Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

jesovROZ8A.exe

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy:	7.9178862272744785
Filename:	jesovROZ8A.exe
Filesize:	202240
MD5:	039ce25d495fa555ae1c210592b564d0
SHA1:	6684d0ffde174052a03931981262dc0a7cb9891c
SHA256:	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab
SHA512:	c2be8d6b80e57339957f370b4ac31bd03140f9a9ed4865926eb6d7e5a69d3510b046930c1933d38629b4c3bcae007b6cf5e6140463ab6e064820cdd91bbd46bb
SSDEEP:	3072:RD9PfpJ/v2bIfdjba+htCsw0qv2AYjGX9E7e+q8EOADhpsWgXDeet78Bx/rUyMHL:RXJWbUTwsTqvdMO9nnSmphgTeE4B+8U
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F...'...'...'......h%......;'...k...'..0...C'...y...&..<&...%.......&..^....%...w...&...3...$.......$...7..Z&..Rich.'.........

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection,
Multi AV Scanner detection for submitted file	AV Detection,
Machine Learning detection for sample	AV Detection,
Checks if the current process is being debugged	Anti Debugging,	Virtualization/Sandbox Evasion Security Software Discovery
Detected potential crypto function	System Summary,	Archive Collected Data Encrypted Channel
Sample file is different than original file name gathered from version info	System Summary,
Uses 32bit PE files	Compliance, System Summary,
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation,
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary,
Reads software policies	System Summary,	System Information Discovery
Sample is known by Antivirus	System Summary,

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_jesovROZ8A.exe_43fc5ffcbae1f11637667ee26b773884583759_76289d07_174609fe\Report.wer

Little-endian UTF-16 Unicode text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_jesovROZ8A.exe_43fc5ffcbae1f11637667ee26b773884583759_76289d07_174609fe\Report.wer
Category:	dropped
Dump:	Report.wer.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Entropy:	3.7756645450844095
Encrypted:	false
Ssdeep:	192:d6lo4/KjHBUZMXYjRWV//u7s7S274ItDX2:H4/+BUZMXYjM/u7s7X4ItDX2
Size:	11734
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection,
Multi AV Scanner detection for submitted file	AV Detection,
Machine Learning detection for sample	AV Detection,
Sample file is different than original file name gathered from version info	System Summary,
Uses 32bit PE files	Compliance, System Summary,
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary,	Software Packing
Sample is known by Antivirus	System Summary,

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_jesovROZ8A.exe_43fc5ffcbae1f11637667ee26b773884583759_76289d07_1ac5feab\Report.wer

Little-endian UTF-16 Unicode text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_jesovROZ8A.exe_43fc5ffcbae1f11637667ee26b773884583759_76289d07_1ac5feab\Report.wer
Category:	dropped
Dump:	Report.wer.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Entropy:	3.7735213884049688
Encrypted:	false
Ssdeep:	192:detqH/8yKjHBUZMXYjdKV//u7sOS274ItDXs:lH/8y+BUZMXYjM/u7sOX4ItDXs
Size:	11736
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection,
Multi AV Scanner detection for submitted file	AV Detection,
Machine Learning detection for sample	AV Detection,
Sample file is different than original file name gathered from version info	System Summary,
Uses 32bit PE files	Compliance, System Summary,
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary,	Software Packing
Sample is known by Antivirus	System Summary,

C:\ProgramData\Microsoft\Windows\WER\Temp\WER28C.tmp.WERInternalMetadata.xml

XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER28C.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER28C.tmp.WERInternalMetadata.xml.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Entropy:	3.6994579938462806
Encrypted:	false
Ssdeep:	192:Rrl7r3GLNijt6jfy6YS/SUIUpblGgmfPjStCprF89brnesfH5m:RrlsNip6e6YqSUIU+gmfPjS/rndfU
Size:	8282
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER32A.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER32A.tmp.xml
Category:	dropped
Dump:	WER32A.tmp.xml.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.459246142148875
Encrypted:	false
Ssdeep:	48:cvIwSD8zs8tJgtWI98/EWSC8B1/8fm8M4JosSFL+q8qrVZ5P9M0h4sd:uITf8HNdSNsJ8tZ5P9MCdd
Size:	4622
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER97.tmp.dmp

