Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

w7kdnBzGat.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.073071814296369
Filename:	w7kdnBzGat.exe
Filesize:	779264
MD5:	b4ffec30abb0de7d297eb9b20b7c02e3
SHA1:	d76f4e95865dbf8291ba2a073b56941cd0f0f822
SHA256:	3d0b4757cc7790b45bcf440913e3e82bdf5107dc103fd2f392461dc59ee0a6db
SHA512:	9f244a905f26966f9f099f15a57ef74e8449a31d8e9fd22fcd8c916a8c3b31e73602a6e40e744a2c59938dc1c05771c39d3cbf09f45b4e44b589cfd1a38272c1
SSDEEP:	12288:UtASL4Dwt7jcpgn3MhGSt5j9C5WTn6WHsLErFsbqGBuG97GWHrSxZrcuJm1w:UtASL4DWjcpgn3M4qPkWTn6WHsLEgDlj
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8..sV..sV..sV...U..sV...S.csV...R..sV...R..sV...U..sV...W..sV..sW..sV...S..sV.:._..sV.:.T..sV.Rich.sV........................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging	Security Software Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	System Time Discovery Process Discovery Archive Collected Data Encrypted Channel
Found large amount of non-executed APIs	Malware Analysis System Evasion	System Time Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
One or more processes crash	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information Security Software Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to modify the execution of threads in other processes		Security Software Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Might use command line arguments	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w7kdnBzGat.exe_3c8c512cf549e9ce237cc88c2aab5759f36d91_ed2726f5_58e1a148-72c3-4395-902b-3ee4fba2d5b4\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w7kdnBzGat.exe_3c8c512cf549e9ce237cc88c2aab5759f36d91_ed2726f5_58e1a148-72c3-4395-902b-3ee4fba2d5b4\Report.wer
Category:	dropped
Dump:	Report.wer.8.dr
ID:	dr_3
Target ID:	8
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.6762783464580949
Encrypted:	false
Ssdeep:	192:WXnseF3ese/WreVredl0aTlQeKeHjSzuiFYZ24IO8aeVex:ast/WCVCdGaTlx7HjSzuiFYY4IO8L8x
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD38.tmp.dmp

Mini DuMP crash report, 14 streams, Mon May 27 12:53:07 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD38.tmp.dmp
Category:	dropped
Dump:	WERFD38.tmp.dmp.8.dr
ID:	dr_0
Target ID:	8
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Mon May 27 12:53:07 2024, 0x1205a4 type
Entropy:	1.747656862174382
Encrypted:	false
Ssdeep:	96:5480sm+RAiQDkKOe9i7ywwQp3CAq5k+rD3Hy3JIyMlsQ0dv4WIkWI7IIUdnaCsIk:lNe9OaU1+rD3+qgudnaCsIoN
Size:	33904
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD87.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD87.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERFD87.tmp.WERInternalMetadata.xml.8.dr
ID:	dr_1
Target ID:	8
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6938770319895466
Encrypted:	false
Ssdeep:	192:R6l7wVeJ4eSs6L6YEIFSU9RdzgmfYedeiXf7pDO89bWbKsf+3wjm:R6lXJZJ6L6YEqSU9Rdzgmf5EiXfpWbpW
Size:	8402
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFDD6.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERFDD6.tmp.xml
Category:	dropped
Dump:	WERFDD6.tmp.xml.8.dr
ID:	dr_2
Target ID:	8
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.451402737810149
Encrypted:	false
Ssdeep:	96:uIjf3I7AoKe7VSJ/EZ6ZtKMZ6ZNtqznMKMud:uIDYRl7okOZONQMNE
Size:	4680
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.8.dr
ID:	dr_4
Target ID:	8
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.42156960752149
Encrypted:	false
Ssdeep:	6144:CSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNm0uhiTw:RvloTMW+EZMM6DFyY03w
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\w7kdnBzGat.exe

"C:\Users\user\Desktop\w7kdnBzGat.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4288
Target ID:	0
Parent PID:	1028
Name:	w7kdnBzGat.exe
Path:	C:\Users\user\Desktop\w7kdnBzGat.exe
Commandline:	"C:\Users\user\Desktop\w7kdnBzGat.exe"
Size:	779264
MD5:	B4FFEC30ABB0DE7D297EB9B20B7C02E3
Time:	08:52:58
Date:	27/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x4a0000
Modulesize:	794624
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Mars stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	408
Target ID:	1
Parent PID:	4288
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	08:52:58
Date:	27/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xc50000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Mars stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Stealc	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit

Details

Is windows:	true
Is dropped:	false
PID:	6164
Target ID:	3
Parent PID:	408
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	08:53:01
Date:	27/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x790000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6656
Target ID:	4
Parent PID:	6164
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	08:53:01
Date:	27/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

Details

Is windows:	true
Is dropped:	false
PID:	6592
Target ID:	5
Parent PID:	6164
Name:	timeout.exe
Path:	C:\Windows\SysWOW64\timeout.exe
Commandline:	timeout /t 5
Size:	25088
MD5:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Time:	08:53:01
Date:	27/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa30000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 268

Details

Is windows:	true
Is dropped:	false
PID:	4796
Target ID:	8
Parent PID:	4288
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 268
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	08:53:07
Date:	27/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xef0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://23.88.106.134/84bad7132df89fd7/sqlite3.dll

23.88.106.134

Details

Name:	http://23.88.106.134/84bad7132df89fd7/sqlite3.dll
IP:	23.88.106.134
TargetID:	1
From Memory:	false
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

http://23.88.106.134/c73eed764cc59dcb.php

23.88.106.134

Details

Name:	http://23.88.106.134/c73eed764cc59dcb.php
IP:	23.88.106.134
TargetID:	1
From Memory:	false
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

http://23.88.106.134

unknown

Details

Name:	http://23.88.106.134
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source:	RegAsm.exe, 00000001.00000002.2034961312.000000000106A000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

http://upx.sf.net

unknown

http://23.88.106.134/c73eed764cc59dcb.php.0//EN

unknown

Details

Name:	http://23.88.106.134/c73eed764cc59dcb.php.0//EN
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source:	RegAsm.exe, 00000001.00000002.2034339347.0000000000550000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2034339347.000000000054D000.00000040.00000400.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://23.88.106.134/c73eed764cc59dcb.phpxKr

unknown

http://23.88.106.134/c73eed764cc59dcb.phpininit.exe

unknown

IPs

Domain

Country

Malicious

23.88.106.134

unknown

United States

Details

IP:	23.88.106.134
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United States
Countrycode:	USA
ASN number:	18978
ASN name:	ENZUINC-US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking