Automated Malware Analysis IOC Report for

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.469320228864725
Filename:	file.exe
Filesize:	238080
MD5:	a3b774ed5023f56970eea0668ae65703
SHA1:	3aebfec7980d1db1edbeccbb29044ea677be304b
SHA256:	f4f6bcce8531ffa055776e57b0f650b7f87049808e3b29d65fab79ec841ed81c
SHA512:	98a9ec33206f8074104b2ecb19026cdbbe1a313e8f2be6ab088611c9c2dda1b7aaaf10a610376acbc9c5448076becc4685ef364d78dfbbb2eabfb3ddcf0117f6
SSDEEP:	6144:iV8tR1u52up3sfkVXJYS1Ne/1z0BvEQTEOMEd:iV8trKM87YS1Ne9zY8MEtEd
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}...............N1......N'.................D....N ......N0......N5.....Rich............PE..L.....8a...........................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Security Software Discovery System Information Discovery
One or more processes crash	System Summary
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
PE file contains executable resources (Code or Archives)	System Summary
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading Security Software Discovery
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Drops PE files	Persistence and Installation Behavior
Checks if the current process is being debugged	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Sample is known by Antivirus	System Summary
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Uses an in-process (OLE) Automation server	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary
Creates temporary files	System Summary	Security Software Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
Reads ini files	System Summary	File and Directory Discovery
URLs found in memory or binary data	Networking	Security Software Discovery
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains a debug data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_19a29c4013ef4dd44ec0ddb13aa79330f349af61_440dec59_0f5aa088\Report.wer
Category:	dropped
Dump:	Report.wer.39.dr
ID:	dr_51
Target ID:	39
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.9615479906283381
Encrypted:	false
Ssdeep:	192:+VCfavsSHox3uWI3jDyrD/u7scS274ItmFBx:Cjox3uNjg/u7scX4ItU
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5d9419a62ad22f2f3dad8325a855f3b6c07dd93d_440dec59_050a1b5a\Report.wer
Category:	dropped
Dump:	Report.wer.30.dr
ID:	dr_46
Target ID:	30
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.9125206160115215
Encrypted:	false
Ssdeep:	192:D8VCfavDzH56rfI3jDyc/u7shS274ItmFBx:DMv56rojD/u7shX4ItU
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5d9419a62ad22f2f3dad8325a855f3b6c07dd93d_440dec59_11c5ac93\Report.wer
Category:	dropped
Dump:	Report.wer.20.dr
ID:	dr_34
Target ID:	20
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.8590430290576522
Encrypted:	false
Ssdeep:	192:ZVCfavHzH56rfI3jDm/u7shS274ItmFBx:DT56rojC/u7shX4ItU
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5d9419a62ad22f2f3dad8325a855f3b6c07dd93d_440dec59_12a5b81c\Report.wer
Category:	dropped
Dump:	Report.wer.24.dr
ID:	dr_38
Target ID:	24
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.8787028216016062
Encrypted:	false
Ssdeep:	192:m4VCfavuzH56rfI3jDym/u7shS274ItmFBx:/E56rojJ/u7shX4ItU
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5d9419a62ad22f2f3dad8325a855f3b6c07dd93d_440dec59_14656e32\Report.wer
Category:	dropped
Dump:	Report.wer.4.dr
ID:	dr_18
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.8358188215804623
Encrypted:	false
Ssdeep:	192:CVCfavUzH56rfI3jDB/u7sGS274ItmFBx:ei56rojl/u7sGX4ItU
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5d9419a62ad22f2f3dad8325a855f3b6c07dd93d_440dec59_15d97769\Report.wer
Category:	dropped
Dump:	Report.wer.6.dr
ID:	dr_20
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.8356682104401857
Encrypted:	false
Ssdeep:	192:Z5VCfav6zH56rfI3jDB/u7sGS274ItmFBx:dA56rojl/u7sGX4ItU
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5d9419a62ad22f2f3dad8325a855f3b6c07dd93d_440dec59_16118592\Report.wer
Category:	dropped
Dump:	Report.wer.8.dr
ID:	dr_26
Target ID:	8
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.8358981846766972
Encrypted:	false
Ssdeep:	192:hkVCfavhzH56rfI3jDB/u7sGS274ItmFBx:y156rojl/u7sGX4ItU
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5d9419a62ad22f2f3dad8325a855f3b6c07dd93d_440dec59_1669c460\Report.wer
Category:	dropped
Dump:	Report.wer.27.dr
ID:	dr_42
Target ID:	27
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.8921234333730086
Encrypted:	false
Ssdeep:	192:jErVCfavuzH56rfI3jDyH/u7shS274ItmFBx:jEpE56roj4/u7shX4ItU
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5d9419a62ad22f2f3dad8325a855f3b6c07dd93d_440dec59_167963e1\Report.wer
Category:	dropped
Dump:	Report.wer.2.dr
ID:	dr_14
Target ID:	2
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.8220738451315124
Encrypted:	false
Ssdeep:	192:pZNVCfavtzH56rfI3jDk/u7sGS274ItmFBx:pZPx56rojg/u7sGX4ItU
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5d9419a62ad22f2f3dad8325a855f3b6c07dd93d_440dec59_17059f44\Report.wer
Category:	dropped
Dump:	Report.wer.13.dr
ID:	dr_30
Target ID:	13
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.8358726160645562
Encrypted:	false
Ssdeep:	192:TVCfavQzH56rfI3jDB/u7sGS274ItmFBx:xe56rojl/u7sGX4ItU
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\soft[1]
Category:	dropped
Dump:	soft[1].0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.275018147968825
Encrypted:	false
Ssdeep:	49152:+/PD/DL/D9CuZrr2h60qPPB+lJJkF9IC966eB+lJJkF9IC966eB+lJJkF9IC966h:+3D///UUrP43m8C/3m8C/3m8C5
Size:	3947920
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dll[1]
Category:	dropped
Dump:	dll[1].0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.47050397947197
Encrypted:	false
Ssdeep:	6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG
Size:	242176
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Bunifu_UI_v1.5.3.dll
Category:	dropped
Dump:	Bunifu_UI_v1.5.3.dll.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.47050397947197
Encrypted:	false
Ssdeep:	6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG
Size:	242176
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery

Details

File:	C:\Users\user\AppData\Local\Temp\aQULKwbFPdioo894n025t\Cleaner.exe
Category:	dropped
Dump:	Cleaner.exe.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.275018147968825
Encrypted:	false
Ssdeep:	49152:+/PD/DL/D9CuZrr2h60qPPB+lJJkF9IC966eB+lJJkF9IC966eB+lJJkF9IC966h:+3D///UUrP43m8C/3m8C/3m8C5
Size:	3947920
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads the hosts file	System Summary	Remote System Discovery
Spawns processes	System Summary	Process Injection
Uses Microsoft Silverlight	System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_445db5b1e911895cef210568c60f7d906ed046_440dec59_126996c2\Report.wer
Category:	dropped
Dump:	Report.wer.28.dr
ID:	dr_51
Target ID:	28
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.9823734558168841
Encrypted:	false
Ssdeep:	192:cStzCfavo7Hox3uNP3jDyr+/u7sKS274ItmOBxJ:cSZ+ox3uVjd/u7sKX4ItR
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_aa89147a1632e1dc9dc974cd4d3dc4b44506e_440dec59_0b008542\Report.wer
Category:	dropped
Dump:	Report.wer.11.dr
ID:	dr_26
Target ID:	11
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.8370796279502537
Encrypted:	false
Ssdeep:	192:/Dd5zCfavNqH56rIP3jDB/u7slS274ItmOBx:JlA56rQjl/u7slX4ItR
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_aa89147a1632e1dc9dc974cd4d3dc4b44506e_440dec59_0d406b90\Report.wer
Category:	dropped
Dump:	Report.wer.7.dr
ID:	dr_22
Target ID:	7
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.8371767119643627
Encrypted:	false
Ssdeep:	192:9zCfavyqH56rIP3jDB/u7slS274ItmOBxi:JZ56rQjl/u7slX4ItR
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_aa89147a1632e1dc9dc974cd4d3dc4b44506e_440dec59_0ee88fc2\Report.wer
Category:	dropped
Dump:	Report.wer.13.dr
ID:	dr_30
Target ID:	13
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.8371606978605497
Encrypted:	false
Ssdeep:	192:Q6zCfavuqH56rIP3jDB/u7slS274ItmOBx:QQ156rQjl/u7slX4ItR
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_aa89147a1632e1dc9dc974cd4d3dc4b44506e_440dec59_146c4ac9\Report.wer
Category:	dropped
Dump:	Report.wer.3.dr
ID:	dr_14
Target ID:	3
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.8229995583664064
Encrypted:	false
Ssdeep:	192:bGzCfavgqH56rIP3jDk/u7slS274ItmOBx:b8/56rQjg/u7slX4ItR
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_aa89147a1632e1dc9dc974cd4d3dc4b44506e_440dec59_147c56fe\Report.wer
Category:	dropped
Dump:	Report.wer.5.dr
ID:	dr_15
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.8372423344232678
Encrypted:	false
Ssdeep:	192:59zCfavbqH56rIP3jDB/u7slS274ItmOBx:3G56rQjl/u7slX4ItR
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_aa89147a1632e1dc9dc974cd4d3dc4b44506e_440dec59_14851770\Report.wer
Category:	dropped
Dump:	Report.wer.21.dr
ID:	dr_47
Target ID:	21
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.9136302872278061
Encrypted:	false
Ssdeep:	192:2zCfavGqH56rIP3jDyc/u7sKS274ItmOBxl:M956rQjD/u7sKX4ItR
