Automated Malware Analysis IOC Report for

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.9372105160344235
Filename:	H1pXo79CPd
Filesize:	5196288
MD5:	cfdf53f247859f70b66c15ad037463d6
SHA1:	bf644a6a32b9eb6dda2e55119af2692d51421e57
SHA256:	21716bb1c51f01b8ed87151fe565c1d20e837a7a2121567db7915d7f8f6e633d
SHA512:	8362c17fc82fd32bb59c1a0e64214d62282c140178630cc160327d87371f92214c21bf6ce6b068606e54c78acb7cb51af59ce0a482b7a3a09998012658309f2d
SSDEEP:	98304:Mxtx/aR65SoMFPLa7Z4OiZrq1DfPHNADtV6v+a:MxdSNJmF4O7NADtV6v+
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@.H ..&s..&s..&s...s..&sk..s..&s...s..&sk..sN.&sk..s..&s...s..&s..'sw.&sk..s..&sk..s..&sRich..&s........................PE..L..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection	Process Injection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates COM task schedule object (often to register a task for autostart)	Spreading	Scheduled Task/Job
Creates files inside the system directory	System Summary
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior
Uses 32bit PE files	Compliance, System Summary	Process Injection
PE file has an executable .text section and no other executable section	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Injection Process Discovery
Reads software policies	System Summary	System Information Discovery
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a mix of resources often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Recovery\nw_elf.dll
Category:	dropped
Dump:	nw_elf.dll.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Users\user\Desktop\H1pXo79CPd.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.2188747372209265
Encrypted:	false
Size:	288768
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Multi AV Scanner detection for dropped file	AV Detection	Security Software Discovery
Drops PE files	Persistence and Installation Behavior

Details

File:	C:\Windows\ClientDaemon.exe
Category:	dropped
Dump:	ClientDaemon.exe.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Users\user\Desktop\H1pXo79CPd.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.431580279207075
Encrypted:	false
Size:	2017280
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Checks for available system drives (often done to infect USB drives)	Spreading	Replication Through Removable Media Peripheral Device Discovery
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	System Information Discovery
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

Details

File:	C:\Windows\nw_elf.dll
Category:	dropped
Dump:	nw_elf.dll0.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Users\user\Desktop\H1pXo79CPd.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.219661142785557
Encrypted:	false
Size:	288768
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for dropped file	AV Detection	Security Software Discovery
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ClientDaemon.exe_ba598b36f84f8d89f975d848c6abb9337824ed7_02b26f1f_7d3f8875-b0d3-4246-a4b5-06fd93ba1207\Report.wer
Category:	dropped
Dump:	Report.wer.12.dr
ID:	dr_7
Target ID:	12
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	TeX document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.9955778121885941
Encrypted:	false
Size:	65536
Whitelisted:	false

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ClientDaemon.exe_ba598b36f84f8d89f975d848c6abb9337824ed7_02b26f1f_eb20255e-ed09-4b2c-a804-77ad66051d32\Report.wer
Category:	dropped
Dump:	Report.wer.16.dr
ID:	dr_10
Target ID:	16
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	TeX document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.9949214033490823
Encrypted:	false
Size:	65536
Whitelisted:	false

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B17.tmp.dmp
Category:	dropped
Dump:	WER6B17.tmp.dmp.12.dr
ID:	dr_9
Target ID:	12
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 15 streams, Wed Oct 2 15:54:13 2024, 0x1205a4 type
Entropy:	1.9941956940990657
Encrypted:	false
Size:	104754
Whitelisted:	false

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BF2.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER6BF2.tmp.WERInternalMetadata.xml.12.dr
ID:	dr_5
Target ID:	12
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6980248350497567
Encrypted:	false
Size:	8408
Whitelisted:	false

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C51.tmp.xml
Category:	dropped
Dump:	WER6C51.tmp.xml.12.dr
ID:	dr_6
Target ID:	12
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.471339676420344
Encrypted:	false
Size:	4794
Whitelisted:	false

Details

File:	C:\Recovery\cb.txt
Category:	dropped
Dump:	cb.txt.1.dr
ID:	dr_4
Target ID:	1
Process:	C:\Users\user\Desktop\H1pXo79CPd.exe
Type:	data
Entropy:	6.2986359972551895
Encrypted:	false
Size:	263180
Whitelisted:	false

Details

File:	C:\Recovery\cd.txt
Category:	dropped
Dump:	cd.txt.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Users\user\Desktop\H1pXo79CPd.exe
Type:	data
Entropy:	6.298703423049811
Encrypted:	false
Size:	263180
Whitelisted:	false

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.12.dr
ID:	dr_8
Target ID:	12
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.31018438532672
Encrypted:	false
Size:	1835008
Whitelisted:	false

IOC Report
H1pXo79CPd