Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

X3wHy1PMMl.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_X3wHy1PMMl.exe_6fb70a6b89a1fcb85aae6e66dbf2a80fdba22e5_0823464b_4ef544fd-0f3a-45a5-bb27-c9a520d1a7f8\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_X3wHy1PMMl.exe_752a80b92e4080208fdb25f4d516950dc99_0823464b_b4369cab-eb03-4b3f-8375-36451f3f54a4\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD925.tmp.dmp

Mini DuMP crash report, 14 streams, Mon May 27 01:02:56 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD974.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD9B4.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB29.tmp.dmp

Mini DuMP crash report, 14 streams, Mon May 27 01:02:56 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB68.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB88.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\X3wHy1PMMl.exe

"C:\Users\user\Desktop\X3wHy1PMMl.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6220
Target ID:	0
Parent PID:	1028
Name:	X3wHy1PMMl.exe
Path:	C:\Users\user\Desktop\X3wHy1PMMl.exe
Commandline:	"C:\Users\user\Desktop\X3wHy1PMMl.exe"
Size:	50176
MD5:	48CE1BD3CBE33CE89D634155C6B278DE
Time:	21:02:55
Date:	26/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	151552
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6220 -s 228

Details

Is windows:	true
Is dropped:	false
PID:	2200
Target ID:	3
Parent PID:	6220
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6220 -s 228
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	21:02:56
Date:	26/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xaa0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6220 -s 236

Details

Is windows:	true
Is dropped:	false
PID:	5752
Target ID:	6
Parent PID:	6220
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6220 -s 236
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	21:02:56
Date:	26/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xaa0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://upx.sf.net

unknown