IOC Report
55876.exe

Files

File Path

Type

Category

Malicious

55876.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_55876.exe_1d28606ee4dd33d687b1238c2fc915949b77486c_431570d7_0b3287b9-b17d-494b-8f9c-1ac368821c63\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_55876.exe_458c60b62e70e9612b38d86cdbe9bf45285e9550_431570d7_9297d733-114a-47e8-9564-bea5205a9a9d\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1049.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1069.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCFC.tmp.dmp

Mini DuMP crash report, 14 streams, Mon Nov 25 08:00:14 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD8.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE17.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFDB.tmp.dmp

Mini DuMP crash report, 14 streams, Mon Nov 25 08:00:15 2024, 0x1205a4 type

dropped

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\55876.exe

"C:\Users\user\Desktop\55876.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3560
Target ID:	0
Parent PID:	1028
Name:	55876.exe
Path:	C:\Users\user\Desktop\55876.exe
Commandline:	"C:\Users\user\Desktop\55876.exe"
Size:	1540096
MD5:	083F9411071A4FFA0450C05C210010B0
Time:	03:00:11
Date:	25/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1540096
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
PE file contains a mix of resources often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 776

Details

Is windows:	true
Is dropped:	false
PID:	3008
Target ID:	4
Parent PID:	3560
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 776
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	03:00:14
Date:	25/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x30000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 780

Details

Is windows:	true
Is dropped:	false
PID:	3276
Target ID:	6
Parent PID:	3560
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 780
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	03:00:15
Date:	25/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x30000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

IP

Malicious

http://upx.sf.net

unknown

Domains

Name

IP

Malicious

www.shduih.com

18.167.130.152

Details

Name:	www.shduih.com
IP:	18.167.130.152
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

IP

Domain

Country

Malicious

18.167.130.152

www.shduih.com

United States

Details

IP:	18.167.130.152
TargetID:	0
Current Path:	C:\Users\user\Desktop\55876.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false
Domain:	www.shduih.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

\REGISTRY\A\{c4042608-7ad1-c1ce-7474-ac3846d9648c}\Root\InventoryApplicationFile\55876.exe|f37542312ee3f60d

ProgramId

\REGISTRY\A\{c4042608-7ad1-c1ce-7474-ac3846d9648c}\Root\InventoryApplicationFile\55876.exe|f37542312ee3f60d

FileId

\REGISTRY\A\{c4042608-7ad1-c1ce-7474-ac3846d9648c}\Root\InventoryApplicationFile\55876.exe|f37542312ee3f60d

LowerCaseLongPath

\REGISTRY\A\{c4042608-7ad1-c1ce-7474-ac3846d9648c}\Root\InventoryApplicationFile\55876.exe|f37542312ee3f60d

LongPathHash

\REGISTRY\A\{c4042608-7ad1-c1ce-7474-ac3846d9648c}\Root\InventoryApplicationFile\55876.exe|f37542312ee3f60d

Name

\REGISTRY\A\{c4042608-7ad1-c1ce-7474-ac3846d9648c}\Root\InventoryApplicationFile\55876.exe|f37542312ee3f60d

OriginalFileName

\REGISTRY\A\{c4042608-7ad1-c1ce-7474-ac3846d9648c}\Root\InventoryApplicationFile\55876.exe|f37542312ee3f60d

Publisher

\REGISTRY\A\{c4042608-7ad1-c1ce-7474-ac3846d9648c}\Root\InventoryApplicationFile\55876.exe|f37542312ee3f60d

Version

\REGISTRY\A\{c4042608-7ad1-c1ce-7474-ac3846d9648c}\Root\InventoryApplicationFile\55876.exe|f37542312ee3f60d

BinFileVersion

\REGISTRY\A\{c4042608-7ad1-c1ce-7474-ac3846d9648c}\Root\InventoryApplicationFile\55876.exe|f37542312ee3f60d

BinaryType

\REGISTRY\A\{c4042608-7ad1-c1ce-7474-ac3846d9648c}\Root\InventoryApplicationFile\55876.exe|f37542312ee3f60d

ProductName

\REGISTRY\A\{c4042608-7ad1-c1ce-7474-ac3846d9648c}\Root\InventoryApplicationFile\55876.exe|f37542312ee3f60d

ProductVersion

\REGISTRY\A\{c4042608-7ad1-c1ce-7474-ac3846d9648c}\Root\InventoryApplicationFile\55876.exe|f37542312ee3f60d

LinkDate

\REGISTRY\A\{c4042608-7ad1-c1ce-7474-ac3846d9648c}\Root\InventoryApplicationFile\55876.exe|f37542312ee3f60d

BinProductVersion

\REGISTRY\A\{c4042608-7ad1-c1ce-7474-ac3846d9648c}\Root\InventoryApplicationFile\55876.exe|f37542312ee3f60d

AppxPackageFullName

\REGISTRY\A\{c4042608-7ad1-c1ce-7474-ac3846d9648c}\Root\InventoryApplicationFile\55876.exe|f37542312ee3f60d

AppxPackageRelativeId

\REGISTRY\A\{c4042608-7ad1-c1ce-7474-ac3846d9648c}\Root\InventoryApplicationFile\55876.exe|f37542312ee3f60d

Size

\REGISTRY\A\{c4042608-7ad1-c1ce-7474-ac3846d9648c}\Root\InventoryApplicationFile\55876.exe|f37542312ee3f60d

Language

\REGISTRY\A\{c4042608-7ad1-c1ce-7474-ac3846d9648c}\Root\InventoryApplicationFile\55876.exe|f37542312ee3f60d

Usn

There are 9 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

BE0000

heap

page read and write

2A6E000

stack

page read and write

1D0000

heap

page read and write

19D000

stack

page read and write

5AE000

heap

page read and write

400000

unkown

page readonly

273E000

stack

page read and write

590000

heap

page read and write

529000

unkown

page readonly

283F000

stack

page read and write

1D5000

heap

page read and write

8AE000

stack

page read and write

292D000

stack

page read and write

403000

unkown

page readonly

580000

heap

page read and write

9C000

stack

page read and write

5BC000

heap

page read and write

401000

unkown

page execute read

406000

unkown

page read and write

5A0000

heap

page read and write

BB0000

heap

page read and write

407000

unkown

page readonly

2B6F000

stack

page read and write

400000

unkown

page readonly

405000

unkown

page write copy

2A2E000

stack

page read and write

8EE000

stack

page read and write

7AE000

stack

page read and write

401000

unkown

page execute read

403000

unkown

page readonly

5AA000

heap

page read and write

405000

unkown

page write copy

407000

unkown

page readonly

9EF000

stack

page read and write

529000

unkown

page readonly

There are 25 hidden memdumps, click here to show them.