Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Base64.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	5.077287003077472
Filename:	Base64.exe
Filesize:	12288
MD5:	1622226f04adfc7b0c1ceec4b0b4236f
SHA1:	b0c6852d56a507e82da9760789c6708f6f332290
SHA256:	7a1d47b6f3c6d03bf7da12a84360ec19edeca08292c3b60156f8063ee639f1aa
SHA512:	bba57da2a9d3cee009d5b71ae299458fd7e897bc38f2404dd76731ec413d4cfdbceed654fe042d85ba16696be8b326e29d52cfdf908837b66784dd20ab3f23b0
SSDEEP:	192:zf60gXWMU3Ba9chWAqCSRKJxMF8/HW4HsUW3Q5tfqXU/iU:F/3B8ckADxMFiHs31H
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........L..j-o.j-o.j-o.cU..`-o.8En.h-o.8Ej.x-o.8Ek.`-o.8El.h-o..Kn.o-o.j-n.[-o..Df.k-o..D..k-o..Dm.k-o.Richj-o.........PE..d...f._e...

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
One or more processes crash	System Summary
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Base64.exe_499bb04f6bdfe31790fb9aa21d698a8ce2359192_99c0ef0c_e220a379-e700-4e94-b819-ac1f88aca209\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Base64.exe_499bb04f6bdfe31790fb9aa21d698a8ce2359192_99c0ef0c_e220a379-e700-4e94-b819-ac1f88aca209\Report.wer
Category:	dropped
Dump:	Report.wer.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.6531036359334809
Encrypted:	false
Ssdeep:	96:B7FBsks6Qs6hgoW7JfuQXIDcQhc6UYcECAcw3a+HbHg/JgmZAX/d5FMT2SlPkpXz:9Y6Qw0vFUAfjJzuiFuZ24lO8rb
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA9F.tmp.dmp

Mini DuMP crash report, 14 streams, Sun Dec 22 04:29:57 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA9F.tmp.dmp
Category:	dropped
Dump:	WERBA9F.tmp.dmp.4.dr
ID:	dr_0
Target ID:	4
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Sun Dec 22 04:29:57 2024, 0x1205a4 type
Entropy:	1.4910655781852
Encrypted:	false
Ssdeep:	96:5v8HczW2TEP/4ki76NtjPcZ91qusrzcjAnUfimSM7rqkddcQPmnyhtv+kM3WIHNi:SHBYkOKt45sH3I7rqkjJekV9b/
Size:	53886
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB1D.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB1D.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERBB1D.tmp.WERInternalMetadata.xml.4.dr
ID:	dr_1
Target ID:	4
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.700565791001288
Encrypted:	false
Ssdeep:	192:R6l7wVeJMqML6YEIX5I+gmfoXpr089bw1Rf7wm:R6lXJBg6YEo5I+gmfobwzfJ
Size:	8528
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB4C.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB4C.tmp.xml
Category:	dropped
Dump:	WERBB4C.tmp.xml.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.481173351231124
Encrypted:	false
Ssdeep:	48:cvIwWl8zsDJg771I91dBOWpW8VYBYm8M4JxGSHFwpGyq85iGoSkEkx8W1ECpd:uIjfdI7+dBv7VtJxGnpGDGgE7W1jpd
Size:	4657
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.421617640652345
Encrypted:	false
Ssdeep:	6144:rSvfpi6ceLP/9skLmb0OTfWSPHaJG8nAgeMZMMhA2fX4WABlEnNg0uhiTw:WvloTfW+EZMM6DFyK03w
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Base64.exe

"C:\Users\user\Desktop\Base64.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2228
Target ID:	0
Parent PID:	1028
Name:	Base64.exe
Path:	C:\Users\user\Desktop\Base64.exe
Commandline:	"C:\Users\user\Desktop\Base64.exe"
Size:	12288
MD5:	1622226F04ADFC7B0C1CEEC4B0B4236F
Time:	23:29:57
Date:	21/12/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff781850000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected CobaltStrike	Remote Access Functionality
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6508
Target ID:	1
Parent PID:	2228
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	23:29:57
Date:	21/12/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2228 -s 192

Details

Is windows:	true
Is dropped:	false
PID:	1248
Target ID:	4
Parent PID:	2228
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2228 -s 192
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	23:29:57
Date:	21/12/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6f6020000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://upx.sf.net

unknown