Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

O4oLJdI3gs.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.406965350057818
Filename:	O4oLJdI3gs.exe
Filesize:	449536
MD5:	6e90358d70a4a4c6d49dab693267a381
SHA1:	86b0d17461a208a6190f7da925c8cb14cf33784e
SHA256:	bad43a1c8ba1dacf3daf82bc30a0673f9bc2675ea6cdedd34624ffc933b959f4
SHA512:	7e3d4b8293c376d18bae562ccbc0e4ca869ba6ea2cb26f76fd0ad761cf4693e7f5c3cfe30cbf7d386f1fe1e9dc4e7591bac34b382edf18881047eaa2555cf8cd
SSDEEP:	6144:U1Qg7Id01Nc57+61VxXiUfDbNxB/0m1S0cAg/hI7ghe3JfJRyS5T:UB7Id0fcEEJNxB/l/0/hI0Q3bZ5T
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........z...)...)...)...(...)...(...)...(...)...(...)...(...)...(...)...(...)...)...)...)...).9.(...).9.)...).9.(...)Rich...).......

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a DirectInput object (often for capturing keystrokes)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
Installs a raw input device (often for capturing keystrokes)	Key, Mouse, Clipboard, Microphone and Screen Capturing
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_fontdrvhost.exe_d32c824e8915b30da4efd4eabd13e74e4ef8c1_ad0be647_1ab57e78-9611-486c-b44e-7ce3542d872f\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_fontdrvhost.exe_d32c824e8915b30da4efd4eabd13e74e4ef8c1_ad0be647_1ab57e78-9611-486c-b44e-7ce3542d872f\Report.wer
Category:	dropped
Dump:	Report.wer.7.dr
ID:	dr_4
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.6603805580262176
Encrypted:	false
Ssdeep:	96:1wFHz3e1qigKJ2s3Wrk41yHpHS2QXIDcQkc6tcEycw3ZUtzJzQ+HbHgrZ2ZAX/dI:2FjSHn2xR0apYKjqzuiFHZ24lO8JO
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9287.tmp.dmp

Mini DuMP crash report, 14 streams, Thu Jan 16 12:25:34 2025, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9287.tmp.dmp
Category:	dropped
Dump:	WER9287.tmp.dmp.7.dr
ID:	dr_1
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Thu Jan 16 12:25:34 2025, 0x1205a4 type
Entropy:	1.2682424234805212
Encrypted:	false
Ssdeep:	96:5jS8buzmR77SylpsMfiByY7i7IqXqYqFUv9Zo/MfQEmmRWIcrIg8pTIW:dhaz+pnfgbOf6PFUv9q/MrmmUhW
Size:	48198
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER92D7.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER92D7.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER92D7.tmp.WERInternalMetadata.xml.7.dr
ID:	dr_2
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6882904023622056
Encrypted:	false
Ssdeep:	192:R6l7wVeJgMebHUe6Y8BaOXRgmfr57vEWpDw89by+Mf0mm:R6lXJjg6Y6aOhgmfrFvNyVfs
Size:	8622
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9306.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9306.tmp.xml
Category:	dropped
Dump:	WER9306.tmp.xml.7.dr
ID:	dr_3
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.443454943962867
Encrypted:	false
Ssdeep:	48:cvIwWl8zsdJg771I9+RWpW8VYOYm8M4Jk5LvM6Fryq8vU5LvMcelaMuwFd:uIjf3I75A7ViJcjM4WsjMcel1u6d
Size:	4853
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.7.dr
ID:	dr_0
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.4175949014723255
Encrypted:	false
Ssdeep:	6144:wcifpi6ceLPL9skLmb0mNSWSPtaJG8nAgex285i2MMhA20X4WABlGuN75+:Vi58NSWIZBk2MM6AFB9o
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\O4oLJdI3gs.exe

"C:\Users\user\Desktop\O4oLJdI3gs.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7516
Target ID:	0
Parent PID:	4056
Name:	O4oLJdI3gs.exe
Path:	C:\Users\user\Desktop\O4oLJdI3gs.exe
Commandline:	"C:\Users\user\Desktop\O4oLJdI3gs.exe"
Size:	449536
MD5:	6E90358D70A4A4C6D49DAB693267A381
Time:	07:25:23
Date:	16/01/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x510000
Modulesize:	528384
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Uncommon Svchost Parent Process	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
Sample is known by Antivirus	System Summary
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\System32\svchost.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7644
Target ID:	3
Parent PID:	4560
Name:	svchost.exe
Path:	C:\Windows\SysWOW64\svchost.exe
Commandline:	"C:\Windows\System32\svchost.exe"
Size:	46504
MD5:	1ED18311E3DA35942DB37D15FA40CC5B
Time:	07:25:25
Date:	16/01/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x580000
Modulesize:	53248
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Uncommon Svchost Parent Process	System Summary
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\fontdrvhost.exe

"C:\Windows\System32\fontdrvhost.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7720
Target ID:	4
Parent PID:	4560
Name:	fontdrvhost.exe
Path:	C:\Windows\System32\fontdrvhost.exe
Commandline:	"C:\Windows\System32\fontdrvhost.exe"
Size:	827408
MD5:	BBCB897697B3442657C7D6E3EDDBD25F
Time:	07:25:31
Date:	16/01/2025
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6080a0000
Modulesize:	847872
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 7720 -s 136

Details

Is windows:	true
Is dropped:	false
PID:	7824
Target ID:	7
Parent PID:	7720
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7720 -s 136
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	07:25:34
Date:	16/01/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6dbfa0000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://154.216.19.249:3637/4b5f27f1f9aa29/ax406g6n.eednw

Details

Name:	https://154.216.19.249:3637/4b5f27f1f9aa29/ax406g6n.eednw
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\O4oLJdI3gs.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

https://154.216.19.249:3637/4b5f27f1f9aa29/ax406g6n.eednwx

unknown

https://cloudflare-dns.com/dns-query

unknown

Details

Name:	https://cloudflare-dns.com/dns-query
TargetID:	3
From Memory:	true
Current Path:	C:\Windows\SysWOW64\svchost.exe
Source:	svchost.exe, 00000003.00000003.1346612962.000000000299F000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://upx.sf.net

unknown

https://154.216.19.249:3637/4b5f27f1f9aa29/ax406g6n.eednwkernelbasentdllkernel32GetProcessMitigation

unknown

Details

Name:	https://154.216.19.249:3637/4b5f27f1f9aa29/ax406g6n.eednwkernelbasentdllkernel32GetProcessMitigation
TargetID:	3
From Memory:	true
Current Path:	C:\Windows\SysWOW64\svchost.exe
Source:	svchost.exe, 00000003.00000002.1384254461.000000000290C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000004.00000002.1603782046.000001C181C00000.00000040.00000001.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi

unknown

Details

Name:	https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi
TargetID:	3
From Memory:	true
Current Path:	C:\Windows\SysWOW64\svchost.exe
Source:	svchost.exe, 00000003.00000003.1346612962.000000000299F000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

bg.microsoft.map.fastly.net

199.232.210.172

IPs

Domain

Country

Malicious

154.216.19.249

unknown

Seychelles

Details

IP:	154.216.19.249
TargetID:	3
Current Path:	C:\Windows\SysWOW64\svchost.exe
Country:	Seychelles
Countrycode:	SYC
ASN number:	135357
ASN name:	SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\SibCode

sn3