Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.W32.AIDetect.malware1.23460.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	7.322432304733337
Filename:	SecuriteInfo.com.W32.AIDetect.malware1.23460.dll
Filesize:	544768
MD5:	d633b0989e97dc05b09b6233fb53cf37
SHA1:	6e5a7f0493fea40bd213209ad06f4dd9069969ed
SHA256:	03ba158e40b1f9c80c0430cd9a06f00bcbddd3826a5965fccb4ac5b242b91a2c
SHA512:	28a594e2f150c7f9a970f068072fe92bcc4c08dc28893023675fec9ea60926c36c044f8200ff6b5759c6173a2ab3771fa18545c3fa8b9c5328ff54e615eb705c
SSDEEP:	6144:0k+RYf/Mv1UvT4vjYf/Glpov3KvfMvLo+jwHk3UryzU3+R7ff4evm35IQku4+pMs:0kt2UAogoOwhx7nA4+pMTg
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<..k....<...=.S.<.=.....<.......<.......<.t.?...<.t.=.4.<.L.9...<.t...0.<..k....<..0..x.<.......<..1....<..k....<

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Uses 32bit PE files	Compliance, System Summary
Sample file is different than original file name gathered from version info	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_435bf9987f6a7ee95ec1aabecf98fbf5b0b7b2_82810a17_131cfb8a\Report.wer

Little-endian UTF-16 Unicode text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_435bf9987f6a7ee95ec1aabecf98fbf5b0b7b2_82810a17_131cfb8a\Report.wer
Category:	dropped
Dump:	Report.wer.7.dr
ID:	dr_3
Target ID:	7
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Entropy:	0.9219508196362544
Encrypted:	false
Ssdeep:	192:3EZiT0oXy5/HBUZMX4jed+yf/u7sYS274ItWc:GiNXy5/BUZMX4je3f/u7sYX4ItWc
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1C9.tmp.dmp

Mini DuMP crash report, 14 streams, Thu Dec 23 04:10:37 2021, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1C9.tmp.dmp
Category:	dropped
Dump:	WERE1C9.tmp.dmp.7.dr
ID:	dr_0
Target ID:	7
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Thu Dec 23 04:10:37 2021, 0x1205a4 type
Entropy:	2.0556218445180456
Encrypted:	false
Ssdeep:	192:WpMgAEEcxd3VvzLO5SkbmQsMO5efz9g3jF0F+MOl9NdniI:Q3Fe5LbpsMOWzS0FtOl9vi
Size:	46356
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE8FD.tmp.WERInternalMetadata.xml

XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERE8FD.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERE8FD.tmp.WERInternalMetadata.xml.7.dr
ID:	dr_1
Target ID:	7
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Entropy:	3.6885132910410148
Encrypted:	false
Ssdeep:	192:Rrl7r3GLNicp67Og56YBDq6cgmfT/mSWCprk89bXEsf3Adm:RrlsNii676YBO6cgmfT/mSfX3f3
Size:	8326
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREBBD.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WEREBBD.tmp.xml
Category:	dropped
Dump:	WEREBBD.tmp.xml.7.dr
ID:	dr_2
Target ID:	7
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.490369220814527
Encrypted:	false
Ssdeep:	48:cvIwSD8zsPJgtWI9XHWSC8B18fm8M4JCdsD6hF+NgW+q8/QYBH4SrSh6d:uITfxE2SNMJlTgWVeDWh6d
Size:	4698
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.7.dr
ID:	dr_4
Target ID:	7
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.276319444681263
Encrypted:	false
Ssdeep:	12288:n7n8Dpvri2L28pTOUEr71nmFnj40sd22Cq69fqiELV1XeaeTsllkqU:7n8Dpvri2L28pTbz
Size:	1572864
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve.LOG1
Category:	dropped
Dump:	Amcache.hve.LOG1.7.dr
ID:	dr_5
Target ID:	7
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.032823767487586
Encrypted:	false
Ssdeep:	384:FJYJ5Rftx1QPJ4XLsFcnE7kvPBqXASeq5QMVyi6+/Jl4Lk4UZd1DoXznZXvwv0:PYXRftx1mJ4XoFcE74BqXTeq5QMVyi6o
Size:	24576
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Windows\System32\loaddll32.exe

loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll"

Details

Is windows:	true
Is dropped:	false
PID:	6196
Target ID:	0
Parent PID:	2236
Name:	loaddll32.exe
Path:	C:\Windows\System32\loaddll32.exe
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll"
Size:	116736
MD5:	7DEB5DB86C0AC789123DEC286286B938
Time:	20:10:29
Date:	22/12/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x12a0000
Modulesize:	135168
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Dridex unpacked file	E-Banking Fraud
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	3324
Target ID:	1
Parent PID:	6196
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1
Size:	232960
MD5:	F3BDBE3BB6F734E357235F4D5898582D
Time:	20:10:30
Date:	22/12/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xd80000
Modulesize:	364544
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Call by Ordinal	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	2964
Target ID:	3
Parent PID:	3324
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1
Size:	61952
MD5:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Time:	20:10:30
Date:	22/12/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x250000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Dridex unpacked file	E-Banking Fraud
Sigma detected: Suspicious Call by Ordinal	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 672

Details

Is windows:	true
Is dropped:	false
PID:	4764
Target ID:	7
Parent PID:	2964
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 672
Size:	434592
MD5:	9E2B8ACAD48ECCA55C0230D63623661B
Time:	20:10:34
Date:	22/12/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x11b0000
Modulesize:	442368
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	7
From Memory:	true
Current Path:	C:\Windows\SysWOW64\WerFault.exe
Source:	Amcache.hve.7.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.n4pkg6fy8o.gaDVarFileInfo$

unknown

Details

Name:	http://www.n4pkg6fy8o.gaDVarFileInfo$
TargetID:	0
From Memory:	true
Current Path:	C:\Windows\System32\loaddll32.exe
Source:	loaddll32.exe, 00000000.00000002.819400491.000000006EC4F000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.300427683.000000006EC4F000.00000002.00020000.sdmp
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

185.4.135.27

unknown

Greece

Details

IP:	185.4.135.27
TargetID:	255
Country:	Greece
Countrycode:	GRC
ASN number:	199246
ASN name:	TOPHOSTGR
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

85.10.248.28

unknown

Germany

Details

IP:	85.10.248.28
TargetID:	255
Country:	Germany
Countrycode:	DEU
ASN number:	24940
ASN name:	HETZNER-ASDE
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

80.211.3.13

unknown

Italy

Details

IP:	80.211.3.13
TargetID:	255
Country:	Italy
Countrycode:	ITA
ASN number:	31034
ASN name:	ARUBA-ASNIT
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

144.91.122.102

unknown

Germany

Details

IP:	144.91.122.102
TargetID:	255
Country:	Germany
Countrycode:	DEU
ASN number:	51167
ASN name:	CONTABODE
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AmiHivePermissionsCorrect

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AmiHiveOwnerCorrect