Mini DuMP crash report, 14 streams, Sun Jan 31 23:52:05 2021, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER97.tmp.dmp
Category:	dropped
Dump:	WER97.tmp.dmp.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Sun Jan 31 23:52:05 2021, 0x1205a4 type
Entropy:	2.338919342839634
Encrypted:	false
Ssdeep:	192:/N/t2P6MvHmWzxUsxtr+AkK2VOD+wGt6t5Q3KrRMjCTx/aE6MC:GuWzxUsxx+bgTsZKruCTpP6MC
Size:	41942
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF4E7.tmp.dmp

Mini DuMP crash report, 14 streams, Sun Jan 31 23:48:57 2021, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERF4E7.tmp.dmp
Category:	dropped
Dump:	WERF4E7.tmp.dmp.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Sun Jan 31 23:48:57 2021, 0x1205a4 type
Entropy:	2.2142712366005073
Encrypted:	false
Ssdeep:	192:aIgGguASAaeMREMvIeWYxbsxzrpAkY2gA2wa7BU1a1RAf82Dik8lYF1:ouASuM/vWYxbsx3px1p2Bia1v2DikX1
Size:	47426
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6DC.tmp.WERInternalMetadata.xml

XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6DC.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERF6DC.tmp.WERInternalMetadata.xml.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Entropy:	3.697242777046635
Encrypted:	false
Ssdeep:	192:Rrl7r3GLNitk6oB6YSeSUtDSXgmfPjSE+CprR889b/usfo1m:RrlsNiu6O6YbSUtDqgmfPjScp/tfn
Size:	8284
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF74A.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERF74A.tmp.xml
Category:	dropped
Dump:	WERF74A.tmp.xml.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.460278992789587
Encrypted:	false
Ssdeep:	48:cvIwSD8zsRJgtWI9icWSC8BU8fm8M4JosSF8+q8qrNP9M0hpd:uITfjVVSNfJP1P9MCpd
Size:	4622
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\jesovROZ8A.exe

'C:\Users\user\Desktop\jesovROZ8A.exe'

Details

Is windows:	false
Is dropped:	false
PID:	2416
Target ID:	0
Parent PID:	5632
Name:	jesovROZ8A.exe
Path:	C:\Users\user\Desktop\jesovROZ8A.exe
Commandline:	'C:\Users\user\Desktop\jesovROZ8A.exe'
Size:	202240
MD5:	039CE25D495FA555AE1C210592B564D0
Time:	15:52:02
Date:	31/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	294912
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection,
Multi AV Scanner detection for submitted file	AV Detection,
Machine Learning detection for sample	AV Detection,
Sample file is different than original file name gathered from version info	System Summary,
Uses 32bit PE files	Compliance, System Summary,
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary,	Software Packing
Sample is known by Antivirus	System Summary,
Spawns processes	System Summary,	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 588

Details

Is windows:	true
Is dropped:	false
PID:	5888
Target ID:	2
Parent PID:	2416
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 588
Size:	434592
MD5:	9E2B8ACAD48ECCA55C0230D63623661B
Time:	15:52:03
Date:	31/01/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x230000
Modulesize:	442368
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary,
Spawns processes	System Summary,	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 588

Details

Is windows:	true
Is dropped:	false
PID:	6820
Target ID:	2
Parent PID:	6760
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 588
Size:	434592
MD5:	9E2B8ACAD48ECCA55C0230D63623661B
Time:	15:48:56
Date:	31/01/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xfe0000
Modulesize:	442368
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary,
Spawns processes	System Summary,	Process Injection

