Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

main.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	1.6820053479408899
Filename:	main.dll
Filesize:	4952064
MD5:	96d2a1bfbe79b68678b78017bf4ca532
SHA1:	c61e6222a42d858ab329eb5e0930b5274256c69d
SHA256:	5e97d896a427313467f598567f4dd60afc891f6b516faf3fc8d6379a7df40de4
SHA512:	0bc8ef5742d395692468d56966c3c9e640dbb34dcaf9922825067a69dc92f90574078553f3c2fb0052bce951939b869e19ab686470064422ffa9c7586c081bf6
SSDEEP:	24576:ab5Wyc+GYmc0guuEtMQxmbW0dH580xYIwzO0Zzp:ab8ysYm5ax580/wK0Zzp
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........G........................E............'.......'.......'..................1....'.......'......Rich...........................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_4bf71269e42599aca6dd6e6e3b744db6dcf1974_7522e4b5_f39e2f26-38ae-4b7c-88e0-3cfc3351528d\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_4bf71269e42599aca6dd6e6e3b744db6dcf1974_7522e4b5_f39e2f26-38ae-4b7c-88e0-3cfc3351528d\Report.wer
Category:	dropped
Dump:	Report.wer.7.dr
ID:	dr_3
Target ID:	7
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.9328969788248272
Encrypted:	false
Ssdeep:	192:iq2PiWObr0BU/wjeTOkzuiFqZ24IO84ci:2iXb4BU/wje/zuiFqY4IO84ci
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A98.tmp.dmp

Mini DuMP crash report, 14 streams, Mon Oct 14 07:46:25 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A98.tmp.dmp
Category:	dropped
Dump:	WER5A98.tmp.dmp.7.dr
ID:	dr_0
Target ID:	7
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Mon Oct 14 07:46:25 2024, 0x1205a4 type
Entropy:	2.166253177348043
Encrypted:	false
Ssdeep:	192:So5i+7J2O5H4wm3m0pFQf7uFuaYvhLWlQcwGdfZUoWFBAXj:J7JB5HtmNQKFwCLbfZeKj
Size:	54648
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B73.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B73.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER5B73.tmp.WERInternalMetadata.xml.7.dr
ID:	dr_1
Target ID:	7
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.694012503883682
Encrypted:	false
Ssdeep:	192:R6l7wVeJrY6yd6YYx6rgmf88MprV89boRsfu4m:R6lXJ06yd6Y+6rgmf88roKf4
Size:	8374
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BA3.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BA3.tmp.xml
Category:	dropped
Dump:	WER5BA3.tmp.xml.7.dr
ID:	dr_2
Target ID:	7
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.480821660060863
Encrypted:	false
Ssdeep:	48:cvIwWl8zs+Jg77aI9djOnWpW8VYHyYm8M4JCdPEFEXAP+q8vjP7HGScSgd:uIjf0I7zjD7VOJIAPKPHJ3gd
Size:	4791
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.7.dr
ID:	dr_4
Target ID:	7
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.417470220345491
Encrypted:	false
Ssdeep:	6144:kcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNo5+:Ji58oSWIZBk2MM6AFBWo
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Windows\System32\loaddll32.exe

loaddll32.exe "C:\Users\user\Desktop\main.dll"

Details

Is windows:	true
Is dropped:	false
PID:	7468
Target ID:	0
Parent PID:	4056
Name:	loaddll32.exe
Path:	C:\Windows\System32\loaddll32.exe
Commandline:	loaddll32.exe "C:\Users\user\Desktop\main.dll"
Size:	126464
MD5:	51E6071F9CBA48E79F10C84515AAE618
Time:	03:46:23
Date:	14/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xdd0000
Modulesize:	147456
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7476
Target ID:	1
Parent PID:	7468
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	03:46:23
Date:	14/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C rundll32.exe "C:\Users\user\Desktop\main.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	7532
Target ID:	3
Parent PID:	7468
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\main.dll",#1
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	03:46:23
Date:	14/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x410000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\main.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	7584
Target ID:	4
Parent PID:	7532
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32.exe "C:\Users\user\Desktop\main.dll",#1
Size:	61440
MD5:	889B99C52A60DD49227C5E485A016679
Time:	03:46:23
Date:	14/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xea0000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 776

Details

Is windows:	true
Is dropped:	false
PID:	7696
Target ID:	7
Parent PID:	7584
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 776
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	03:46:25
Date:	14/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x210000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://upx.sf.net

unknown

Domains

Name

Malicious

s-part-0017.t-0009.fb-t-msedge.net

13.107.253.45

time.windows.com

unknown