Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

6GUgc6JYS1.exe

PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy:	5.361963209685598
Filename:	6GUgc6JYS1.exe
Filesize:	23040
MD5:	789bf0a8714e77d0d524ba22d8efbd7e
SHA1:	61c56b19c55020494fa19faa3d1b7a2f070259df
SHA256:	cf580830ecedcd498730091d01b92c1fde220d95f1fa677ce88f1a17f236b6b8
SHA512:	70cfde0ebc2dec25bf28873269543351cc8a218e6a0d5d7b6f3d3c87673aa81ad0187ed6990ed82875455b621ec49a02f875760c6bf6c7359971658d05af933b
SSDEEP:	384:Y021unhcOSuFUKrxzk+kzekzLko0nN7WIeW:Yt0GOHF5lk+kKkzLz0nJ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g...............+.,...V...".............@..........................................`... ............................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Found direct / indirect Syscall (likely to bypass EDR)	HIPS / PFW / Operating System Protection Evasion	Abuse Elevation Control Mechanism
Contains functionality to call native functions	System Summary
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
One or more processes crash	System Summary
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to register its own exception handler	Anti Debugging
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary	System Information Discovery
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_6GUgc6JYS1.exe_14b8f6c7377787902fbdfdce8cfba71edc84f2_d9c5afb0_0b286928-5b74-4105-9195-d990964fe4a3\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_6GUgc6JYS1.exe_14b8f6c7377787902fbdfdce8cfba71edc84f2_d9c5afb0_0b286928-5b74-4105-9195-d990964fe4a3\Report.wer
Category:	dropped
Dump:	Report.wer.7.dr
ID:	dr_0
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.8902174182806722
Encrypted:	false
Ssdeep:	96:iLFQfuv3+/sa2Coh7JfTQXIDcQWc6zcEZcw37n+HbHg/5jgOg0dl/phsv5o1OyWW:MLvu/v0I3DEjZ7yzuiFCZ24lO8Te
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF6.tmp.dmp

Mini DuMP crash report, 14 streams, Sat Oct 26 07:11:56 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF6.tmp.dmp
Category:	dropped
Dump:	WER8DF6.tmp.dmp.7.dr
ID:	dr_2
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Sat Oct 26 07:11:56 2024, 0x1205a4 type
Entropy:	1.3021244577485591
Encrypted:	false
Ssdeep:	384:nyCEX5vNwAOK3DR/62N5t3akw74uM1KjE5qdQt58:nL85FwAOcVSG5t3akw74VL5QQw
Size:	159734
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E94.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E94.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER8E94.tmp.WERInternalMetadata.xml.7.dr
ID:	dr_3
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.7110211166131153
Encrypted:	false
Ssdeep:	192:R6l7wVeJOHEP6Y+izpgmfWYoJpDa89b3ddfadm:R6lXJuE6YbzpgmfWYof3nfJ
Size:	8812
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EC3.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EC3.tmp.xml
Category:	dropped
Dump:	WER8EC3.tmp.xml.7.dr
ID:	dr_4
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.505379579987411
Encrypted:	false
Ssdeep:	48:cvIwWl8zsI/Jg771I9N/OWpW8VYJYm8M4JOlFOKFAyq85j+QONKi/LE4gzTfd:uIjfSI7yv7VFJOvEyDOfzErTfd
Size:	4701
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.7.dr
ID:	dr_1
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.569187439173982
Encrypted:	false
Ssdeep:	6144:ooPefZnQMa3tfLXbn90foomgsattlbSldrUHT7hSgkSNv0juQJYchUJvTGAGBsLq:lPPAooVJHnsg/d1TsqGn
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\6GUgc6JYS1.exe

"C:\Users\user\Desktop\6GUgc6JYS1.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6608
Target ID:	1
Parent PID:	4088
Name:	6GUgc6JYS1.exe
Path:	C:\Users\user\Desktop\6GUgc6JYS1.exe
Commandline:	"C:\Users\user\Desktop\6GUgc6JYS1.exe"
Size:	23040
MD5:	789BF0A8714E77D0D524BA22D8EFBD7E
Time:	03:11:34
Date:	26/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff78fd20000
Modulesize:	65536
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 6608 -s 1228

Details

Is windows:	true
Is dropped:	false
PID:	7088
Target ID:	7
Parent PID:	6608
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6608 -s 1228
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	03:11:56
Date:	26/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff603290000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://20.25.126.96/bDDs

http://20.25.126.96:443/bDDs

https://20.25.126.96/Y

unknown

https://20.25.126.96/bDDs2i

unknown

https://20.25.126.96/bDDs

unknown

https://20.25.126.96/bDDsH:px6

unknown

https://20.25.126.96/2

unknown

https://20.25.126.96/

unknown

https://20.25.126.96/bDDsF

unknown

https://20.25.126.96/DDs

unknown

http://upx.sf.net

unknown

https://20.25.126.96/.i$x

unknown

https://20.25.126.96/l

unknown

https://20.25.126.96/%

unknown

There are 4 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

20.25.126.96

unknown

United States

Details

IP:	20.25.126.96
TargetID:	1
Current Path:	C:\Users\user\Desktop\6GUgc6JYS1.exe
Country:	United States
Countrycode:	USA
ASN number:	8075
ASN name:	MICROSOFT-CORP-MSN-AS-BLOCKUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking
URLs found in memory or binary data	Networking