Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.871157788525567
Filename:	file.exe
Filesize:	131072
MD5:	fcf03d6280f63f40a60e98d06605ab9d
SHA1:	420755bdc0da94be9a8213df4db439fac11475a8
SHA256:	bf18826310f2337edd96b0d183c47bb82b8f5da9a64ee7dd0a5d077385c8c38e
SHA512:	82646967165dc19a09440aa76c0eb2b562e336977d75ccf6f9dbf0f7ecc83c34445a21957c6ad8b590aea9252ec60ce74aa676ab94ba09da37ff7b1e7292103b
SSDEEP:	3072:PaUnVBiag8BuInCuXHDwpDEsu7jByqC4hmRA+Sxg/:C0iaghIBHDwpDSBn7+S
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Machine Learning detection for sample	AV Detection
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion
Contains functionality to read the PEB	Anti Debugging
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
One or more processes crash	System Summary
PE file does not import any functions	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
Reads software policies	System Summary	System Information Discovery
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_b7ec1b37f5bdf9de2faad2aaaca2b15765533cd8_02bbd8d5_5f6ab712-a5ae-4c3e-8d69-92f3de4241c6\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_b7ec1b37f5bdf9de2faad2aaaca2b15765533cd8_02bbd8d5_5f6ab712-a5ae-4c3e-8d69-92f3de4241c6\Report.wer
Category:	dropped
Dump:	Report.wer.3.dr
ID:	dr_3
Target ID:	3
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.6242818047794745
Encrypted:	false
Ssdeep:	192:qgqvWQuav9QP/0NXfcE3jEzuiFnZ24IO8ThB:yEk6kNXffjEzuiFnY4IO8r
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Machine Learning detection for sample	AV Detection
PE file does not import any functions	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB203.tmp.dmp

Mini DuMP crash report, 14 streams, Mon Sep 30 14:18:53 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERB203.tmp.dmp
Category:	dropped
Dump:	WERB203.tmp.dmp.3.dr
ID:	dr_0
Target ID:	3
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Mon Sep 30 14:18:53 2024, 0x1205a4 type
Entropy:	2.0147615125548044
Encrypted:	false
Ssdeep:	96:5r8By8DVvVvFFti7nhHG4lZDFI6WInWIOKGZsl8O7:K79tO8pJslJ7
Size:	19428
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB232.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERB232.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERB232.tmp.WERInternalMetadata.xml.3.dr
ID:	dr_1
Target ID:	3
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6900660199956583
Encrypted:	false
Ssdeep:	192:R6l7wVeJDCN6jm56YEIjSU9iZmgmfBNJPWOEpx+89bmOsfgim:R6lXJM6S56YE8SU9imgmfrJPWOkmNfU
Size:	8264
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB262.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERB262.tmp.xml
Category:	dropped
Dump:	WERB262.tmp.xml.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.429437549882719
Encrypted:	false
Ssdeep:	48:cvIwWl8zs5Jg77aI91/SWpW8VYsYm8M4J+KFO+q82oNKFpd:uIjfLI7n77VEJ02NKFpd
Size:	4555
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.3.dr
ID:	dr_4
Target ID:	3
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.421311151117267
Encrypted:	false
Ssdeep:	6144:BSvfpi6ceLP/9skLmb0OTLWSPHaJG8nAgeMZMMhA2fX4WABlEnN20uhiTw:YvloTLW+EZMM6DFy403w
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2920
Target ID:	0
Parent PID:	1028
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	131072
MD5:	FCF03D6280F63F40A60E98D06605AB9D
Time:	10:18:52
Date:	30/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x710000
Modulesize:	131072
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Azorult	Stealing of Sensitive Information
Yara detected Azorult Info Stealer	Stealing of Sensitive Information
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Machine Learning detection for sample	AV Detection
PE file does not import any functions	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 224

Details

Is windows:	true
Is dropped:	false
PID:	2220
Target ID:	3
Parent PID:	2920
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 224
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	10:18:52
Date:	30/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe30000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://upx.sf.net

unknown

http://ip-api.com/json

unknown

https://dotbit.me/a/

unknown