Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6676
Target ID:	0
Parent PID:	4056
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	1850880
MD5:	339B28FD2DBB4A572A4FC6B7207448D7
Time:	15:27:11
Date:	25/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd80000
Modulesize:	4829184
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

https://occupy-blushi.sbs/api

172.67.187.240

Details

Name:	https://occupy-blushi.sbs/api
IP:	172.67.187.240
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
IP address seen in connection with other malware	Networking
Suricata IDS alerts with low severity for network traffic	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://occupy-blushi.sbs/api_

unknown

http://crl.micro

unknown

Details

Name:	http://crl.micro
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000003.1350217159.00000000016DC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1350050559.0000000001691000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://occupy-blushi.sbs/

unknown

Details

Name:	https://occupy-blushi.sbs/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000003.1350050559.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1351046791.00000000016E7000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://occupy-blushi.sbs/apiUs

unknown

https://occupy-blushi.sbs/&

unknown

https://occupy-blushi.sbs/f

unknown

Domains

Name

Malicious

occupy-blushi.sbs

172.67.187.240

Details

Name:	occupy-blushi.sbs
IP:	172.67.187.240
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

property-imper.sbs

unknown

frogs-severz.sbs

unknown

IPs

Domain

Country

Malicious

172.67.187.240

occupy-blushi.sbs

United States

Details

IP:	172.67.187.240
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	occupy-blushi.sbs