Registry

Path

Value

Malicious

C:\Windows\SysWOW64\WerFault.exe

AmiHivePermissionsCorrect

C:\Windows\SysWOW64\WerFault.exe

AmiHiveOwnerCorrect

C:\Windows\SysWOW64\WerFault.exe

ProgramId

C:\Windows\SysWOW64\WerFault.exe

FileId

C:\Windows\SysWOW64\WerFault.exe

LowerCaseLongPath

C:\Windows\SysWOW64\WerFault.exe

LongPathHash

C:\Windows\SysWOW64\WerFault.exe

Name

C:\Windows\SysWOW64\WerFault.exe

Publisher

C:\Windows\SysWOW64\WerFault.exe

Version

C:\Windows\SysWOW64\WerFault.exe

BinFileVersion

C:\Windows\SysWOW64\WerFault.exe

BinaryType

C:\Windows\SysWOW64\WerFault.exe

ProductName

C:\Windows\SysWOW64\WerFault.exe

ProductVersion

C:\Windows\SysWOW64\WerFault.exe

LinkDate

C:\Windows\SysWOW64\WerFault.exe

BinProductVersion

C:\Windows\SysWOW64\WerFault.exe

Size

C:\Windows\SysWOW64\WerFault.exe

Language

C:\Windows\SysWOW64\WerFault.exe

IsPeFile

C:\Windows\SysWOW64\WerFault.exe

IsOsComponent

C:\Windows\SysWOW64\WerFault.exe

ExceptionRecord

C:\Windows\SysWOW64\WerFault.exe

DeviceTicket

C:\Windows\SysWOW64\WerFault.exe

DeviceId

C:\Windows\SysWOW64\WerFault.exe

ApplicationFlags

C:\Windows\SysWOW64\WerFault.exe

00184004E81BE713

C:\Windows\SysWOW64\WerFault.exe

ProgramId

C:\Windows\SysWOW64\WerFault.exe

FileId

C:\Windows\SysWOW64\WerFault.exe

LowerCaseLongPath

C:\Windows\SysWOW64\WerFault.exe

LongPathHash

C:\Windows\SysWOW64\WerFault.exe

Name

C:\Windows\SysWOW64\WerFault.exe

Publisher

C:\Windows\SysWOW64\WerFault.exe

Version

C:\Windows\SysWOW64\WerFault.exe

BinFileVersion

C:\Windows\SysWOW64\WerFault.exe

BinaryType

C:\Windows\SysWOW64\WerFault.exe

ProductName

C:\Windows\SysWOW64\WerFault.exe

ProductVersion

C:\Windows\SysWOW64\WerFault.exe

LinkDate

C:\Windows\SysWOW64\WerFault.exe

BinProductVersion

C:\Windows\SysWOW64\WerFault.exe

Size

C:\Windows\SysWOW64\WerFault.exe

Language

C:\Windows\SysWOW64\WerFault.exe

IsPeFile

C:\Windows\SysWOW64\WerFault.exe

IsOsComponent

C:\Windows\SysWOW64\WerFault.exe

00184004E81B760A

There are 32 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

A60000

unkown

page readonly

442000

unkown image

page execute and read and write

80F000

stack

page read and write

446000

unkown image

page read and write

2A3000

unkown

page read and write

90F000

stack

page read and write

400000

unkown image

page readonly

29F000

unkown

page read and write

401000

unkown image

page execute and read and write

61A000

heap default

page read and write

400000

unkown image

page readonly

610000

heap default

page read and write

5E0000

unkown

page execute and read and write

416000

unkown image

page execute and write copy

530000

unkown

page readonly

400000

unkown image

page readonly

445000

unkown image

page execute and write copy

446000

unkown image

page write copy

59E000

unkown

page read and write

550000

heap default

page read and write

520000

unkown

page read and write

A50000

heap private

page read and write

450000

unkown

page readonly

19C000

stack

page read and write

A20000

heap private

page read and write

5DE000

unkown

page read and write

9D000

unkown

page read and write

There are 17 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

Registry

Memdumps