Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

BDQfYL99b2.exe

PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	4.854329136763004
Filename:	BDQfYL99b2.exe
Filesize:	3397673
MD5:	a2dcc2e9dd81e3a5f6440ed7027a86da
SHA1:	3518e330ef6c682445bed81d6ae4e167b003ae4b
SHA256:	3521381fadca86cfc577e8aa81ecff5f3453102559bb7e86d903d9b87db1456c
SHA512:	974da06cf41da5d6e65bf834394ec0e478df55745c922cc7d5b3f8ec6501b1dff5a0b866b8c53c01519f53bee1bf7aeec54e1e6515b105d24f7f5c4a2ec97d9e
SSDEEP:	24576:Q785OVnJmAZaTGTFh98WK3vFLkjKsxnerYU:958BI0FhiKj7nerYU
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....X.f.........."...0.................. ....@...... ....................................`................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API File and Directory Discovery
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if the current process is being debugged	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	File and Directory Discovery
Detected potential crypto function	System Summary	Access Token Manipulation System Time Discovery Process Discovery
Enables debug privileges	Anti Debugging
One or more processes crash	System Summary
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools
Binary contains paths to development resources	System Summary	Access Token Manipulation
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary	Access Token Manipulation
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Public key (encryption) found	Cryptography	Account Discovery System Owner/User Discovery Archive Collected Data
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary	Access Token Manipulation

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BDQfYL99b2.exe_7bbe5769bc74a17327a538bebd597bc1fc5fff7_5d7df1a8_a3bb7f14-0094-4484-b8c1-c1187a5af28d\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BDQfYL99b2.exe_7bbe5769bc74a17327a538bebd597bc1fc5fff7_5d7df1a8_a3bb7f14-0094-4484-b8c1-c1187a5af28d\Report.wer
Category:	dropped
Dump:	Report.wer.6.dr
ID:	dr_4
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	1.0511747411361483
Encrypted:	false
Ssdeep:	192:RuygQ0Ack+i0VeWphaWxey+XfzuiFfZ24lO8K:yQ0AcpVBphaGkXfzuiFfY4lO8K
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E1.tmp.dmp

Mini DuMP crash report, 16 streams, Wed Jul 3 16:23:49 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E1.tmp.dmp
Category:	dropped
Dump:	WER4E1.tmp.dmp.6.dr
ID:	dr_1
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 16 streams, Wed Jul 3 16:23:49 2024, 0x1205a4 type
Entropy:	3.330822188410937
Encrypted:	false
Ssdeep:	3072:JyG1+l8W0u82FLcm1CCq6Fv3+vn+D8m4lIVxzcSk:JyGcbq6Fv3Q+oad
Size:	418192
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER697.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER697.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER697.tmp.WERInternalMetadata.xml.6.dr
ID:	dr_2
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.710969356968757
Encrypted:	false
Ssdeep:	192:R6l7wVeJWSb6Y2D3igmfZLH0oprH89bZB0f0snzm:R6lXJbb6Yqigmf1kZifk
Size:	8818
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C7.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C7.tmp.xml
Category:	dropped
Dump:	WER6C7.tmp.xml.6.dr
ID:	dr_3
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.518270633933075
Encrypted:	false
Ssdeep:	48:cvIwWl8zsNXJg771I9FSWpW8VYZvYm8M4J382EE6Fwfjyq8vo2EEk1E8tNCd:uIjfzI7yz7VVJ/JPjW7JkyECd
Size:	4824
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\json[1].json

JSON data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\json[1].json
Category:	dropped
Dump:	json[1].json.3.dr
ID:	dr_0
Target ID:	3
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
Type:	JSON data
Entropy:	5.013811273052389
Encrypted:	false
Ssdeep:	12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
Size:	962
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.6.dr
ID:	dr_5
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.469059449419846
Encrypted:	false
Ssdeep:	6144:EzZfpi6ceLPx9skLmb0fuZWSP3aJG8nAgeiJRMMhA2zX4WABluuNjjDH5S:qZHtuZWOKnMM6bFpBj4
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\BDQfYL99b2.exe

"C:\Users\user\Desktop\BDQfYL99b2.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1596
Target ID:	0
Parent PID:	4004
Name:	BDQfYL99b2.exe
Path:	C:\Users\user\Desktop\BDQfYL99b2.exe
Commandline:	"C:\Users\user\Desktop\BDQfYL99b2.exe"
Size:	3397673
MD5:	A2DCC2E9DD81E3A5F6440ED7027A86DA
Time:	12:23:46
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x205bb1e0000
Modulesize:	57344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"

Details

Is windows:	true
Is dropped:	false
PID:	4616
Target ID:	3
Parent PID:	1596
Name:	aspnet_wp.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Size:	40880
MD5:	EF2DCDFF05E9679F8D0E2895D9A2E3BB
Time:	12:23:48
Date:	03/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x1e0000
Modulesize:	49152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3704
Target ID:	1
Parent PID:	1596
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	12:23:46
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1596 -s 1064

Details

Is windows:	true
Is dropped:	false
PID:	3896
Target ID:	6
Parent PID:	1596
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 1596 -s 1064
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	12:23:49
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff79aad0000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

bossnacarpet.com

http://geoplugin.net/json.gp

178.237.33.50

http://geoplugin.net/json.gpal

unknown

http://geoplugin.net/json.gpc

unknown

http://upx.sf.net

unknown

http://geoplugin.net/json.gpG

unknown

http://geoplugin.net/json.gp/C

unknown

http://geoplugin.net/json.gpl

unknown

http://geoplugin.net/json.gpr&

unknown

http://geoplugin.net/json.gpr2

unknown

http://geoplugin.net/json.gp/

unknown

http://geoplugin.net/json.gp.

unknown

There are 2 hidden URLs, click here to show them.

Domains

Name

Malicious

vegetachcnc.com

107.173.4.18

Details

Name:	vegetachcnc.com
IP:	107.173.4.18
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

bossnacarpet.com

173.255.204.62

Details

Name:	bossnacarpet.com
IP:	173.255.204.62
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

geoplugin.net

178.237.33.50

Details

Name:	geoplugin.net
IP:	178.237.33.50
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

173.255.204.62

bossnacarpet.com

United States

Details

IP:	173.255.204.62
TargetID:	3
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
Country:	United States
Countrycode:	USA
ASN number:	63949
ASN name:	LINODE-APLinodeLLCUS
Private:	false
Domain:	bossnacarpet.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

107.173.4.18

vegetachcnc.com

United States

Details

IP:	107.173.4.18
TargetID:	3
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
Country:	United States
Countrycode:	USA
ASN number:	36352
ASN name:	AS-COLOCROSSINGUS
Private:	false
Domain:	vegetachcnc.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

52.168.117.173

unknown

United States

Details

IP:	52.168.117.173
TargetID:	6
Current Path:	C:\Windows\System32\WerFault.exe
Country:	United States
Countrycode:	USA
ASN number:	8075
ASN name:	MICROSOFT-CORP-MSN-AS-BLOCKUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

178.237.33.50

geoplugin.net

Netherlands

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\chrome-6W1HCC

exepath

HKEY_CURRENT_USER\SOFTWARE\chrome-6W1HCC

licence

HKEY_CURRENT_USER\SOFTWARE\chrome-6W1HCC

time