

page execute and read and write

4BB1000

heap

page read and write

446E000

stack

page read and write

13FC000

heap

page read and write

145E000

heap

page read and write

E05000

unkown

page execute and read and write

146E000

heap

page read and write

51B0000

direct allocation

page execute and read and write

10BD000

unkown

page execute and write copy

4BB0000

heap

page read and write

3DEF000

stack

page read and write

556E000

stack

page read and write

136E000

stack

page read and write

E17000

unkown

page read and write

3CAF000

stack

page read and write

2F90000

direct allocation

page read and write

4BB1000

heap

page read and write

1465000

heap

page read and write

13D4000

heap

page read and write

4BB1000

heap

page read and write

1390000

direct allocation

page read and write

1476000

heap

page read and write

4BB1000

heap

page read and write

125A000

unkown

page execute and write copy

10AE000

unkown

page execute and read and write

CFE000

stack

page read and write

3B6F000

stack

page read and write

3BAE000

stack

page read and write

5074000

direct allocation

page read and write

53ED000

stack

page read and write

13FC000

heap

page read and write

13AA000

heap

page read and write

496E000

stack

page read and write

342E000

stack

page read and write

10BE000

unkown

page execute and write copy

5690000

remote allocation

page read and write

356E000

stack

page read and write

C50000

heap

page read and write

13E6000

heap

page read and write

46AF000

stack

page read and write

1390000

direct allocation

page read and write

3A6E000

stack

page read and write

C40000

heap

page read and write

2FA0000

heap

page read and write

1390000

direct allocation

page read and write

51B0000

direct allocation

page execute and read and write

9DB000

stack

page read and write

DC0000

unkown

page readonly

45AE000

stack

page read and write

13D9000

heap

page read and write

4FF0000

trusted library allocation

page read and write

38EF000

stack

page read and write

4BAF000

stack

page read and write

13F3000

heap

page read and write

5AE0000

heap

page read and write

1390000

direct allocation

page read and write

169F000

stack

page read and write

DC0000

unkown

page read and write

4BB1000

heap

page read and write

1471000

heap

page read and write

2F90000

direct allocation

page read and write

40AE000

stack

page read and write

41AF000

stack

page read and write

1390000

direct allocation

page read and write

51A0000

direct allocation

page execute and read and write

542D000

stack

page read and write

56FE000

stack

page read and write

4BB1000

heap

page read and write

1390000

direct allocation

page read and write

1476000

heap

page read and write

1465000

heap

page read and write

1390000

direct allocation

page read and write

4BB1000

heap

page read and write

1390000

direct allocation

page read and write

482E000

stack

page read and write

36AE000

stack

page read and write

13F3000

heap

page read and write

51D0000

direct allocation

page execute and read and write

4A6F000

stack

page read and write

4BB1000

heap

page read and write

1370000

heap

page read and write

30AF000

stack

page read and write

CBE000

stack

page read and write

E19000

unkown

page execute and read and write

51C0000

direct allocation

page execute and read and write

59AE000

stack

page read and write

47EF000

stack

page read and write

432E000

stack

page read and write

51B0000

direct allocation

page execute and read and write

DC1000

unkown

page execute and write copy

4BB1000

heap

page read and write

516F000

stack

page read and write

FA1000

unkown

page execute and read and write

13A0000

heap

page read and write

13E3000

heap

page read and write

3F6E000

stack

page read and write

1390000

direct allocation

page read and write

3F2F000

stack

page read and write

13E9000

heap

page read and write

41ED000

stack

page read and write

4BB1000

heap

page read and write

552F000

stack

page read and write

4BB1000

heap

page read and write

492F000

stack

page read and write

566F000

stack

page read and write

51E0000

direct allocation

page execute and read and write

352F000

stack

page read and write

4BB1000

heap

page read and write

1390000

direct allocation

page read and write

141A000

heap

page read and write

32AF000

stack

page read and write

146F000

heap

page read and write

141A000

heap

page read and write

1469000

heap

page read and write

2F90000

direct allocation

page read and write

51B0000

direct allocation

page execute and read and write

4BB1000

heap

page read and write

1469000

heap

page read and write

8DB000

stack

page read and write

406F000

stack

page read and write

D10000

heap

page read and write

33EF000

stack

page read and write

2FA7000

heap

page read and write

3CEE000

stack

page read and write

DB0000

heap

page read and write

442F000

stack

page read and write

1471000

heap

page read and write

DC1000

unkown

page execute and read and write

4BB1000

heap

page read and write

13E9000

heap

page read and write

4BB1000

heap

page read and write

13D9000

heap

page read and write

1469000

heap

page read and write

2F7E000

stack

page read and write

4BB1000

heap

page read and write

4BC1000

heap

page read and write

5690000

remote allocation

page read and write

1390000

direct allocation

page read and write

E17000

unkown

page write copy

42EE000

stack

page read and write

51B0000

direct allocation

page execute and read and write

1474000

heap

page read and write

502D000

stack

page read and write

51BD000

stack

page read and write

13AE000

heap

page read and write

1465000

heap

page read and write

1390000

direct allocation

page read and write

DAB000

stack

page read and write

4BB1000

heap

page read and write

1476000

heap

page read and write

4BB1000

heap

page read and write

4BB1000

heap

page read and write

5690000

remote allocation

page read and write

2F3F000

stack

page read and write

57FF000

stack

page read and write

1390000

direct allocation

page read and write

366F000

stack

page read and write

5AAF000

stack

page read and write

583E000

stack

page read and write

4BB1000

heap

page read and write

10BD000

unkown

page execute and read and write

31AF000

stack

page read and write

593F000

stack

page read and write

37EE000

stack

page read and write

4AAE000

stack

page read and write

5030000

direct allocation

page read and write

There are 185 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
file.exe