Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Trojan.TR.ATRAPS.Gen.28277.5978.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	6.519494951757422
Filename:	SecuriteInfo.com.Trojan.TR.ATRAPS.Gen.28277.5978.exe
Filesize:	3121152
MD5:	9ec45fd755974a8b50342ee6dd8205e7
SHA1:	76f0aeb1891a895cee93aad524d37cc444344dbc
SHA256:	d67de542a7c8c3535b0a79589d4ba10880bd97e4c126038c13a2efaa5d854a64
SHA512:	2a27f0ca6bd953145a3daa0d03046c9a7ef96d22ed33bc6f21cfd1917848e1a783f780f642d8e86836c5bcf4abe7b1314604025fb50ff11929d1353fdd6f1a95
SSDEEP:	49152:MPOqWKcR4SmJruozxkweqUaJpCCEBuTcWk+ot:+OdKX9zxkweqLlEBddt
Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM..................'...........(....

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Detected potential crypto function	System Summary	Security Software Discovery Archive Collected Data Encrypted Channel
One or more processes crash	System Summary
PE file contains sections with non-standard names	Data Obfuscation
PE file does not import any functions	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking	Security Software Discovery
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_cd747641856f9a2967ad14e23498f88a3b0c989_9a399071_2b80367a-b9a8-4c78-9d2c-1ef668460b7e\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_cd747641856f9a2967ad14e23498f88a3b0c989_9a399071_2b80367a-b9a8-4c78-9d2c-1ef668460b7e\Report.wer
Category:	dropped
Dump:	Report.wer.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.6808283954874877
Encrypted:	false
Ssdeep:	96:wPFDaG39+hqsGhMyoI7JfYQXIDcQvc6QcEVcw3cE//+HbHg6ZAX/d5FMT2SlPkpq:eJaG39oql0BU/YjEzuiFGZ24IO8A
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA9A8.tmp.dmp

Mini DuMP crash report, 14 streams, Thu Apr 25 17:24:18 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERA9A8.tmp.dmp
Category:	dropped
Dump:	WERA9A8.tmp.dmp.4.dr
ID:	dr_0
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Thu Apr 25 17:24:18 2024, 0x1205a4 type
Entropy:	1.9686712532799382
Encrypted:	false
Ssdeep:	96:5y8RE3AyR4GuL6i7nKU+tC3p2sOWIXWIikI4MbOiFvdvT:DYOlQC3HoMKiFvdv
Size:	18596
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA07.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA07.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERAA07.tmp.WERInternalMetadata.xml.4.dr
ID:	dr_1
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.711111274471374
Encrypted:	false
Ssdeep:	192:R6l7wVeJYT6jy6YeLSU9RgmfZhgprj89bkYsfgRMm:R6lXJk6jy6YSSU9RgmffhkLf+
Size:	8474
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA75.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA75.tmp.xml
Category:	dropped
Dump:	WERAA75.tmp.xml.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.6020446139820175
Encrypted:	false
Ssdeep:	48:cvIwWl8zs9rJg77aI9YDWpW8VYH0Ym8M4JyBKBWVFY+q8zBy+AwB/+qB/Wd:uIjfPI76y7VQJyMBi/9p+qpWd
Size:	4809
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.298760230123356
Encrypted:	false
Ssdeep:	6144:WECqOEmWfd+WQFNy/9026ZTyaRsCDusBqD5dooi8lsSD6VJSRZs:LCWL6seqD5S1SWVARq
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.ATRAPS.Gen.28277.5978.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.ATRAPS.Gen.28277.5978.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3108
Target ID:	0
Parent PID:	2592
Name:	SecuriteInfo.com.Trojan.TR.ATRAPS.Gen.28277.5978.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.ATRAPS.Gen.28277.5978.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.ATRAPS.Gen.28277.5978.exe"
Size:	3121152
MD5:	9EC45FD755974A8B50342EE6DD8205E7
Time:	19:24:17
Date:	25/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	3121152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
PE file contains sections with non-standard names	Data Obfuscation
PE file does not import any functions	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 232

Details

Is windows:	true
Is dropped:	false
PID:	6844
Target ID:	4
Parent PID:	3108
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 232
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	19:24:18
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7b0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://www.clamav.net

unknown

Details

Name:	http://www.clamav.net
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.ATRAPS.Gen.28277.5978.exe
Source:	SecuriteInfo.com.Trojan.TR.ATRAPS.Gen.28277.5978.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://upx.sf.net

unknown

http://www.indyproject.org/

unknown

http://InetURL:/1.0

unknown

Details

Name:	http://InetURL:/1.0
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.ATRAPS.Gen.28277.5978.exe
Source:	SecuriteInfo.com.Trojan.TR.ATRAPS.Gen.28277.5978.exe
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking