Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

launcher.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	0.26264220467827815
Filename:	launcher.exe
Filesize:	26684528
MD5:	913b4744fbcd88cbc9ba44808a835a91
SHA1:	d5cb6cbe5d4ad8b20a351080a6bc8e85fa72a64e
SHA256:	b411fa289b897c774560292abcf7c298e29e1b9b8243357b1cc7d25a28622739
SHA512:	ab0c1ec3840947262d4825bbc1cb1f0f056fceda99d7886ce7f83c432faf91a89e17f81e21132a9f997a895c0dd3cdb3d987b47608020cb1260657d782847863
SSDEEP:	12288:5R5ouJIVQhcEWuDG6X/ob2qlTIiw/TmQxFZpC:dnJIG2EFlf09GTmYvC
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3..%wt.vwt.vwt.v...w{t.v...w.t.v...wbt.v...wet.v...wct.v...w~t.vwt.v(t.v...w:t.v...wvt.v...wvt.vRichwt.v................PE..L..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Checks if the current process is being debugged	Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
Found large amount of non-executed APIs	Malware Analysis System Evasion
One or more processes crash	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to modify the execution of threads in other processes
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_launcher.exe_unk_b0bb7f6d90ed2f8ba3c75ebe9dc55dc31e4cb28_122839a5_de3fb72a-2063-40a2-b49d-422c40f56fc6\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_launcher.exe_unk_b0bb7f6d90ed2f8ba3c75ebe9dc55dc31e4cb28_122839a5_de3fb72a-2063-40a2-b49d-422c40f56fc6\Report.wer
Category:	dropped
Dump:	Report.wer.5.dr
ID:	dr_3
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.7971542237410658
Encrypted:	false
Ssdeep:	96:aF5LFSzDqZO2wsghqDEyCfIQXIDcQvc6QcEVcw3cE/f+HbHg/BQAS/YyNl4EfaAs:aLLzA2w8Q0BU/4jeTMzuiFFZ24IO8Hf
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE825.tmp.dmp

Mini DuMP crash report, 14 streams, Mon Apr 22 05:00:05 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERE825.tmp.dmp
Category:	dropped
Dump:	WERE825.tmp.dmp.5.dr
ID:	dr_0
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Mon Apr 22 05:00:05 2024, 0x1205a4 type
Entropy:	1.9414788471263662
Encrypted:	false
Ssdeep:	96:5H8liE3p16sKeAbqg3c9brwYYTKki75I4vvOLWSilevo0B7tjfKmp4TbS94sSCOe:a9kuhLBkO5H+voSxjfj4w0HwOKGEuGD
Size:	40616
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE910.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERE910.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERE910.tmp.WERInternalMetadata.xml.5.dr
ID:	dr_1
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6992080068150726
Encrypted:	false
Ssdeep:	192:R6l7wVeJo16wL6Y9OSUcigmfWq7prB89byxsfHGm:R6lXJS6W6YkSUcigmfWqYyqfP
Size:	8320
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE930.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERE930.tmp.xml
Category:	dropped
Dump:	WERE930.tmp.xml.5.dr
ID:	dr_2
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.469412429961924
Encrypted:	false
Ssdeep:	48:cvIwWl8zsauJg77aI9DIWpW8VYAYm8M4JhMsEFk+q8wHRQOQsd:uIjfakI7ph7VIJhMCRxQOQsd
Size:	4603
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.5.dr
ID:	dr_4
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.4654274525378606
Encrypted:	false
Ssdeep:	6144:sIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNOdwBCswSbn:RXD94+WlLZMM6YFH0+n
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\launcher.exe

"C:\Users\user\Desktop\launcher.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7444
Target ID:	0
Parent PID:	2580
Name:	launcher.exe
Path:	C:\Users\user\Desktop\launcher.exe
Commandline:	"C:\Users\user\Desktop\launcher.exe"
Size:	26684528
MD5:	913B4744FBCD88CBC9BA44808A835A91
Time:	07:00:04
Date:	22/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x360000
Modulesize:	475136
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7464
Target ID:	1
Parent PID:	7444
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	07:00:04
Date:	22/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x160000
Modulesize:	73728
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7472
Target ID:	2
Parent PID:	7444
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	07:00:04
Date:	22/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xb40000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7444 -s 596

Details

Is windows:	true
Is dropped:	false
PID:	7560
Target ID:	5
Parent PID:	7444
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7444 -s 596
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	07:00:05
Date:	22/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xdb0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

demonstationfukewko.shop

incredibleextedwj.shop

shortsvelventysjo.shop

productivelookewr.shop

tolerateilusidjukl.shop

liabilitynighstjsko.shop

sideindexfollowragelrew.pw

shatterbreathepsw.shop

alcojoldwograpciw.shop

https://productivelookewr.shop/%

unknown

https://productivelookewr.shop/apibu

unknown

https://productivelookewr.shop:443/api

unknown

https://productivelookewr.shop/api

104.21.11.250

https://productivelookewr.shop/o

unknown

http://upx.sf.net

unknown

https://productivelookewr.shop/

unknown

There are 6 hidden URLs, click here to show them.

Domains

Name

Malicious

productivelookewr.shop

104.21.11.250

Details

Name:	productivelookewr.shop
IP:	104.21.11.250
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

sideindexfollowragelrew.pw

unknown

Details

Name:	sideindexfollowragelrew.pw
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

104.21.11.250

productivelookewr.shop

United States

Details

IP:	104.21.11.250
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	productivelookewr.shop

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking