Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.W32.FraudLoad.F32_DET.Eldorado.15068.22232.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	7.7921381550077236
Filename:	SecuriteInfo.com.W32.FraudLoad.F32_DET.Eldorado.15068.22232.dll
Filesize:	6634783
MD5:	ffb1e1ac949f4802c07223b054b3554f
SHA1:	c689e72eb1cf2b4c71dffcdfe44638ca66013af5
SHA256:	9c2297bef69362c32d50b6ab18a0f5274099e4fd8ac6c68119ff918975d8e71d
SHA512:	028e16c0df2a00f3a72d59ea612fddaa48b62dcbb73db17b0aee7ea791cb9d274b0e32118415cc19011f6948b3c17dff62dce80f4c37daa9b29468482d42d0aa
SSDEEP:	98304:uF/wLVIzIFPcYPAp7x4eXWkfPRHO6El2gEQu4lrRwuYU:uFILJ0YOeofpHO6EAmuh6
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q.7...Y...Y...Y.z.R...Y...W...Y.z.S.-.Y.w.J...Y...X._.Y...R...Y...]...Y.Rich..Y.........................PE..L...t7);...........

Signature Hits	Behavior Group	Mitre Attack
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_ca823b93c9345ee13ec5a9915514517e6e239_7522e4b5_e8a78a02-e37a-4086-8c01-d63afe47cecb\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_ca823b93c9345ee13ec5a9915514517e6e239_7522e4b5_e8a78a02-e37a-4086-8c01-d63afe47cecb\Report.wer
Category:	dropped
Dump:	Report.wer.7.dr
ID:	dr_3
Target ID:	7
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.8165214839964241
Encrypted:	false
Ssdeep:	192:BfOi6dOQWp0BU/wjeTbzuiF0Z24IO8dci:5OiBQWKBU/wjevzuiF0Y4IO8dci
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F60.tmp.dmp

Mini DuMP crash report, 14 streams, Thu Apr 25 03:28:02 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F60.tmp.dmp
Category:	dropped
Dump:	WER4F60.tmp.dmp.7.dr
ID:	dr_0
Target ID:	7
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Thu Apr 25 03:28:02 2024, 0x1205a4 type
Entropy:	2.003143388398665
Encrypted:	false
Ssdeep:	192:wQty0LyIdIO5H4eh0PXPFGBpFckz1d2rb42TemUGS0s46p:CU5Hlh0P/FopFcUCrb42TemUs6
Size:	43684
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER50A9.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER50A9.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER50A9.tmp.WERInternalMetadata.xml.7.dr
ID:	dr_1
Target ID:	7
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.688803662760526
Encrypted:	false
Ssdeep:	192:R6l7wVeJYK6906YRk6kgmfTRJPKprt89bGTsfcNCm:R6lXJt6O6YC6kgmfTRJPVG4fcZ
Size:	8258
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5118.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER5118.tmp.xml
Category:	dropped
Dump:	WER5118.tmp.xml.7.dr
ID:	dr_2
Target ID:	7
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.4568079433994425
Encrypted:	false
Ssdeep:	48:cvIwWl8zsirJg77aI9wMMDWpW8VY7QYm8M4JCdPKFzoh+q8/arlMGScSvd:uIjfCI7CMMy7Ve9JJohDlMJ3vd
Size:	4656
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.7.dr
ID:	dr_4
Target ID:	7
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.298847336397499
Encrypted:	false
Ssdeep:	6144:zECqOEmWfd+WQFHy/9026ZTyaRsCDusBqD5dooi8lySD6VJSRrf:4CsL6seqD5SzSWVARD
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Windows\System32\loaddll32.exe

loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.FraudLoad.F32_DET.Eldorado.15068.22232.dll"

Details

Is windows:	true
Is dropped:	false
PID:	5348
Target ID:	0
Parent PID:	2592
Name:	loaddll32.exe
Path:	C:\Windows\System32\loaddll32.exe
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.FraudLoad.F32_DET.Eldorado.15068.22232.dll"
Size:	126464
MD5:	51E6071F9CBA48E79F10C84515AAE618
Time:	05:28:01
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xff0000
Modulesize:	147456
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4104
Target ID:	1
Parent PID:	5348
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	05:28:01
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff68cce0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.FraudLoad.F32_DET.Eldorado.15068.22232.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	6712
Target ID:	2
Parent PID:	5348
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.FraudLoad.F32_DET.Eldorado.15068.22232.dll",#1
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	05:28:01
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xc30000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.FraudLoad.F32_DET.Eldorado.15068.22232.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	6416
Target ID:	4
Parent PID:	6712
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.FraudLoad.F32_DET.Eldorado.15068.22232.dll",#1
Size:	61440
MD5:	889B99C52A60DD49227C5E485A016679
Time:	05:28:01
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xf20000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6416 -s 568

Details

Is windows:	true
Is dropped:	false
PID:	6804
Target ID:	7
Parent PID:	6416
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6416 -s 568
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	05:28:02
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://upx.sf.net

unknown

http://www.flyingpig.com

unknown

http://www.flyingpig.com/support/hog2/downloads/

unknown

http://www.flyingpig.com/support/

unknown

http://www.installshield.com0

unknown