Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

adEHIudJGb.exe

PE32+ executable (GUI) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	7.170770312347737
Filename:	adEHIudJGb.exe
Filesize:	1663264
MD5:	ab9870c0ad477a2f5e0078e82c7afb54
SHA1:	0dafaa7feba79f41422715d008deefe5c7d94849
SHA256:	d4610be19ea719ca5ca2ec3f53e2ae70bb60b1345d74d65fdcd18a45282634d4
SHA512:	df2aa714b1b31e435ff766fa572c8408337c430c9216fbd0c0c463b616b3791e0274cb132e8f12273a9e6fb5fcd0ea6a3da1de58f1799471841decd6be02d4dc
SSDEEP:	49152:UEQTCzdN1WD0fvum5MLMERuwvoiRj6KIeVSc/zui+:f1mDRR36K2c/ii+
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."............................@.......................................... ........................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
One or more processes crash	System Summary
PE / OLE file has an invalid certificate	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary	System Information Discovery
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_adEHIudJGb.exe_88f5ee299657cd886959496a81d085468cca591b_deb79f96_d5912164-c91f-4c0f-a0b9-e3d305f75ca8\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_adEHIudJGb.exe_88f5ee299657cd886959496a81d085468cca591b_deb79f96_d5912164-c91f-4c0f-a0b9-e3d305f75ca8\Report.wer
Category:	dropped
Dump:	Report.wer.3.dr
ID:	dr_3
Target ID:	3
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.7822078217881336
Encrypted:	false
Ssdeep:	96:gAF63OD2sKtaPQtYynFQXIDcQVlc6V5cE1cw3M+HbHg/PB6HeaOyVvESKDm6EBoH:d83OD2c0blR5/5jGnFzuiFuZ24lO8M
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
PE / OLE file has an invalid certificate	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4687.tmp.dmp

Mini DuMP crash report, 14 streams, Fri Nov 1 14:55:08 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER4687.tmp.dmp
Category:	dropped
Dump:	WER4687.tmp.dmp.3.dr
ID:	dr_0
Target ID:	3
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Fri Nov 1 14:55:08 2024, 0x1205a4 type
Entropy:	1.427180548930039
Encrypted:	false
Ssdeep:	96:5X8JKuwdTS2YNMG5O2f85WsnkptcQ4x1i7qWjDc2882V2SAEJ7HnwYWIi0IhAkLV:qGQMUD8Oqr820SZTs7qe766
Size:	46164
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4724.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER4724.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER4724.tmp.WERInternalMetadata.xml.3.dr
ID:	dr_1
Target ID:	3
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.701694783015132
Encrypted:	false
Ssdeep:	192:R6l7wVeJaePsP5OG6Y9H7F/gmfUhpDa89bqIhfvOm:R6lXJzPsR6Yd7F/gmfU3qmff
Size:	8520
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4764.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER4764.tmp.xml
Category:	dropped
Dump:	WER4764.tmp.xml.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.480033506134391
Encrypted:	false
Ssdeep:	48:cvIwWl8zsXJg771I9H0WpW8VYaYm8M4JhOQq4F/hyq851BFlaC5qmDBd:uIjf5I7st7VKJhOtChMBz5qmDBd
Size:	4697
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.3.dr
ID:	dr_4
Target ID:	3
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.465814455410295
Encrypted:	false
Ssdeep:	6144:AIXfpi67eLPU9skLmb0b4sWSPKaJG8nAgejZMMhA2gX4WABl0uN/dwBCswSbp:FXD94sWlLZMM6YFHN+p
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\adEHIudJGb.exe

"C:\Users\user\Desktop\adEHIudJGb.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7300
Target ID:	0
Parent PID:	2580
Name:	adEHIudJGb.exe
Path:	C:\Users\user\Desktop\adEHIudJGb.exe
Commandline:	"C:\Users\user\Desktop\adEHIudJGb.exe"
Size:	1663264
MD5:	AB9870C0AD477A2F5E0078E82C7AFB54
Time:	10:55:08
Date:	01/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x140000000
Modulesize:	1683456
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Metasploit Payload	Remote Access Functionality
PE / OLE file has an invalid certificate	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 7300 -s 416

Details

Is windows:	true
Is dropped:	false
PID:	7372
Target ID:	3
Parent PID:	7300
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7300 -s 416
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	10:55:08
Date:	01/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6b8e70000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#

unknown

http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t

unknown

http://upx.sf.net

unknown

https://sectigo.com/CPS0

unknown

http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#

unknown

http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y

unknown

http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0

unknown

http://ocsp.sectigo.com0

unknown

https://www.chiark.greenend.org.uk/~sgtatham/putty/

unknown

https://www.chiark.greenend.org.uk/~sgtatham/putty/0

unknown

http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#

unknown

There are 1 hidden URLs, click here to show them.