Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

OHkRFujs2m.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.542595019085764
Filename:	OHkRFujs2m.exe
Filesize:	52736
MD5:	e3df75b478f43b2bc1178c59351f131d
SHA1:	1a1292b2d9413b211b288f754eab30b38d31e3bf
SHA256:	d53bda0838a3db470a20a273d1effee7ef42bbc0a337fbb65eddfe079a5d0206
SHA512:	e5c28fef2c8eb9edf55dc8f054645311872217c397c69cce2f52818f679238ee445ebf512344838a7e35b27c57e0aaff498e9a9c8743bc26a0b9360c5b264556
SSDEEP:	1536:Iv7qsuoozpxPK8nlcNjmBXBchp8kSCxPxf:9CgPJihTPxf
Preview:	MZ......................@.....................................................6.........`....'......%.......^}f}(@.F.I.N.T.[.W._.`,.4h4.1p...w...^}f}(@.._.RKP.K.../:.\|S.]....$[...?...c....rqtk.5(O.9.sn}P.B..{V.x_..l.>.......&U.ozY.......!d.....PE..L.....[

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has a writeable .text section	System Summary
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion
One or more processes crash	System Summary
PE file contains sections with non-standard names	Data Obfuscation
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary
Reads software policies	System Summary	System Information Discovery
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_OHkRFujs2m.exe_ccc029e7440f42aaa9a3f96c2c528b459f2262_e7b9045b_0cdb27ff-1fd0-4065-a5fe-5b576051abb5\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_OHkRFujs2m.exe_ccc029e7440f42aaa9a3f96c2c528b459f2262_e7b9045b_0cdb27ff-1fd0-4065-a5fe-5b576051abb5\Report.wer
Category:	dropped
Dump:	Report.wer.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.6350973369256793
Encrypted:	false
Ssdeep:	96:0GFjMPwvbiJcsuhnU7afiQXIDcQvc6QcEVcw3cE/9QQ+HbHg6ZAX/d5FMT2SlPky:7p0Qbccr0BU/YjEzuiFTZ24IO860
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has a writeable .text section	System Summary
PE file contains sections with non-standard names	Data Obfuscation
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7ACB.tmp.dmp

Mini DuMP crash report, 14 streams, Wed Apr 24 00:47:53 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER7ACB.tmp.dmp
Category:	dropped
Dump:	WER7ACB.tmp.dmp.4.dr
ID:	dr_1
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Wed Apr 24 00:47:53 2024, 0x1205a4 type
Entropy:	2.0606885663609606
Encrypted:	false
Ssdeep:	96:5W8gE3IfsWyI30dci7n3zl7D3uH6m+b+couWI9wIPmPI48pNImVjZ:rU46O3Z7rXm+8TuNImVjZ
Size:	18776
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B2A.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B2A.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER7B2A.tmp.WERInternalMetadata.xml.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.7023768524224763
Encrypted:	false
Ssdeep:	192:R6l7wVeJek6bEf6YNfSU9GgmfRdprw89bphsfoaDm:R6lXJF6bEf6Y1SU9GgmfRtpafon
Size:	8284
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B5A.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B5A.tmp.xml
Category:	dropped
Dump:	WER7B5A.tmp.xml.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.4778169518704045
Encrypted:	false
Ssdeep:	48:cvIwWl8zstJg77aI9AGyWpW8VYgPYm8M4JC3F5e+q8mi+bL8S7d:uIjfHI7GC7VJSJlRbgS7d
Size:	4579
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.4.dr
ID:	dr_0
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.416673986609114
Encrypted:	false
Ssdeep:	6144:+cifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNa5+:Li58oSWIZBk2MM6AFBUo
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\OHkRFujs2m.exe

"C:\Users\user\Desktop\OHkRFujs2m.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6552
Target ID:	0
Parent PID:	4056
Name:	OHkRFujs2m.exe
Path:	C:\Users\user\Desktop\OHkRFujs2m.exe
Commandline:	"C:\Users\user\Desktop\OHkRFujs2m.exe"
Size:	52736
MD5:	E3DF75B478F43B2BC1178C59351F131D
Time:	02:47:52
Date:	24/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	156311
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has a writeable .text section	System Summary
PE file contains sections with non-standard names	Data Obfuscation
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 232

Details

Is windows:	true
Is dropped:	false
PID:	8
Target ID:	4
Parent PID:	6552
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 232
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	02:47:53
Date:	24/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x580000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://upx.sf.net

unknown

IPs

Domain

Country

Malicious

104.208.16.94

unknown

United States

Details

IP:	104.208.16.94
TargetID:	4
Current Path:	C:\Windows\SysWOW64\WerFault.exe
Country:	United States
Countrycode:	USA
ASN number:	8075
ASN name:	MICROSOFT-CORP-MSN-AS-BLOCKUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking