Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.4110720048107375
Filename:	file.exe
Filesize:	1278832
MD5:	a00d324c74f00710ced44b8c7f1a3561
SHA1:	218364f5e378c73877815755538d99250bbef5e5
SHA256:	86935c2a69aa7096890dd8b72291170dfd9a5d7b22f3a83e70b6e7afcc2d75d7
SHA512:	5c37f908bed65f88707f1f6d837690c3f088d46d2bddf589ce9207daf500e446bbb3293fd9f673ed320d19a8cda47032742bef132eb46827c9b6e03f1d1269db
SSDEEP:	24576:x8Bq2LeSLFQJI+SyTna8Sw89UHKEiyq9fizOdt1yCUaOBe7q4DmU/:3LapNEq9fiKuCUace7q4d/
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4...p...p...p...y...........{.......P.......z.......U...p...........&.......q.......q...Richp...........PE..L....e"W...........

Signature Hits	Behavior Group	Mitre Attack
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)	Malware Analysis System Evasion, Anti Debugging
Contains functionality to communicate with device drivers	System Summary
Contains functionality to get notified if a device is plugged in / out	Spreading	Peripheral Device Discovery
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Access Token Manipulation Clipboard Data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
One or more processes crash	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Queries the installation date of Windows	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)	System Summary
Contains functionality for error logging	System Summary	Access Token Manipulation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query local drives	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates mutexes	System Summary	Access Token Manipulation
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery Peripheral Device Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Queries a list of all running processes	Malware Analysis System Evasion
Reads software policies	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file imports many functions	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary
Executable creates window controls seldom found in malware	System Summary	Access Token Manipulation

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_3524697aa2453b3e919c4615a9f9b77b6fec82a_95c5483c_7625f84b-010b-4c55-8b33-ee1b0c902343\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_3524697aa2453b3e919c4615a9f9b77b6fec82a_95c5483c_7625f84b-010b-4c55-8b33-ee1b0c902343\Report.wer
Category:	dropped
Dump:	Report.wer.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	1.1035727105549051
Encrypted:	false
Ssdeep:	192:EMBYqSEvCPAL0BU/7E3jwxriQ4jzuiFTZ24IO8bB:JYnGCXBU/AjuWzuiFTY4IO8l
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)	System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file imports many functions	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER32F8.tmp.dmp

Mini DuMP crash report, 14 streams, Sun Nov 24 02:21:58 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER32F8.tmp.dmp
Category:	dropped
Dump:	WER32F8.tmp.dmp.4.dr
ID:	dr_0
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Sun Nov 24 02:21:58 2024, 0x1205a4 type
Entropy:	1.9538403487498193
Encrypted:	false
Ssdeep:	384:ma+ce/xdhr6/UVVefzBl9OmOEKk32JoQ6XQ8bO3aiUdlGh/grIojv/hYRY6Uqts:maRyxdV6/UVVefVl6Y293srI6qU
Size:	131438
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER36F0.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER36F0.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER36F0.tmp.WERInternalMetadata.xml.4.dr
ID:	dr_1
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.694521687604444
Encrypted:	false
Ssdeep:	192:R6l7wVeJJCI6MD6YEIbSU9oM9/gmfBvZcfprw89bE0sfivsm:R6lXJj6o6YEESU9ougmfJZcfEnfw
Size:	8342
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3730.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER3730.tmp.xml
Category:	dropped
Dump:	WER3730.tmp.xml.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.4544441946460855
Encrypted:	false
Ssdeep:	48:cvIwWl8zsEJg77aI9n0WpW8VY0Ym8M4JlkF8+q8j14pLbBHd:uIjfCI7Ft7VIJT7pLbBHd
Size:	4642
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.4219442689957384
Encrypted:	false
Ssdeep:	6144:xSvfpi6ceLP/9skLmb0OTxWSPHaJG8nAgeMZMMhA2fX4WABlEnN20uhiTw:IvloTxW+EZMM6DFy403w
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1200
Target ID:	0
Parent PID:	1028
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	1278832
MD5:	A00D324C74F00710CED44B8C7F1A3561
Time:	21:21:55
Date:	23/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x5c0000
Modulesize:	1298432
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)	System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file imports many functions	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 1460

Details

Is windows:	true
Is dropped:	false
PID:	2700
Target ID:	4
Parent PID:	1200
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 1460
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	21:21:56
Date:	23/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xbe0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://upx.sf.net

unknown