Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

GIYUCke96G.exe

PE32+ executable (GUI) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	5.506337696486408
Filename:	GIYUCke96G.exe
Filesize:	2983936
MD5:	63ba5ec400ebbe6af65441f442652faa
SHA1:	3b8807f8124c0e0d8c8cd816f9a7bc30476fbf5c
SHA256:	bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9
SHA512:	e240e9e07d88908057bba587e32ef1499d0c2d235eed61f1e996ce8959e1c323068ad483a96a7010ea0050440e12a0d82782e79baa186e880e4727452f3a4baf
SSDEEP:	49152:2mVZpRE5HFjH4MLMmcX17+kSmn75+dEsgY5OK:fgvFcXV3cJ5
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............n...n...n...m...n...k...n...j...n.Gek...n.Gej...n.Gem...n...o...n...o...n..em...n...n...n.vfk...n.vf....n.vfl...n.Rich..n

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Found direct / indirect Syscall (likely to bypass EDR)	HIPS / PFW / Operating System Protection Evasion	Abuse Elevation Control Mechanism
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found large amount of non-executed APIs	Malware Analysis System Evasion
One or more processes crash	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a debug data directory	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_GIYUCke96G.exe_4f8fc75c7ae03519ba32df973fcbeda86d1ecbbb_135d818b_9064d5b3-0f98-489e-9c5d-f62a688a6a9c\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_GIYUCke96G.exe_4f8fc75c7ae03519ba32df973fcbeda86d1ecbbb_135d818b_9064d5b3-0f98-489e-9c5d-f62a688a6a9c\Report.wer
Category:	dropped
Dump:	Report.wer.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.745139971575256
Encrypted:	false
Ssdeep:	96:AtF1t44FzGsycqhsoa7JnuQXIDcQNc6dcEjcw3eM+HbHg/TgJ3YOZUXOyKnhfHNI:A3t4qzGxu0zZZa1j/yzuiFSZ24lO8I
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD900.tmp.dmp

Mini DuMP crash report, 15 streams, Fri May 24 03:25:24 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERD900.tmp.dmp
Category:	dropped
Dump:	WERD900.tmp.dmp.4.dr
ID:	dr_0
Target ID:	4
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 15 streams, Fri May 24 03:25:24 2024, 0x1205a4 type
Entropy:	2.652347589422294
Encrypted:	false
Ssdeep:	3072:fqqSyxQf7GmTWZikG9e4vvYTFpCPxLHk9EMG6h1HOE1t:fqTGAWCvMqHtMG/E1
Size:	295220
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDBFF.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERDBFF.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERDBFF.tmp.WERInternalMetadata.xml.4.dr
ID:	dr_1
Target ID:	4
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.708714771647923
Encrypted:	false
Ssdeep:	192:R6l7wVeJ17cRRBQ6YEIsE2SzgmfYVTprV89bXngfUq9m:R6lXJZcRRBQ6YEzE2SzgmfYWXgfUZ
Size:	8570
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDCBB.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERDCBB.tmp.xml
Category:	dropped
Dump:	WERDCBB.tmp.xml.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.515548037207879
Encrypted:	false
Ssdeep:	48:cvIwWl8zsWJg771I9xmWpW8VY375Ym8M4JdzFuPyq85YqhZko+Pfd:uIjfsI7+n7VEoJ+Pyoo+nd
Size:	4752
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.42205093861428
Encrypted:	false
Ssdeep:	6144:qSvfpi6ceLP/9skLmb0OT3WSPHaJG8nAgeMZMMhA2fX4WABlEnNX0uhiTw:ZvloT3W+EZMM6DFyh03w
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\GIYUCke96G.exe

"C:\Users\user\Desktop\GIYUCke96G.exe"

Details

Is windows:	true
Is dropped:	false
PID:	2724
Target ID:	0
Parent PID:	1028
Name:	GIYUCke96G.exe
Path:	C:\Users\user\Desktop\GIYUCke96G.exe
Commandline:	"C:\Users\user\Desktop\GIYUCke96G.exe"
Size:	2983936
MD5:	63BA5EC400EBBE6AF65441F442652FAA
Time:	23:25:22
Date:	23/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x140000000
Modulesize:	3031040
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2724 -s 396

Details

Is windows:	true
Is dropped:	false
PID:	3664
Target ID:	4
Parent PID:	2724
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2724 -s 396
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	23:25:23
Date:	23/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff69d980000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://upx.sf.net

unknown