Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\xxx.exe

"C:\Users\user\Desktop\xxx.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2420
Target ID:	0
Parent PID:	4004
Name:	xxx.exe
Path:	C:\Users\user\Desktop\xxx.exe
Commandline:	"C:\Users\user\Desktop\xxx.exe"
Size:	59192
MD5:	708ADEF6DA5AC2FFEE5F01F277560749
Time:	07:27:02
Date:	16/01/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	77824
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3160
Target ID:	1
Parent PID:	2420
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	07:27:02
Date:	16/01/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://156.245.12.57:8000/999.html

156.245.12.57

Details

Name:	http://156.245.12.57:8000/999.html
IP:	156.245.12.57
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\xxx.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

http://156.245.12.57/

unknown

http://156.245.12.57:8000/999.html:

unknown

http://156.245.12.57:8000/999.html)

unknown

http://156.245.12.57/nes

unknown

IPs

Domain

Country

Malicious

156.245.12.57

unknown

Seychelles

Details

IP:	156.245.12.57
TargetID:	0
Current Path:	C:\Users\user\Desktop\xxx.exe
Country:	Seychelles
Countrycode:	SYC
ASN number:	133199
ASN name:	SONDERCLOUDLIMITED-AS-APSonderCloudLimitedHK
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

405000

unkown

page readonly

400000

unkown

page readonly

28CF000

stack

page read and write

80000

heap

page read and write

6F0000

heap

page read and write

401000

unkown

page execute read

762000

heap

page read and write

2ECF000

stack

page read and write

412000

unkown

page readonly

722000

heap

page read and write

9EE000

stack

page read and write

160000

heap

page read and write

6FC000

heap

page read and write

400000

unkown

page readonly

40D000

unkown

page readonly

412000

unkown

page readonly

77F000

heap

page read and write

2ACF000

stack

page read and write

405000

unkown

page readonly

61A000

stack

page read and write

1D0000

heap

page read and write

401000

unkown

page execute read

238E000

stack

page read and write

1D5000

heap

page read and write

6F6000

heap

page read and write

749000

heap

page read and write

2CCE000

stack

page read and write

180000

heap

page read and write

409000

unkown

page write copy

40D000

unkown

page readonly

30C8000

stack

page read and write

409000

unkown

page read and write

32CD000

stack

page read and write

702000

heap

page read and write

There are 24 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
xxx.exe

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportxxx.exe

Processes

URLs

IPs

Memdumps

IOC Report
xxx.exe