Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SY5DeZW6pz.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

MS-DOS executable

dropped

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SY5DeZW6pz.exe_5a1e64436764aeb06a12223e505a1adc0f838d9_cfc0479b_04a1246b\Report.wer

Little-endian UTF-16 Unicode text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\vSQshX.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vSQshX.exe_e41397ed243f95936a1fabef5fb2c6d1bf7554_3e01cb5b_16a9314c\Report.wer

Little-endian UTF-16 Unicode text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER182.tmp.dmp

Mini DuMP crash report, 14 streams, Wed Aug 31 21:41:32 2022, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1EED.tmp.dmp

Mini DuMP crash report, 15 streams, Wed Aug 31 21:41:40 2022, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER26BE.tmp.WERInternalMetadata.xml

XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2855.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F2.tmp.WERInternalMetadata.xml

XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E7.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\k1[1].rar

ASCII text

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\k2[1].rar

ASCII text

dropped

C:\Users\user\AppData\Local\Temp\584026FF.exe

ASCII text

modified

C:\Users\user\AppData\Local\Temp\7830502D.exe

ASCII text

dropped

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\bc49718863ee53e026d805ec372039e9_d06ed635-68f6-4e9a-955c-4899f5f57b9a

data

dropped

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

There are 8 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SY5DeZW6pz.exe

"C:\Users\user\Desktop\SY5DeZW6pz.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5580
Target ID:	0
Parent PID:	4692
Name:	SY5DeZW6pz.exe
Path:	C:\Users\user\Desktop\SY5DeZW6pz.exe
Commandline:	"C:\Users\user\Desktop\SY5DeZW6pz.exe"
Size:	960512
MD5:	536F2C1238EF65A64820C35D4504CE67
Time:	23:41:20
Date:	31/08/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf390000
Modulesize:	1134592
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Gandcrab	Spam, unwanted Advertisements and Ransom Demands
Yara detected ReflectiveLoader	Data Obfuscation
Found Tor onion address	Networking	Proxy
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\vSQshX.exe

Details

Is windows:	false
Is dropped:	true
PID:	5540
Target ID:	1
Parent PID:	5580
Name:	vSQshX.exe
Path:	C:\Users\user\AppData\Local\Temp\vSQshX.exe
Commandline:	C:\Users\user\AppData\Local\Temp\vSQshX.exe
Size:	15872
MD5:	56B2C3810DBA2E939A8BB9FA36D3CF96
Time:	23:41:21
Date:	31/08/2022
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xc20000
Modulesize:	36864
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 532

Details

Is windows:	true
Is dropped:	false
PID:	1276
Target ID:	4
Parent PID:	5580
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 532
Size:	434592
MD5:	9E2B8ACAD48ECCA55C0230D63623661B
Time:	23:41:29
Date:	31/08/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xdf0000
Modulesize:	442368
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 1432

Details

Is windows:	true
Is dropped:	false
PID:	5876
Target ID:	6
Parent PID:	5540
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 1432
Size:	434592
MD5:	9E2B8ACAD48ECCA55C0230D63623661B
Time:	23:41:38
Date:	31/08/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xdf0000
Modulesize:	442368
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://ddos.dnsnb8.net:799/cj//k3.rar%

unknown

http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b

unknown

http://ddos.dnsnb8.net:799/cj//k3.rar

unknown

http://ddos.dnsnb8.net:799/cj//k2.rar%

unknown

http://ddos.dnsnb8.net:799/cj//k2.rar

63.251.106.25

http://ddos.dnsnb8.net/&

unknown

http://ddos.dnsnb8.net:799/cj//k1.rar

63.251.106.25

http://www.activestate.com

unknown

http://www.develop.comYann

unknown

http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE

unknown

http://www.baanboard.comPraveen

unknown

http://upx.sf.net

unknown

http://www.rftp.com

unknown

https://www.torproject.org/

unknown

http://www.scintilla.org

unknown

http://www.activestate.comJames

unknown

http://www.develop.com

unknown

http://www.lua.org

unknown

http://www.spaceblue.comDenis

unknown

http://www.spaceblue.com

unknown

http://www.rftp.comSteve

unknown

http://www.baanboard.com

unknown

http://www.scintila.org/scite.rng

unknown

http://www.autoitscript.com/autoit3/scite

unknown

https://tox.chat/download.html

unknown

There are 15 hidden URLs, click here to show them.

Domains

Name

Malicious

ddos.dnsnb8.net

63.251.106.25

Details

Name:	ddos.dnsnb8.net
IP:	63.251.106.25
TargetID:	1
Current Path:	C:\Users\user\AppData\Local\Temp\vSQshX.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

63.251.106.25

ddos.dnsnb8.net

United States

Details

IP:	63.251.106.25
TargetID:	1
Current Path:	C:\Users\user\AppData\Local\Temp\vSQshX.exe
Country:	United States
Countrycode:	USA
ASN number:	29791
ASN name:	VOXEL-DOT-NETUS
Private:	false
Domain:	ddos.dnsnb8.net

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

192.168.2.1

unknown

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AmiHivePermissionsCorrect

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AmiHiveOwnerCorrect