Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

G9e272AEyo.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.423322949566928
Filename:	G9e272AEyo.exe
Filesize:	506368
MD5:	f0f5b379dfbcd101a6abffae96082417
SHA1:	505849de091e311eb9ef7c413a18525b7338dc8e
SHA256:	b779b04efc9be9517b8ae479e408f6054a0f7f8ef3d1af542d5c0c863566c165
SHA512:	77a2bc28641ae88fe14ff16bccc738941a7e2f939d9df5279956d76df9f7bcef8dd5f7ce47c0102f92011dfc8153c4f55ea687bca0064df75681345a627b96dc
SSDEEP:	6144:Sy8K4ZP3rneV8giiDYviaN4TuNy+m4W70Lzxw2T942uHde9VWWJpQHCgTf1:SDxVtfkYvi3qNRWYLz2m+P4mzHC6f1
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........V...V...V..._.+.B...PHE.^...PH..v...PH..\...PH..R...PH..P.......A...V...s.......?...9H..T...9H..W...9HG.W...9H..W...RichV..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion Security Software Discovery
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to create an SMB header	Exploits	Exploitation of Remote Services
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
One or more processes crash	System Summary
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Contains functionality for error logging	System Summary
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to import cryptographic keys (often used in ransomware)	Spam, unwanted Advertisements and Ransom Demands	Security Software Discovery Archive Collected Data Data Encrypted for Impact
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Public key (encryption) found	Cryptography	Security Software Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_G9e272AEyo.exe_38d8115434c1d6f4526792875acb23d414_949d7e63_24e1ab57-b402-426d-a902-b7bdba8ffb82\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_G9e272AEyo.exe_38d8115434c1d6f4526792875acb23d414_949d7e63_24e1ab57-b402-426d-a902-b7bdba8ffb82\Report.wer
Category:	dropped
Dump:	Report.wer.37.dr
ID:	dr_17
Target ID:	37
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.9977624473406657
Encrypted:	false
Ssdeep:	96:w5uFetdsThIx7tfaQXIDcQMc6VhcEGcw3wpm+HbHg/8BRTf3o8Fa9KUNsPQ2w1Ib:BGdD0yfsEpjfVmUzuiFyZ24lO8nxS
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file has an executable .text section and no other executable section	System Summary
Public key (encryption) found	Cryptography	Archive Collected Data
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3CEA.tmp.dmp

Mini DuMP crash report, 14 streams, Sun Oct 20 19:10:04 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER3CEA.tmp.dmp
Category:	dropped
Dump:	WER3CEA.tmp.dmp.37.dr
ID:	dr_19
Target ID:	37
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Sun Oct 20 19:10:04 2024, 0x1205a4 type
Entropy:	1.6106783728828924
Encrypted:	false
Ssdeep:	384:n7NMclZ+0zZkORuKGf0f/3/sdDRtiqvO20N+zl:JF/+0VbRuKGQs5aZ0
Size:	106100
Whitelisted:	false
Reputation:	timeout

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DD6.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DD6.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER3DD6.tmp.WERInternalMetadata.xml.37.dr
ID:	dr_20
Target ID:	37
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.7087127831487043
Encrypted:	false
Ssdeep:	192:R6l7wVeJcWL6Y9txmGgmfZnEprT89b42lfgom:R6lXJFL6Y3MGgmfZn148fm
Size:	10132
Whitelisted:	false
Reputation:	timeout

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E35.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E35.tmp.xml
Category:	dropped
Dump:	WER3E35.tmp.xml.37.dr
ID:	dr_21
Target ID:	37
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.465403245286182
Encrypted:	false
Ssdeep:	48:cvIwWl8zs8Jg771I9HmzSSWpW8VYOoYm8M4J1TPSMF+yq85R0K2nCCAt4nt3d:uIjf6I7dWz7VjJmXKw3d
Size:	4645
Whitelisted:	false
Reputation:	timeout

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.37.dr
ID:	dr_18
Target ID:	37
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.4656039153401315
Encrypted:	false
Ssdeep:	6144:dIXfpi67eLPU9skLmb0b49WSPKaJG8nAgejZMMhA2gX4WABl0uNSdwBCswSbt:OXD949WlLZMM6YFHY+t
Size:	1835008
Whitelisted:	false
Reputation:	timeout

\Device\Null

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\Null
Category:	dropped
Dump:	Null.34.dr
ID:	dr_16
Target ID:	34
Process:	C:\Windows\System32\cmd.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.003997527334849
Encrypted:	false
Ssdeep:	3:HnRthLK5a6eCMABe:HRoJPO
Size:	44
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\G9e272AEyo.exe

"C:\Users\user\Desktop\G9e272AEyo.exe"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 6580 -s 1004

There are 26 hidden processes, click here to show them.

URLs

Name

Malicious

http://upx.sf.net

unknown

http://185.101.104.122/aimhvcibronkzops.exe

unknown

https://keyauth.win/api/1.1/ace

unknown

http://185.101.104.122/aimhvciforabronkz.exeC:

unknown

https://keyauth.win/api/1.2/s

unknown

http://185.101.104.122/aimhvciforabronkz.exe

unknown

https://curl.haxx.se/docs/http-cookies.html

unknown

https://curl.haxx.se/docs/http-cookies.html#

unknown

https://keyauth.win/api/1.1/ce

unknown

https://keyauth.win/api/1.2/

unknown

https://keyauth.win/api/1.1/

104.26.1.5

http://185.101.104.122/aimhvcibronkzops.exeC:

unknown

There are 2 hidden URLs, click here to show them.

Domains

Name

Malicious

keyauth.win

104.26.1.5

Details

Name:	keyauth.win
IP:	104.26.1.5
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

104.26.1.5

keyauth.win

United States

Details

IP:	104.26.1.5
TargetID:	0
Current Path:	C:\Users\user\Desktop\G9e272AEyo.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	keyauth.win

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

127.0.0.1

unknown