Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

flX5YA1C09.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.423212701081575
Filename:	flX5YA1C09.exe
Filesize:	506368
MD5:	2ab72b91ce16dd1252e5a054ac75752e
SHA1:	a9b72d4e2e3ced63e58d36e11d0bf5e8a3132f0f
SHA256:	ef1550c124e6a450ffce5f4ffe0313962c73e2169b7f6e4b289bafa386912400
SHA512:	83f8a0b269ce7755f973c0e67c5bb7ce7b8d62e4b534b8663d663168a1aaa5d8c1adaf5cfb122a3e2555464f4a7c939c3544d0b34c85aaa91d905fe951fb4e0c
SSDEEP:	12288:EcRxIa0CO71s6Hxw2KJrSddWzF1H43DPb6+:EoxIoOhlG2KJ2WR+Pb6
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........V...V...V..._.+.B...PHE.^...PH..v...PH..\...PH..R...PH..P.......A...V...s.......?...9H..T...9H..W...9HG.W...9H..W...RichV..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to create an SMB header	Exploits	Exploitation of Remote Services
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API Security Software Discovery
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
Detected potential crypto function	System Summary	Security Software Discovery
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
One or more processes crash	System Summary
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Uses taskkill to terminate processes	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality for error logging	System Summary	Security Software Discovery
Contains functionality to download additional files from the internet	Networking	Security Software Discovery Ingress Tool Transfer
Contains functionality to import cryptographic keys (often used in ransomware)	Spam, unwanted Advertisements and Ransom Demands	Data Encrypted for Impact
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Public key (encryption) found	Cryptography	Archive Collected Data
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking	Security Software Discovery
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_flX5YA1C09.exe_6193f6e47d768fb07ef4e778aeb03f9f2b24ff_41b9c7aa_8ba48ea0-4bd8-4fb0-9fd2-b26a74e926a9\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_flX5YA1C09.exe_6193f6e47d768fb07ef4e778aeb03f9f2b24ff_41b9c7aa_8ba48ea0-4bd8-4fb0-9fd2-b26a74e926a9\Report.wer
Category:	dropped
Dump:	Report.wer.38.dr
ID:	dr_17
Target ID:	38
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.9989196732181074
Encrypted:	false
Ssdeep:	96:74FmXAJ6PsBh8z75fQbQXIDcQNc6GcEOcw3X+HbHg/8BRTf3o8Fa9KifQvH+DFdO:s4G6Pf0jCUAjvVm8zuiFVZ24lO8L
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file has an executable .text section and no other executable section	System Summary
Public key (encryption) found	Cryptography	Archive Collected Data
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCCC0.tmp.dmp

Mini DuMP crash report, 14 streams, Sun Oct 20 19:21:16 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERCCC0.tmp.dmp
Category:	dropped
Dump:	WERCCC0.tmp.dmp.38.dr
ID:	dr_19
Target ID:	38
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Sun Oct 20 19:21:16 2024, 0x1205a4 type
Entropy:	1.6017360298464471
Encrypted:	false
Ssdeep:	384:0JKKOFDj81+20DMjbnRafpqwSRuKLBIihjj+kJAkBYpmrIrbW:gyf8s20HSRuKLBLjVKpm0b
Size:	106948
Whitelisted:	false
Reputation:	timeout

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDEA.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDEA.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERCDEA.tmp.WERInternalMetadata.xml.38.dr
ID:	dr_20
Target ID:	38
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.7148182515668258
Encrypted:	false
Ssdeep:	192:R6l7wVeJmFaO6Y2D1Kphkgmf9+pr+89bC0h+f3Qim:R6lXJM16YgKpCgmf98BIfS
Size:	10138
Whitelisted:	false
Reputation:	timeout

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE1A.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE1A.tmp.xml
Category:	dropped
Dump:	WERCE1A.tmp.xml.38.dr
ID:	dr_21
Target ID:	38
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.467744226737068
Encrypted:	false
Ssdeep:	48:cvIwWl8zskJg771I9bQWpW8VYlYm8M4J1QmeQXZFVpmyq85lQ1QNl/iXjHOd:uIjfiI78p7VFJakZpmTaPiXjHOd
Size:	4645
Whitelisted:	false
Reputation:	timeout

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.38.dr
ID:	dr_18
Target ID:	38
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.468735284041842
Encrypted:	false
Ssdeep:	6144:YzZfpi6ceLPx9skLmb0fxZWSP3aJG8nAgeiJRMMhA2zX4WABluuNSjDH5S:OZHtxZWOKnMM6bFpYj4
Size:	1835008
Whitelisted:	false
Reputation:	timeout

\Device\Null

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\Null
Category:	dropped
Dump:	Null.35.dr
ID:	dr_16
Target ID:	35
Process:	C:\Windows\System32\cmd.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.003997527334849
Encrypted:	false
Ssdeep:	3:HnRthLK5a6eCMABe:HRoJPO
Size:	44
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\flX5YA1C09.exe

"C:\Users\user\Desktop\flX5YA1C09.exe"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1468 -s 1012

There are 26 hidden processes, click here to show them.

URLs

Name

Malicious

http://185.101.104.122/esphvciforabronkz.exe

unknown

https://keyauth.win/api/1.1/ITECT

unknown

http://185.101.104.122/esphvcionbronkz.exe

unknown

https://keyauth.win/api/1.1/64

unknown

http://185.101.104.122/esphvcionbronkz.exeC:

unknown

http://upx.sf.net

unknown

https://keyauth.win/api/1.2/gramW

unknown

http://185.101.104.122/esphvciforabronkz.exeC:

unknown

https://keyauth.win/api/1.2/p

unknown

https://curl.haxx.se/docs/http-cookies.html

unknown

https://curl.haxx.se/docs/http-cookies.html#

unknown

https://keyauth.win/api/1.2/

unknown

https://keyauth.win/api/1.1/

172.67.72.57

There are 3 hidden URLs, click here to show them.

Domains

Name

Malicious

bg.microsoft.map.fastly.net

199.232.214.172

keyauth.win

172.67.72.57

Details

Name:	keyauth.win
IP:	172.67.72.57
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

fp2e7a.wpc.phicdn.net

192.229.221.95

IPs

Domain

Country

Malicious

172.67.72.57

keyauth.win

United States

Details

IP:	172.67.72.57
TargetID:	0
Current Path:	C:\Users\user\Desktop\flX5YA1C09.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	keyauth.win

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

127.0.0.1

unknown