Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

JtBBqKs53G.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_JtBBqKs53G.exe_43d6ce5f53bd281f18a59363e8da9060d2ba981_31749536_158baf81-6414-4184-a1ea-1e0ccdfb985b\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_JtBBqKs53G.exe_43d6ce5f53bd281f18a59363e8da9060d2ba981_31749536_337f4289-2901-4a0a-8114-1c832252c4ac\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_JtBBqKs53G.exe_43d6ce5f53bd281f18a59363e8da9060d2ba981_31749536_96b2b60c-1c54-4bc6-a7a2-06bc0ed65fbd\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_JtBBqKs53G.exe_43d6ce5f53bd281f18a59363e8da9060d2ba981_31749536_b6345be3-c38a-45fe-a2e1-34d493e51155\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_JtBBqKs53G.exe_43d6ce5f53bd281f18a59363e8da9060d2ba981_31749536_c4668a89-5dfa-4b2e-8346-60fb2b69516b\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_JtBBqKs53G.exe_43d6ce5f53bd281f18a59363e8da9060d2ba981_31749536_e2ec837c-8e96-458a-987c-dc06c15e4699\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_JtBBqKs53G.exe_43d6ce5f53bd281f18a59363e8da9060d2ba981_31749536_f988a173-b8e9-414b-9cb5-1c4fef1cb4f4\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_JtBBqKs53G.exe_bf7c8ad7f1083a49e48c6263938b6f798e05de0_31749536_e45e9632-8dec-46bd-b4a8-a4b543e6c8cb\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC371.tmp.dmp

Mini DuMP crash report, 14 streams, Thu Mar 28 08:11:00 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC45C.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC48C.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6EB.tmp.dmp

Mini DuMP crash report, 14 streams, Thu Mar 28 08:11:01 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7B7.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7D8.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC98B.tmp.dmp

Mini DuMP crash report, 14 streams, Thu Mar 28 08:11:02 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9FA.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA1A.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC0C.tmp.dmp

Mini DuMP crash report, 14 streams, Thu Mar 28 08:11:02 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC8A.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCCBA.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD090.tmp.dmp

Mini DuMP crash report, 14 streams, Thu Mar 28 08:11:03 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD12D.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD16D.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD301.tmp.dmp

Mini DuMP crash report, 14 streams, Thu Mar 28 08:11:04 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD43B.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD45B.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDA93.tmp.dmp

Mini DuMP crash report, 14 streams, Thu Mar 28 08:11:06 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB3F.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB6F.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD81.tmp.dmp

Mini DuMP crash report, 14 streams, Thu Mar 28 08:11:07 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE2D.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE4E.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\ping[1].htm

very short file (no magic)

dropped

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

There are 25 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\JtBBqKs53G.exe

"C:\Users\user\Desktop\JtBBqKs53G.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6960 -ip 6960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 1344

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "JtBBqKs53G.exe" /f & erase "C:\Users\user\Desktop\JtBBqKs53G.exe" & exit

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 1464

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "JtBBqKs53G.exe" /f

There are 3 hidden processes, click here to show them.

URLs

Name

Malicious

http://185.172.128.90/cpa/ping.php?substr=one&s=two

185.172.128.90

Details

Name:	http://185.172.128.90/cpa/ping.php?substr=one&s=two
IP:	185.172.128.90
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\JtBBqKs53G.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
IP address seen in connection with other malware	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

http://upx.sf.net

unknown

http://185.172.128.90/cpa/ping.php?substr=one&s=twoV

unknown

IPs

Domain

Country

Malicious

185.172.128.90

unknown

Russian Federation

Details

IP:	185.172.128.90
TargetID:	0
Current Path:	C:\Users\user\Desktop\JtBBqKs53G.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	50916
ASN name:	NADYMSS-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking