Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

CustomPayload.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.8416209103189685
Filename:	CustomPayload.exe
Filesize:	24496
MD5:	0025bd5b725a83366b8fc30c6b5c65bf
SHA1:	484f6760a8e49df78b1cc3ce1f5620f193864f28
SHA256:	c5cfe951aae6cc74e6e8f1d9c33e15fd1b1bbb34066a10cec27fc62e81d86548
SHA512:	ef444495769ab50da12f8b8133be99e53f41d5ee1d119ecac2ed0b8499673b62cb704c817615ffa7484986f707e5d0877183ee2bf2035559e955563b89929390
SSDEEP:	384:9Av7XUuCQG9p62Z91qrjSo3RV89o3RV8c+Y7h7X2Ip4gOASqjdAA1m5wMRv3cqu6:wQrX6QnFSVKSVN+Y7N2Ip41ASqxf1mlT
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....)e..........."...0..............7... ...@....@.. ...............................I....`................................

Signature Hits	Behavior Group	Mitre Attack
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp Security Software Discovery
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion
One or more processes crash	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Security Software Discovery
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_CustomPayload.ex_5035bc726e39bdc2f26a93f32e1c85a4add9d2_22e67bdd_eabe1e55-6226-428b-b477-e1d723350c71\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_CustomPayload.ex_5035bc726e39bdc2f26a93f32e1c85a4add9d2_22e67bdd_eabe1e55-6226-428b-b477-e1d723350c71\Report.wer
Category:	dropped
Dump:	Report.wer.5.dr
ID:	dr_4
Target ID:	5
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.9133497387628312
Encrypted:	false
Ssdeep:	96:YZF1yTmxssYBgzxymTpQXIDcQBc6TocEq6cw3X+BHUHZ0ownOgFkEwH3d2FYAKca:M3emxs8A0/XotKaWSIzuiFVZ24lO8l
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAEE5.tmp.dmp

Mini DuMP crash report, 16 streams, Tue Sep 10 13:37:39 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERAEE5.tmp.dmp
Category:	dropped
Dump:	WERAEE5.tmp.dmp.5.dr
ID:	dr_1
Target ID:	5
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 16 streams, Tue Sep 10 13:37:39 2024, 0x1205a4 type
Entropy:	3.155853615490259
Encrypted:	false
Ssdeep:	3072:NwGFMi1CCqq5E3+vBLwIB4cUFdXcSzms8y:6GFTqq5E3QxzUFd76
Size:	290345
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB09C.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERB09C.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERB09C.tmp.WERInternalMetadata.xml.5.dr
ID:	dr_2
Target ID:	5
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.7007471402069685
Encrypted:	false
Ssdeep:	192:R6l7wVeJfK0HhZ6Y2Dm+R90gmfi4dbDprT89b6lVfD+m:R6lXJyU6Yb+Rugmfi4dG6nfz
Size:	8560
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0CB.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0CB.tmp.xml
Category:	dropped
Dump:	WERB0CB.tmp.xml.5.dr
ID:	dr_3
Target ID:	5
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.483186463136627
Encrypted:	false
Ssdeep:	48:cvIwWl8zshXPNJg771I939juWpW8VYNYm8M4JHsFjuyq85YK01md:uIjfhXPnI7a9jP7VFJ4uc01md
Size:	4740
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.5.dr
ID:	dr_5
Target ID:	5
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.468769474183624
Encrypted:	false
Ssdeep:	6144:EzZfpi6ceLPx9skLmb0fbZWSP3aJG8nAgeiJRMMhA2zX4WABluuNijDH5S:qZHtbZWOKnMM6bFpIj4
Size:	1835008
Whitelisted:	false
Reputation:	low

\Device\ConDrv

ASCII text, with CRLF, LF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\CustomPayload.exe
Type:	ASCII text, with CRLF, LF line terminators
Entropy:	4.950157693544746
Encrypted:	false
Ssdeep:	6:WsTbZqbbUcfvfAw3XpBQLKPLIP12MUAvvm33JpQWoJPqZEKKZe:2HfvfTHpBQLKPLI4MA3rQ1iZE1e
Size:	324
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\CustomPayload.exe

"C:\Users\user\Desktop\CustomPayload.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3796
Target ID:	0
Parent PID:	4004
Name:	CustomPayload.exe
Path:	C:\Users\user\Desktop\CustomPayload.exe
Commandline:	"C:\Users\user\Desktop\CustomPayload.exe"
Size:	24496
MD5:	0025BD5B725A83366B8FC30C6B5C65BF
Time:	09:37:37
Date:	10/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x17db9580000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	2404
Target ID:	1
Parent PID:	3796
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:37:37
Date:	10/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3796 -s 856

Details

Is windows:	true
Is dropped:	false
PID:	1336
Target ID:	5
Parent PID:	3796
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3796 -s 856
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	09:37:38
Date:	10/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff64b8d0000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://upx.sf.net

unknown