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

1665000

heap

page read and write

5540000

direct allocation

page read and write

490F000

stack

page read and write

5090000

direct allocation

page read and write

107D000

unkown

page execute and read and write

454F000

stack

page read and write

1750000

heap

page read and write

5584000

direct allocation

page read and write

1754000

heap

page read and write

162A000

heap

page read and write

50A1000

heap

page read and write

1754000

heap

page read and write

56C0000

direct allocation

page execute and read and write

593D000

stack

page read and write

5BBF000

stack

page read and write

1657000

heap

page read and write

5090000

direct allocation

page read and write

494E000

stack

page read and write

107D000

unkown

page execute and write copy

5090000

direct allocation

page read and write

1754000

heap

page read and write

1671000

heap

page read and write

56F0000

direct allocation

page execute and read and write

73D00000

unkown

page readonly

16DF000

heap

page read and write

38CF000

stack

page read and write

50A1000

heap

page read and write

1754000

heap

page read and write

50A1000

heap

page read and write

37CE000

stack

page read and write

54E0000

trusted library allocation

page read and write

1754000

heap

page read and write

5090000

direct allocation

page read and write

408E000

stack

page read and write

1653000

heap

page read and write

5090000

direct allocation

page read and write

1754000

heap

page read and write

1754000

heap

page read and write

4F8E000

stack

page read and write

344D000

heap

page read and write

56C0000

direct allocation

page execute and read and write

597E000

stack

page read and write

4E4E000

stack

page read and write

1754000

heap

page read and write

54F0000

heap

page read and write

56D0000

direct allocation

page execute and read and write

F5C000

unkown

page execute and read and write

50A1000

heap

page read and write

42CF000

stack

page read and write

50A1000

heap

page read and write

1657000

heap

page read and write

DD7000

unkown

page read and write

16E2000

heap

page read and write

56A0000

direct allocation

page execute and read and write

5090000

direct allocation

page read and write

5690000

direct allocation

page execute and read and write

4E0F000

stack

page read and write

1610000

heap

page read and write

354F000

stack

page read and write

33EB000

stack

page read and write

1754000

heap

page read and write

5E7F000

stack

page read and write

468F000

stack

page read and write

1685000

heap

page read and write

D80000

unkown

page readonly

73D1F000

unkown

page readonly

165F000

heap

page read and write

DC5000

unkown

page execute and read and write

73D01000

unkown

page execute read

3430000

heap

page read and write

50A1000

heap

page read and write

1217000

unkown

page execute and read and write

D81000

unkown

page execute and read and write

5FDF000

stack

page read and write

3F0F000

stack

page read and write

16E7000

heap

page read and write

50A1000

heap

page read and write

4F4F000

stack

page read and write

5090000

direct allocation

page read and write

5530000

direct allocation

page read and write

73D1D000

unkown

page read and write

418F000

stack

page read and write

3440000

heap

page read and write

1754000

heap

page read and write

5703000

trusted library allocation

page read and write

1720000

heap

page read and write

12AB000

stack

page read and write

3A4E000

stack

page read and write

1754000

heap

page read and write

3DCF000

stack

page read and write

1754000

heap

page read and write

1754000

heap

page read and write

444E000

stack

page read and write

50A1000

heap

page read and write

3E0E000

stack

page read and write

5D0D000

stack

page read and write

1620000

heap

page read and write

50A1000

heap

page read and write

1671000

heap

page read and write

508F000

stack

page read and write

1754000

heap

page read and write

5090000

direct allocation

page read and write

186E000

stack

page read and write

165F000

heap

page read and write

50A1000

heap

page read and write

3B8E000

stack

page read and write

16F6000

heap

page read and write

13AB000

stack

page read and write

196F000

stack

page read and write

368E000

stack

page read and write

3F4E000

stack

page read and write

50A1000

heap

page read and write

56CD000

stack

page read and write

1754000

heap

page read and write

16E7000

heap

page read and write

6060000

heap

page read and write

1AAF000

stack

page read and write

3B4F000

stack

page read and write

5530000

direct allocation

page read and write

3447000

heap

page read and write

4BCE000

stack

page read and write

50A1000

heap

page read and write

342E000

stack

page read and write

16DC000

heap

page read and write

56C0000

direct allocation

page execute and read and write

DD9000

unkown

page execute and read and write

1667000

heap

page read and write

378F000

stack

page read and write

50A0000

heap

page read and write

56E0000

direct allocation

page execute and read and write

1039000

unkown

page execute and read and write

5BC0000

remote allocation

page read and write

16E2000

heap

page read and write

106E000

unkown

page execute and read and write

3A0F000

stack

page read and write

480E000

stack

page read and write

1691000

heap

page read and write

557C000

stack

page read and write

50A1000

heap

page read and write

50B0000

heap

page read and write

5090000

direct allocation

page read and write

430E000

stack

page read and write

47CF000

stack

page read and write

440F000

stack

page read and write

1754000

heap

page read and write

19AE000

stack

page read and write

56C0000

direct allocation

page execute and read and write

50A1000

heap

page read and write

4B8F000

stack

page read and write

D80000

unkown

page read and write

56B0000

direct allocation

page execute and read and write

50A1000

heap

page read and write

4D0E000

stack

page read and write

16E7000

heap

page read and write

16F1000

heap

page read and write

5A7E000

stack

page read and write

5090000

direct allocation

page read and write

3CCE000

stack

page read and write

50A1000

heap

page read and write

1754000

heap

page read and write

32AE000

stack

page read and write

1665000

heap

page read and write

1685000

heap

page read and write

390E000

stack

page read and write

5530000

direct allocation

page read and write

1667000

heap

page read and write

567F000

stack

page read and write

404F000

stack

page read and write

4A8E000

stack

page read and write

1065000

unkown

page execute and read and write

107E000

unkown

page execute and write copy

5ABE000

stack

page read and write

4A4F000

stack

page read and write

33AF000

stack

page read and write

50A1000

heap

page read and write

583D000

stack

page read and write

5090000

direct allocation

page read and write

D81000

unkown

page execute and write copy

16F7000

heap

page read and write

56C0000

direct allocation

page execute and read and write

57FD000

stack

page read and write

5090000

direct allocation

page read and write

1754000

heap

page read and write

50A1000

heap

page read and write

46CE000

stack

page read and write

16F8000

heap

page read and write

5BC0000

remote allocation

page read and write

50A1000

heap

page read and write

56C0000

direct allocation

page execute and read and write

458E000

stack

page read and write

1218000

unkown

page execute and write copy

5D7E000

stack

page read and write

16E2000

heap

page read and write

5BC0000

remote allocation

page read and write

5EDE000

stack

page read and write

3C8F000

stack

page read and write

50A1000

heap

page read and write

1754000

heap

page read and write

1754000

heap

page read and write

4CCF000

stack

page read and write

73D16000

unkown

page readonly

162E000

heap

page read and write

1691000

heap

page read and write

364F000

stack

page read and write

5090000

direct allocation

page read and write

5090000

direct allocation

page read and write

DD7000

unkown

page write copy

41CE000

stack

page read and write

5C0E000

stack

page read and write

16E7000

heap

page read and write

There are 200 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
file.exe