Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

rPROFORMAINVOICE-PO_ATS_1036.exe

PE32+ executable (GUI) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	6.886828046222246
Filename:	rPROFORMAINVOICE-PO_ATS_1036.exe
Filesize:	1464832
MD5:	ccdc6abb91cba9b82fcea9f02aaeffac
SHA1:	8badde3b9cb21b8f6cd0fcf75f8b94a545fa35ea
SHA256:	55ead53e3dff6db18ab2e0a9e353c4f39e6d0ce7ad0dd506dd7ce92d866b7eaa
SHA512:	216e011f71e2783ec85b21ae98a1952d9c0f8ff7325e7001c177b3ffaeba5407446e42c05393bb33b6dcfd430eb81323343a24c9f6a2597709a6df26d0caf7df
SSDEEP:	24576:rAonTAWtaG9kwX2t684Bnndby1UuFLan9k5TRM7phylfihgdElWlVjD:rAodtaG9kS2U84B+FLan9k5TRM9zlgVj
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E......E...E...E...D...E...D...E...D/..E..BE...EJ..D...E...E...E...D...E...D...E...E...E...DD..EI..D...EI..D...E...............

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary	Security Software Discovery System Information Discovery
Multi AV Scanner detection for dropped file	AV Detection	Access Token Manipulation
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation	Security Software Discovery
.NET source code contains potential unpacker	Data Obfuscation	Access Token Manipulation Software Packing
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture Security Software Discovery
Drops PE files to the user root directory	Boot Survival	Masquerading
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Sample uses string decryption to hide its real strings	AV Detection	Access Token Manipulation
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	Access Token Manipulation Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
Detected potential crypto function	System Summary	Access Token Manipulation Security Software Discovery
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Drops PE files to the user directory	Persistence and Installation Behavior	Security Software Discovery
Enables debug privileges	Anti Debugging
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API Access Token Manipulation
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Found potential string decryption / allocating functions	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation Security Software Discovery
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion	Security Software Discovery System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Creates files inside the user directory	System Summary
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\rPROFORMAINVOICE-PO_ATS_1036.exe

PE32+ executable (GUI) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\rPROFORMAINVOICE-PO_ATS_1036.exe
Category:	dropped
Dump:	rPROFORMAINVOICE-PO_ATS_1036.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe
Type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	6.886828046222246
Encrypted:	false
Ssdeep:	24576:rAonTAWtaG9kwX2t684Bnndby1UuFLan9k5TRM7phylfihgdElWlVjD:rAodtaG9kS2U84B+FLan9k5TRM9zlgVj
Size:	1464832
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Drops PE files to the user root directory	Boot Survival	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
Sample is known by Antivirus	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msbuild.exe_c0d52432dfe3ceb750b4c6e7cd4c95a2e207481_11e7f0f4_f83a3f6a-ba45-452e-b37a-b98497531510\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msbuild.exe_c0d52432dfe3ceb750b4c6e7cd4c95a2e207481_11e7f0f4_f83a3f6a-ba45-452e-b37a-b98497531510\Report.wer
Category:	dropped
Dump:	Report.wer.9.dr
ID:	dr_4
Target ID:	9
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	1.1701646477935583
Encrypted:	false
Ssdeep:	192:/tzxScO3aXGT0BU/Ka6THyChC/zuiFzZ24IO8G:Zxi3aXxBU/KaWSp/zuiFzY4IO8G
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER24F5.tmp.dmp

Mini DuMP crash report, 15 streams, Wed Sep 25 12:27:39 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER24F5.tmp.dmp
Category:	dropped
Dump:	WER24F5.tmp.dmp.9.dr
ID:	dr_1
Target ID:	9
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 15 streams, Wed Sep 25 12:27:39 2024, 0x1205a4 type
Entropy:	3.6666584031052403
Encrypted:	false
Ssdeep:	3072:y3dCx2c0s4uEqkdXW8rfwqtNnY+LTg3NytN4XfUlOl:ytPc0s47wknYsTgdyte
Size:	330460
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER27E4.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER27E4.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER27E4.tmp.WERInternalMetadata.xml.9.dr
ID:	dr_2
Target ID:	9
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.717767588768132
Encrypted:	false
Ssdeep:	192:R6l7wVeJWg6XJ+YZzVapr689boJCsfqupm:R6lXJh6Z+Yn0oJBfTE
Size:	6384
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2833.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER2833.tmp.xml
Category:	dropped
Dump:	WER2833.tmp.xml.9.dr
ID:	dr_3
Target ID:	9
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.448828040781326
Encrypted:	false
Ssdeep:	48:cvIwWl8zs5NJg77aI9sfWpW8VYj2Ym8M4JoxFqI+q8vulmLCd:uIjf5nI7OO7VCJUKomLCd
Size:	4729
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.9.dr
ID:	dr_5
Target ID:	9
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.466344412417991
Encrypted:	false
Ssdeep:	6144:TIXfpi67eLPU9skLmb0b4OWSPKaJG8nAgejZMMhA2gX4WABl0uNddwBCswSb+:EXD94OWlLZMM6YFH7++
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe

"C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6180
Target ID:	0
Parent PID:	2580
Name:	rPROFORMAINVOICE-PO_ATS_1036.exe
Path:	C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe
Commandline:	"C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe"
Size:	1464832
MD5:	CCDC6ABB91CBA9B82FCEA9F02AAEFFAC
Time:	08:25:20
Date:	25/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff78b950000
Modulesize:	1728512
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files to the user root directory	Boot Survival	Masquerading
Initial sample is a PE file and has a suspicious name	System Summary
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3756
Target ID:	2
Parent PID:	6180
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	08:25:20
Date:	25/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x860000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6344
Target ID:	1
Parent PID:	6180
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	08:25:20
Date:	25/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1588

Details

Is windows:	true
Is dropped:	false
PID:	6604
Target ID:	9
Parent PID:	3756
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1588
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	08:27:38
Date:	25/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xc30000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

67.215.224.133

Details

Name:	67.215.224.133
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

http://upx.sf.net

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Domains

Name

Malicious

fp2e7a.wpc.phicdn.net

192.229.221.95

198.187.3.20.in-addr.arpa

unknown

IPs

Domain

Country

Malicious

67.215.224.133

unknown

United States

Details

IP:	67.215.224.133
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	United States
Countrycode:	USA
ASN number:	8100
ASN name:	ASN-QUADRANET-GLOBALUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking