Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

C:\Users\user\Desktop\extract\Setup.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\Desktop\extract\api-ms-win-core-profile-l1-1-0.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\Desktop\extract\api-ms-win-core-rtlsupport-l1-1-0.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\Desktop\extract\api-ms-win-core-string-l1-1-0.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\Desktop\extract\api-ms-win-core-synch-l1-1-0.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\Desktop\extract\api-ms-win-core-synch-l1-2-0.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\Desktop\extract\api-ms-win-core-sysinfo-l1-1-0.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\Desktop\extract\api-ms-win-core-timezone-l1-1-0.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\Desktop\extract\api-ms-win-core-util-l1-1-0.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\Desktop\extract\api-ms-win-crt-conio-l1-1-0.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\Desktop\extract\api-ms-win-crt-convert-l1-1-0.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\Desktop\extract\api-ms-win-crt-environment-l1-1-0.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\Desktop\extract\api-ms-win-crt-filesystem-l1-1-0.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\Desktop\extract\api-ms-win-crt-heap-l1-1-0.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\Desktop\extract\api-ms-win-crt-locale-l1-1-0.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\Desktop\extract\api-ms-win-crt-math-l1-1-0.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\Desktop\extract\api-ms-win-crt-multibyte-l1-1-0.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\Desktop\extract\api-ms-win-crt-private-l1-1-0.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\Desktop\extract\api-ms-win-crt-process-l1-1-0.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_api_24a6e77318e0bb5eb29992db4daf9eb8d15327cf_e147a954_86d35f76-f56e-4ffc-bc94-3736a8796053\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_api_6c6a6e6bf6b445970e8ef838c8696bd7b5876e0_e147a954_2d8b9a80-499f-4738-8ce7-7d8647786680\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_api_9df865fded585f94f5f016e71860a3884066_e147a954_57177326-392c-4f9b-955a-5f42c59945a9\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_api_9df865fded585f94f5f016e71860a3884066_e147a954_d0a27185-710b-4546-a743-76e98b285bfe\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB2CA.tmp.dmp

Mini DuMP crash report, 14 streams, Wed Oct 30 00:55:16 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB31A.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB349.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC009.tmp.dmp

Mini DuMP crash report, 14 streams, Wed Oct 30 00:55:19 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC087.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC097.tmp.dmp

Mini DuMP crash report, 14 streams, Wed Oct 30 00:55:19 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC103.tmp.dmp

Mini DuMP crash report, 14 streams, Wed Oct 30 00:55:20 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC105.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC172.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC1D1.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC1EE.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC23E.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\Desktop\cmdline.out

ASCII text, with CRLF line terminators

modified

C:\Users\user\Desktop\download\idverificationz.zip

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\Desktop\extract\ks_tyres.ini

ASCII text, with CRLF line terminators

dropped

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

\Device\ConDrv

ASCII text, with CRLF, CR line terminators

dropped

There are 32 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Windows\SysWOW64\7za.exe

7za x -y -pinfected -o"C:\Users\user\Desktop\extract" "C:\Users\user\Desktop\download\idverificationz.zip"

C:\Windows\System32\loaddll64.exe

loaddll64.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll"

C:\Windows\System32\rundll32.exe

rundll32.exe C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll,FlushInstructionCache

C:\Windows\System32\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",#1

C:\Windows\System32\rundll32.exe

rundll32.exe C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll,GetCurrentProcessorNumber

C:\Windows\System32\rundll32.exe

rundll32.exe C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll,GetCurrentProcessorNumberEx

C:\Windows\System32\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",FlushInstructionCache

C:\Windows\System32\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetCurrentProcessorNumber

C:\Windows\System32\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetCurrentProcessorNumberEx

C:\Windows\System32\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",SetThreadIdealProcessorEx

C:\Windows\System32\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",SetThreadContext

C:\Windows\System32\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",SetProcessMitigationPolicy

C:\Windows\System32\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",OpenProcess

C:\Windows\System32\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",IsProcessorFeaturePresent

C:\Windows\System32\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetThreadTimes

C:\Windows\System32\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetThreadIdealProcessorEx

C:\Windows\System32\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetThreadContext

C:\Windows\System32\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetProcessMitigationPolicy

C:\Windows\System32\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetProcessHandleCount

C:\Windows\System32\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetCurrentThreadStackLimits

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://idverificationz.b-cdn.net/idverificationz.zip" > cmdline.out 2>&1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\wget.exe

wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://idverificationz.b-cdn.net/idverificationz.zip"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

cmd.exe /C rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",#1

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2316 -s 316

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 6208 -s 312

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 6304 -s 316

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 7104 -s 316

There are 20 hidden processes, click here to show them.

URLs

Name

Malicious

https://idverificationz.b-cdn.net/idverificationz.zip

http://www.ezbsystems.com/ultraiso/order.php?uilang=ct

unknown

http://www.ezbsystems.com/ultraiso

unknown

http://ocsp.sectigo.com0

unknown

http://www.ezbsystems.com)

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=kr

unknown

http://forum.ezbsystems.com

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=cn

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=gr

unknown

http://www.ultraiso.com

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=de

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=tr

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=pt

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=tw

unknown

http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=cz

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=he

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=pl

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=se

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=jp

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=fr

unknown

https://idverificationz.b-cdn.net/idverificationz.zipOC

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=sk

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=by

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=si

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=ar

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=et

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=es

unknown

https://sectigo.com/CPS0

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=my

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=it

unknown

https://idverificationz.b-cdn.net/idverificationz.zip

169.150.247.35

http://www.ezbsystems.com/ultraiso/order.php?uilang=no

unknown

http://upx.sf.net

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=nl

unknown

http://www.ezbsystems.comhttp://www.ezbsystems.com/ultraisohttp://www.ezbsystems.com/ultraiso/order.

unknown

http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=bg

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=jphttp://www.ezbsystems.com/ultraiso/order.php?u

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=fi

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=ru

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=vn

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=ro

unknown

http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t

unknown

http://www.ezbsystems.com/ultraiso/order.htm

unknown

http://www.ezbsystems.comDVarFileInfo$

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=lt

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=dk

unknown

http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=hu

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=ua

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=hr

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=lv

unknown

http://www.ezbsystems.com

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=mk

unknown

http://www.ezbsystems.com/easyboot

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=yu

unknown

http://www.ezbsystems.com/ultraiso/order.php?uilang=id

unknown

There are 47 hidden URLs, click here to show them.

Domains

Name

Malicious

idverificationz.b-cdn.net

169.150.247.35

Details

Name:	idverificationz.b-cdn.net
IP:	169.150.247.35
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
AI detected suspicious URL	Persistence and Installation Behavior	Browser Extensions
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

169.150.247.35

idverificationz.b-cdn.net

United States

Details

IP:	169.150.247.35
TargetID:	2
Current Path:	C:\Windows\SysWOW64\wget.exe
Country:	United States
Countrycode:	USA
ASN number:	2711
ASN name:	SPIRITTEL-ASUS
Private:	false
Domain:	idverificationz.b-cdn.net

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking