Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

vy3mvlAaCZ.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.497360445509992
Filename:	vy3mvlAaCZ.exe
Filesize:	159232
MD5:	1873a210d41acdef243e921f3810803a
SHA1:	6fa90a229148759d12c63bee342e55fa887f6976
SHA256:	34c779bada9918972748153c3f618d6656148748478beec1ec57c7bb5e363593
SHA512:	2a45638cc994e6e3af3fe3f7ec153235591c5e07893665485a0e564aefce1f9a8d8da9146b1d7eeab45c09f3fb4afa56107467013fe4e490800546827af96676
SSDEEP:	3072:l5K/B0toL6SNJmlZHQsozTS+SMqqDL2/TrKdcG:lcytw/u1yTS+xqqDL6HKL
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..{...(...(...(...(...(..?(...(T.?(...(T..(...(T.>(w..(..M(...(...(...(..:(...(...(...(Rich...(........................PE..L..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Machine Learning detection for sample	AV Detection
Found API chain indicative of sandbox detection	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Uses 32bit PE files	Compliance, System Summary
Yara signature match	System Summary
Antivirus or Machine Learning detection for unpacked file	AV Detection	Software Packing
One or more processes crash	System Summary
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information Security Software Discovery
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Found large amount of non-executed APIs	Malware Analysis System Evasion
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Sample is known by Antivirus	System Summary
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Contains functionality to query windows version	Language, Device and Operating System Detection
Program exit points	Malware Analysis System Evasion
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vy3mvlAaCZ.exe_6074d93d852c1785169ec71e797e6a243c122_d0e789f3_1326a322\Report.wer

Little-endian UTF-16 Unicode text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vy3mvlAaCZ.exe_6074d93d852c1785169ec71e797e6a243c122_d0e789f3_1326a322\Report.wer
Category:	dropped
Dump:	Report.wer.3.dr
ID:	dr_3
Target ID:	3
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Entropy:	0.673804623399491
Encrypted:	false
Ssdeep:	96:kbFWtfhs1Dg3fDUpXIQcQvc6QcEDMcw3Db+HbHg/8BRTf3OyWZAXGng5FMTPSkvu:WsKHBUZMXYjuq/u7svIS274Itwl
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vy3mvlAaCZ.exe_6074d93d852c1785169ec71e797e6a243c122_d0e789f3_15f13808\Report.wer

Little-endian UTF-16 Unicode text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vy3mvlAaCZ.exe_6074d93d852c1785169ec71e797e6a243c122_d0e789f3_15f13808\Report.wer
Category:	dropped
Dump:	Report.wer.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Entropy:	0.6759231119557786
Encrypted:	false
Ssdeep:	96:/0FQKV2fhs1Dg3fDUpXIQcQvc6QcEDMcw3Db+HbHg/8BRTf3OyWZAXGng5FMTPSq:MuKVBHBUZMXYjuq/u7sZS274Itw
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER97F6.tmp.dmp

Mini DuMP crash report, 14 streams, Thu Sep 1 06:59:26 2022, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER97F6.tmp.dmp
Category:	dropped
Dump:	WER97F6.tmp.dmp.3.dr
ID:	dr_0
Target ID:	3
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Thu Sep 1 06:59:26 2022, 0x1205a4 type
Entropy:	1.8846641325885034
Encrypted:	false
Ssdeep:	96:5P8M8M/mnPXq82qhi7o5g+f0lltRuii8Y6ATZK+TD5iWI3WIX7I2Qej:WUmnP1OGcltMGuK+TmQe
Size:	35404
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A1A.tmp.WERInternalMetadata.xml

XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A1A.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER9A1A.tmp.WERInternalMetadata.xml.3.dr
ID:	dr_1
Target ID:	3
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Entropy:	3.696981182329922
Encrypted:	false
Ssdeep:	192:Rrl7r3GLNiLz6e6Yq0SUZKgmfgdSPvCpr189bGMsfLCm:RrlsNi/6e6YJSUZKgmfgdSdGffP
Size:	8278
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B44.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B44.tmp.xml
Category:	dropped
Dump:	WER9B44.tmp.xml.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.442876235276256
Encrypted:	false
Ssdeep:	48:cvIwSD8zspJgtWI9qUWgc8sqYji8fm8M4JNWFXhho+q8FCevxEATULMd:uITf7hNgrsqYrJ0hyXevOATULMd
Size:	4563
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C8E.tmp.dmp

Mini DuMP crash report, 14 streams, Thu Sep 1 06:51:57 2022, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C8E.tmp.dmp
Category:	dropped
Dump:	WER2C8E.tmp.dmp.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Thu Sep 1 06:51:57 2022, 0x1205a4 type
Entropy:	1.9834403820735447
Encrypted:	false
Ssdeep:	96:5y8b8M/8BXAHF8i7oFRz62llKlyhMD+TD7mD8I8oiq0e8pDmTDyJAZzmxWXpWIR6:zL8BQGOXClBhMD+TI8JO+0yxxewj
Size:	33352
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2EB2.tmp.WERInternalMetadata.xml

XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER2EB2.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER2EB2.tmp.WERInternalMetadata.xml.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Entropy:	3.6997139229664695
Encrypted:	false
Ssdeep:	192:Rrl7r3GLNiuR6LzgMip6Yq8SUlF0SgmfgdSpCprY89b3asf5vdm:RrlsNiY64Mip6YRSUlbgmfgdSU35f54
Size:	8284
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER300B.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER300B.tmp.xml
Category:	dropped
Dump:	WER300B.tmp.xml.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.44811839040715
Encrypted:	false
Ssdeep:	48:cvIwSD8zs4tJgtWI97zWgc8sqYjC8fm8M4JNWF9+q8Fk0xEATULzd:uITf4H0CgrsqY7JIIOATULzd
Size:	4563
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\vy3mvlAaCZ.exe

"C:\Users\user\Desktop\vy3mvlAaCZ.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4268
Target ID:	0
Parent PID:	5352
Name:	vy3mvlAaCZ.exe
Path:	C:\Users\user\Desktop\vy3mvlAaCZ.exe
Commandline:	"C:\Users\user\Desktop\vy3mvlAaCZ.exe"
Size:	159232
MD5:	1873A210D41ACDEF243E921F3810803A
Time:	23:59:22
Date:	31/08/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x930000
Modulesize:	180224
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Gandcrab	Spam, unwanted Advertisements and Ransom Demands
Yara detected ReflectiveLoader	Data Obfuscation
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 244

Details

Is windows:	true
Is dropped:	false
PID:	4940
Target ID:	3
Parent PID:	4268
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 244
Size:	434592
MD5:	9E2B8ACAD48ECCA55C0230D63623661B
Time:	23:59:24
Date:	31/08/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x970000
Modulesize:	442368
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 244

Details

Is windows:	true
Is dropped:	false
PID:	5556
Target ID:	2
Parent PID:	4876
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 244
Size:	434592
MD5:	9E2B8ACAD48ECCA55C0230D63623661B
Time:	23:51:56
Date:	31/08/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xde0000
Modulesize:	442368
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AmiHivePermissionsCorrect

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AmiHiveOwnerCorrect

\REGISTRY\A\{d00e812a-86e8-84c0-8225-ffbd1764ff1a}\Root\InventoryApplicationFile\vy3mvlaacz.exe|9c7091c0

ProgramId

\REGISTRY\A\{d00e812a-86e8-84c0-8225-ffbd1764ff1a}\Root\InventoryApplicationFile\vy3mvlaacz.exe|9c7091c0

FileId

\REGISTRY\A\{d00e812a-86e8-84c0-8225-ffbd1764ff1a}\Root\InventoryApplicationFile\vy3mvlaacz.exe|9c7091c0

LowerCaseLongPath

\REGISTRY\A\{d00e812a-86e8-84c0-8225-ffbd1764ff1a}\Root\InventoryApplicationFile\vy3mvlaacz.exe|9c7091c0

LongPathHash

\REGISTRY\A\{d00e812a-86e8-84c0-8225-ffbd1764ff1a}\Root\InventoryApplicationFile\vy3mvlaacz.exe|9c7091c0

Name

\REGISTRY\A\{d00e812a-86e8-84c0-8225-ffbd1764ff1a}\Root\InventoryApplicationFile\vy3mvlaacz.exe|9c7091c0

Publisher

\REGISTRY\A\{d00e812a-86e8-84c0-8225-ffbd1764ff1a}\Root\InventoryApplicationFile\vy3mvlaacz.exe|9c7091c0

Version

\REGISTRY\A\{d00e812a-86e8-84c0-8225-ffbd1764ff1a}\Root\InventoryApplicationFile\vy3mvlaacz.exe|9c7091c0

BinFileVersion

\REGISTRY\A\{d00e812a-86e8-84c0-8225-ffbd1764ff1a}\Root\InventoryApplicationFile\vy3mvlaacz.exe|9c7091c0

BinaryType

\REGISTRY\A\{d00e812a-86e8-84c0-8225-ffbd1764ff1a}\Root\InventoryApplicationFile\vy3mvlaacz.exe|9c7091c0

ProductName

\REGISTRY\A\{d00e812a-86e8-84c0-8225-ffbd1764ff1a}\Root\InventoryApplicationFile\vy3mvlaacz.exe|9c7091c0

ProductVersion

\REGISTRY\A\{d00e812a-86e8-84c0-8225-ffbd1764ff1a}\Root\InventoryApplicationFile\vy3mvlaacz.exe|9c7091c0

LinkDate

\REGISTRY\A\{d00e812a-86e8-84c0-8225-ffbd1764ff1a}\Root\InventoryApplicationFile\vy3mvlaacz.exe|9c7091c0

BinProductVersion

\REGISTRY\A\{d00e812a-86e8-84c0-8225-ffbd1764ff1a}\Root\InventoryApplicationFile\vy3mvlaacz.exe|9c7091c0

Size

\REGISTRY\A\{d00e812a-86e8-84c0-8225-ffbd1764ff1a}\Root\InventoryApplicationFile\vy3mvlaacz.exe|9c7091c0

Language

\REGISTRY\A\{d00e812a-86e8-84c0-8225-ffbd1764ff1a}\Root\InventoryApplicationFile\vy3mvlaacz.exe|9c7091c0

IsPeFile

\REGISTRY\A\{d00e812a-86e8-84c0-8225-ffbd1764ff1a}\Root\InventoryApplicationFile\vy3mvlaacz.exe|9c7091c0

IsOsComponent

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug

ExceptionRecord

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceTicket

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceId

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

ApplicationFlags

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property

001840064172BCE4