Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

bC7vK74a5a.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.4232273237386295
Filename:	bC7vK74a5a.exe
Filesize:	506368
MD5:	728c57cf9e4022a270356c0e2341e7f4
SHA1:	4cf9c62cd6fc7bb9a025326831574e3444e6f93f
SHA256:	f44f58459e9f4bb4af9159ec4aae9bb37e4cc8cae779d1a9ff3d755ba0bdaf53
SHA512:	2a7ffd46a1c13c68ccb7cb1d60a5628bd7de63ae15e17c19c9bd48c2e53b635d0b2ea684c5dc878aef08a02a50662183b16ad031ac1be3ded3fe227985fcf7a2
SSDEEP:	6144:ty8K4ZP3rneV8giiDYviaN4TuNy+m4W70Lzxw2T942uHde9VWWYpQUCgTf1:tDxVtfkYvi3qNRWYLz2m+P4mwUC6f1
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........V...V...V..._.+.B...PHE.^...PH..v...PH..\...PH..R...PH..P.......A...V...s.......?...9H..T...9H..W...9HG.W...9H..W...RichV..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Excessive usage of taskkill to terminate processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion Security Software Discovery
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to create an SMB header	Exploits	Exploitation of Remote Services
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion	Security Software Discovery
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses taskkill to terminate processes	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality for error logging	System Summary
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to import cryptographic keys (often used in ransomware)	Spam, unwanted Advertisements and Ransom Demands	Security Software Discovery Archive Collected Data Data Encrypted for Impact
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Public key (encryption) found	Cryptography	Security Software Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bC7vK74a5a.exe_3d1df02cfb4a4a20b131a6e5094572abda3813_f313f8e1_86d6d614-7dbd-4c82-b5d8-5051dfa7ebd8\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bC7vK74a5a.exe_3d1df02cfb4a4a20b131a6e5094572abda3813_f313f8e1_86d6d614-7dbd-4c82-b5d8-5051dfa7ebd8\Report.wer
Category:	dropped
Dump:	Report.wer.37.dr
ID:	dr_17
Target ID:	37
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.9982394840034947
Encrypted:	false
Ssdeep:	192:RUGhRB6xr0FsA+jnVm8zuiFRZ24lO8f0:3Rsx4FsA+jZzuiFRY4lO8f
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file has an executable .text section and no other executable section	System Summary
Public key (encryption) found	Cryptography	Archive Collected Data
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E54.tmp.dmp

Mini DuMP crash report, 14 streams, Sun Oct 20 19:28:31 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E54.tmp.dmp
Category:	dropped
Dump:	WER6E54.tmp.dmp.37.dr
ID:	dr_19
Target ID:	37
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Sun Oct 20 19:28:31 2024, 0x1205a4 type
Entropy:	1.6107327880710214
Encrypted:	false
Ssdeep:	384:H7Ni/EFW0Zv20tqRuKb5gbkOJukt1RDR8pXURleGx:pLW0dBoRuKb50yURlD
Size:	105812
Whitelisted:	false
Reputation:	timeout

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F4F.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F4F.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER6F4F.tmp.WERInternalMetadata.xml.37.dr
ID:	dr_20
Target ID:	37
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.717381837756507
Encrypted:	false
Ssdeep:	192:R6l7wVeJk3Jb6Y9aHQgmf55Ppr189bFpqh36x5bfHl3m:R6lXJc16YwHQgmf55gF0h36x5bf4
Size:	10142
Whitelisted:	false
Reputation:	timeout

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F8E.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F8E.tmp.xml
Category:	dropped
Dump:	WER6F8E.tmp.xml.37.dr
ID:	dr_21
Target ID:	37
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.459171110618495
Encrypted:	false
Ssdeep:	48:cvIwWl8zsjJg771I9wLWpW8VYWYm8M4JPaFsoyq851w0svd:uIjf9I7f67VqJIP0svd
Size:	4645
Whitelisted:	false
Reputation:	timeout

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.37.dr
ID:	dr_18
Target ID:	37
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.465593169957847
Encrypted:	false
Ssdeep:	6144:JIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uN1dwBCswSbt:6XD94zWlLZMM6YFHP+t
Size:	1835008
Whitelisted:	false
Reputation:	timeout

\Device\Null

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\Null
Category:	dropped
Dump:	Null.34.dr
ID:	dr_16
Target ID:	34
Process:	C:\Windows\System32\cmd.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.003997527334849
Encrypted:	false
Ssdeep:	3:HnRthLK5a6eCMABe:HRoJPO
Size:	44
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\bC7vK74a5a.exe

"C:\Users\user\Desktop\bC7vK74a5a.exe"

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 460 -p 5544 -ip 5544

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5544 -s 996

There are 27 hidden processes, click here to show them.

URLs

Name

Malicious

http://upx.sf.net

unknown

https://keyauth.win/api/1.2/EL=6

unknown

http://185.101.104.122/aimhvcibronkzops.exe

unknown

https://keyauth.win/api/1.1/ace

unknown

http://185.101.104.122/aimhvciforabronkz.exeC:

unknown

http://185.101.104.122/aimhvciforabronkz.exe

unknown

https://curl.haxx.se/docs/http-cookies.html

unknown

https://curl.haxx.se/docs/http-cookies.html#

unknown

https://keyauth.win/api/1.2/

unknown

https://keyauth.win/api/1.1/

104.26.0.5

http://185.101.104.122/aimhvcibronkzops.exeC:

unknown

There are 1 hidden URLs, click here to show them.

Domains

Name

Malicious

keyauth.win

104.26.0.5

Details

Name:	keyauth.win
IP:	104.26.0.5
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

104.26.0.5

keyauth.win

United States

Details

IP:	104.26.0.5
TargetID:	0
Current Path:	C:\Users\user\Desktop\bC7vK74a5a.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	keyauth.win

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

127.0.0.1

unknown