Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

praxisbackup.exe

PE32+ executable (GUI) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	6.500561305430131
Filename:	praxisbackup.exe
Filesize:	455168
MD5:	dbf8fe8bde46ead1bc550a03ad4a3f74
SHA1:	888f27dd2269119cf9524474a6a0b559d0d201a1
SHA256:	ca601708a3822d4f1fbea39171c8d5e94c0b8741f35a5a2fb63cd6d71da29b1a
SHA512:	cfcaee08a31394c4275f397ed6e71fa8c0009204f0c9cbfd2afbfcac6cc9b0245b34546196f994012afcbbdd642e15ad24bd54c315dbc01d1f45d6e6e3b92ccb
SSDEEP:	6144:+21l/vZY5g2hjEP1HAdYn8EQaQuNVChDb0/ejTEM3KDpaCx+n36GBdPhow499:+233ZY59+zrnOPSeg1E8+nqQU
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q=...S...S...S..hP...S..hV...S..hW...S..oV...S..oW...S..oP...S..hR...S...R.7.S...S...S...Q...S.Rich..S.................PE..d..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Found API chain indicative of debugger detection	Anti Debugging	Access Token Manipulation Virtualization/Sandbox Evasion
Found evasive API chain (may stop execution after checking system information)	Malware Analysis System Evasion	Native API Masquerading
Sample is not signed and drops a device driver	Persistence and Installation Behavior
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates driver files	System Summary
Creates files inside the driver directory	System Summary	Masquerading
Creates files inside the system directory	System Summary
Creates or modifies windows services	Boot Survival
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	File and Directory Discovery
Enables driver privileges	System Summary	LSASS Driver
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Contains functionality for error logging	System Summary	Access Token Manipulation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to create pipes for IPC	Language, Device and Operating System Detection	Process Injection
Contains functionality to create services	System Summary	Windows Service Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery System Information Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading Masquerading
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_praxisbackup.exe_fa851c8bd9c5583f741cfa88ae4a1244eeb19db5_9be301e6_7c27b446-6383-4edf-b7b5-fb839c6564ce\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_praxisbackup.exe_fa851c8bd9c5583f741cfa88ae4a1244eeb19db5_9be301e6_7c27b446-6383-4edf-b7b5-fb839c6564ce\Report.wer
Category:	dropped
Dump:	Report.wer.4.dr
ID:	dr_6
Target ID:	4
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.8003036856596354
Encrypted:	false
Ssdeep:	96:1B/FUtYUf50RsU7hqfUp7qabSKQXIDcQGc6aTcEYcw35nF+HbHg/opAnQVxj7OU7:DDJRqHB0osC0j1CizuiFfZ24lO8M5
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB2F.tmp.dmp

Mini DuMP crash report, 15 streams, Thu Oct 24 10:07:58 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB2F.tmp.dmp
Category:	dropped
Dump:	WERBB2F.tmp.dmp.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 15 streams, Thu Oct 24 10:07:58 2024, 0x1205a4 type
Entropy:	1.7109558267026694
Encrypted:	false
Ssdeep:	192:h8kDJdQUVZl4S7OQu7clAVW1/He+Z7vflPHGhTfXf20Eu:h7QECQu7OAmfHGNfuru
Size:	82532
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBAD.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBAD.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERBBAD.tmp.WERInternalMetadata.xml.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.695174274762487
Encrypted:	false
Ssdeep:	192:R6l7wVeJ+eP3rL6Y2DuiA5gmfK9pDM89b50Tgfzjim:R6lXJXP3rL6YziA5gmfKB500fnz
Size:	8610
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBED.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBED.tmp.xml
Category:	dropped
Dump:	WERBBED.tmp.xml.4.dr
ID:	dr_5
Target ID:	4
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.434759248687144
Encrypted:	false
Ssdeep:	48:cvIwWl8zsXJg771I9ikwWpW8VY0Ym8M4JQoHhFSIoyq8vlHNvXVtsMXd:uIjf5I7UJ7VoJQ8uIoWtNvFtDXd
Size:	4770
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBFA.tmp.csv

data

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBFA.tmp.csv
Category:	dropped
Dump:	WERBBFA.tmp.csv.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Windows\System32\svchost.exe
Type:	data
Entropy:	3.08239652802643
Encrypted:	false
Ssdeep:	1536:l5rTjwmhCXU2aMOQVavZQAIvumulCxznl0:l5rTjwmhCXU2aMOQVaBQAIvumulCxznK
Size:	75858
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC3A.tmp.txt

data

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC3A.tmp.txt
Category:	dropped
Dump:	WERBC3A.tmp.txt.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Windows\System32\svchost.exe
Type:	data
Entropy:	2.684535737226691
Encrypted:	false
Ssdeep:	96:TiZYW7Puya+zYRYRiWm5HFUYEZybtk0iVHlKV8wdj4xnyaBICM9acNIL93:2ZD7OMWmU3zdaBICM93SL93
Size:	13340
Whitelisted:	false
Reputation:	low

C:\Windows\System32\drivers\Sysprox.sys

PE32+ executable (native) x86-64, for MS Windows

dropped

Details

File:	C:\Windows\System32\drivers\Sysprox.sys
Category:	dropped
Dump:	Sysprox.sys.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\praxisbackup.exe
Type:	PE32+ executable (native) x86-64, for MS Windows
Entropy:	6.396093720120602
Encrypted:	false
Ssdeep:	384:s33h+malYtzO7zmQ++jiPV+PQ6eg3OOAFN0rA1Ghj8mfFxf3xlSUYJLdSkjGZfdG:yx8YPoj8L6WOqGSfmb3C5Ltiq
Size:	30864
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.4.dr
ID:	dr_7
Target ID:	4
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.468765901031446
Encrypted:	false
Ssdeep:	6144:RzZfpi6ceLPx9skLmb0f9ZWSP3aJG8nAgeiJRMMhA2zX4WABluuN3jDH5S:JZHt9ZWOKnMM6bFp9j4
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\praxisbackup.exe

"C:\Users\user\Desktop\praxisbackup.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4136
Target ID:	0
Parent PID:	4004
Name:	praxisbackup.exe
Path:	C:\Users\user\Desktop\praxisbackup.exe
Commandline:	"C:\Users\user\Desktop\praxisbackup.exe"
Size:	455168
MD5:	DBF8FE8BDE46EAD1BC550A03AD4A3F74
Time:	06:07:58
Date:	24/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff642160000
Modulesize:	471040
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

Details

Is windows:	true
Is dropped:	false
PID:	4060
Target ID:	1
Parent PID:	632
Name:	svchost.exe
Path:	C:\Windows\System32\svchost.exe
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Size:	55320
MD5:	B7F884C1B74A263F746EE12A5F7C9F6A
Time:	06:07:58
Date:	24/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7403e0000
Modulesize:	65536
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 476 -p 4136 -ip 4136

Details

Is windows:	true
Is dropped:	false
PID:	5012
Target ID:	3
Parent PID:	4060
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 476 -p 4136 -ip 4136
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	06:07:58
Date:	24/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff67b750000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4136 -s 488

Details

Is windows:	true
Is dropped:	false
PID:	1020
Target ID:	4
Parent PID:	4136
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4136 -s 488
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	06:07:58
Date:	24/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff67b750000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://secure.globalsign.net/cacert/PrimObject.crt0

unknown

http://secure.globalsign.net/cacert/ObjectSign.crt09

unknown

http://upx.sf.net

unknown

http://www.globalsign.net/repository09

unknown

http://www.globalsign.net/repository/0

unknown