Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Ljrfk7uRvO.exe

PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy:	5.241464468454697
Filename:	Ljrfk7uRvO.exe
Filesize:	19456
MD5:	e1a865386810fdd8cfe6724c251bc236
SHA1:	9eca601597cd96d337b5fed54b3943bed1a35137
SHA256:	8b92f9878021028541ee3ad507b2a08fb3884007cca9b659503693a41589eb22
SHA512:	bd44f655f5dd8d07735622f9035e83b78da6a634745a24327501400465ef892482236071826d7a37cfbae48af2883a0cd3c8c7f4739540ff1b33801b79f13c4b
SSDEEP:	192:0V7qaCF6Op1t2dobVXujRDcBaXWQjwOT/2JSbTRWF8qa1Dojjgi:mqaCF31cix+Dc4zjCSbYFF46gi
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./...."."...H................@............................................... ............................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Found API chain indicative of debugger detection	Anti Debugging	Virtualization/Sandbox Evasion
Machine Learning detection for sample	AV Detection
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
One or more processes crash	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to create pipes for IPC	Language, Device and Operating System Detection	Process Injection
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ljrfk7uRvO.exe_46e1d5682d2aaed3ce5311f53ec99cd11ab55ee5_0a3509db_6478054e-9102-4016-9df3-992504b8e67a\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ljrfk7uRvO.exe_46e1d5682d2aaed3ce5311f53ec99cd11ab55ee5_0a3509db_6478054e-9102-4016-9df3-992504b8e67a\Report.wer
Category:	dropped
Dump:	Report.wer.6.dr
ID:	dr_0
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.8896411247310103
Encrypted:	false
Ssdeep:	96:SvuFREBUslhMoh7JfqQXIDcQWc6zcEZcw37dhT+HbHg/5jgOg0dl/phsv5o1OyW+:d4BUw0I3DUjZ7yzuiFCZ24lO8S
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER74FD.tmp.dmp

Mini DuMP crash report, 14 streams, Sat Oct 26 07:11:45 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER74FD.tmp.dmp
Category:	dropped
Dump:	WER74FD.tmp.dmp.6.dr
ID:	dr_2
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Sat Oct 26 07:11:45 2024, 0x1205a4 type
Entropy:	1.3384797411052702
Encrypted:	false
Ssdeep:	768:hf2o2wGNPzLDNtJ/Ig/APQydIK3z71Nmz2fittJJRkP2fr:hL4eIymKD71Nmz2fittJJRkP2fr
Size:	148478
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER759A.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER759A.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER759A.tmp.WERInternalMetadata.xml.6.dr
ID:	dr_3
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.7069326538353247
Encrypted:	false
Ssdeep:	192:R6l7wVeJpkDK96YNk/fbgmfAmpD089bdt0f3/m:R6lXJpAQ6Y+XbgmfAqd+fO
Size:	8796
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER75DA.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER75DA.tmp.xml
Category:	dropped
Dump:	WER75DA.tmp.xml.6.dr
ID:	dr_4
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.488923446996072
Encrypted:	false
Ssdeep:	48:cvIwWl8zsI/Jg771I9P8WpW8VYlYm8M4Jkb4COKFWeyq85gVnONG3sU3LUhQd:uIjfSI7Y17VVJoxLSGr34hQd
Size:	4685
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.6.dr
ID:	dr_1
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.416748870454769
Encrypted:	false
Ssdeep:	6144:ncifpi6ceLPL9skLmb0mkSWSPtaJG8nAgex285i2MMhA20X4WABlGuNS5+:ci58kSWIZBk2MM6AFBEo
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Ljrfk7uRvO.exe

"C:\Users\user\Desktop\Ljrfk7uRvO.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5916
Target ID:	0
Parent PID:	4056
Name:	Ljrfk7uRvO.exe
Path:	C:\Users\user\Desktop\Ljrfk7uRvO.exe
Commandline:	"C:\Users\user\Desktop\Ljrfk7uRvO.exe"
Size:	19456
MD5:	E1A865386810FDD8CFE6724C251BC236
Time:	03:11:21
Date:	26/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	49152
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5916 -s 1112

Details

Is windows:	true
Is dropped:	false
PID:	5920
Target ID:	6
Parent PID:	5916
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5916 -s 1112
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	03:11:45
Date:	26/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff755c30000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://20.25.126.96/Sp6d

http://20.25.126.96:443/Sp6d

https://20.25.126.96/Sp6dbJ

unknown

https://20.25.126.96/Sp6d

unknown

https://20.25.126.96/Sp6d$

unknown

https://20.25.126.96/Sp6dSpace_G

unknown

https://20.25.126.96/

unknown

https://20.25.126.96/p

unknown

https://20.25.126.96/t

unknown

http://upx.sf.net

unknown

https://20.25.126.96/k

unknown

https://20.25.126.96/chedvmbusRFCOMM

unknown

https://20.25.126.96/p6d

unknown

https://20.25.126.96/f

unknown

There are 4 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

20.25.126.96

unknown

United States

Details

IP:	20.25.126.96
TargetID:	0
Current Path:	C:\Users\user\Desktop\Ljrfk7uRvO.exe
Country:	United States
Countrycode:	USA
ASN number:	8075
ASN name:	MICROSOFT-CORP-MSN-AS-BLOCKUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking
URLs found in memory or binary data	Networking