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_aa89147a1632e1dc9dc974cd4d3dc4b44506e_440dec59_160c9d5e\Report.wer
Category:	dropped
Dump:	Report.wer.15.dr
ID:	dr_34
Target ID:	15
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.8601420861951884
Encrypted:	false
Ssdeep:	192:75czCfavjqH56rIP3jDm/u7slS274ItmOBx:756e56rQjC/u7slX4ItR
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_aa89147a1632e1dc9dc974cd4d3dc4b44506e_440dec59_1688a9a3\Report.wer
Category:	dropped
Dump:	Report.wer.17.dr
ID:	dr_38
Target ID:	17
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.879641008331665
Encrypted:	false
Ssdeep:	192:C6gzCfavbqH56rIP3jDym/u7slS274ItmOBx:ClG56rQjJ/u7slX4ItR
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_aa89147a1632e1dc9dc974cd4d3dc4b44506e_440dec59_1774bb65\Report.wer
Category:	dropped
Dump:	Report.wer.19.dr
ID:	dr_41
Target ID:	19
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.8934864854284043
Encrypted:	false
Ssdeep:	192:ia5zCfavNqH56rIP3jDyH/u7slS274ItmOBx:vlA56rQj4/u7slX4ItR
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\soft[1]
Category:	dropped
Dump:	soft[1].0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.275018147968825
Encrypted:	false
Ssdeep:	49152:+/PD/DL/D9CuZrr2h60qPPB+lJJkF9IC966eB+lJJkF9IC966eB+lJJkF9IC966h:+3D///UUrP43m8C/3m8C/3m8C5
Size:	3947920
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\dll[1]
Category:	dropped
Dump:	dll[1].0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.47050397947197
Encrypted:	false
Ssdeep:	6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG
Size:	242176
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Bunifu_UI_v1.5.3.dll
Category:	dropped
Dump:	Bunifu_UI_v1.5.3.dll.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.47050397947197
Encrypted:	false
Ssdeep:	6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG
Size:	242176
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery

Details

File:	C:\Users\user\AppData\Local\Temp\du2kVBqiTxfv\Cleaner.exe
Category:	dropped
Dump:	Cleaner.exe.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.275018147968825
Encrypted:	false
Ssdeep:	49152:+/PD/DL/D9CuZrr2h60qPPB+lJJkF9IC966eB+lJJkF9IC966eB+lJJkF9IC966h:+3D///UUrP43m8C/3m8C/3m8C5
Size:	3947920
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Launches processes in debugging mode, may be used to hinder debugging	Anti Debugging	Disable or Modify Tools
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads the hosts file	System Summary	Remote System Discovery
Spawns processes	System Summary	Process Injection
Uses Microsoft Silverlight	System Summary

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER1455.tmp.dmp
Category:	dropped
Dump:	WER1455.tmp.dmp.30.dr
ID:	dr_43
Target ID:	30
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:51 2022, 0x1205a4 type
Entropy:	2.162723789176737
Encrypted:	false
Ssdeep:	768:wOGPMXXKWPMZGelnY29d1TBuFXMyU+VGAHIPlnS8:hXXKWPMZGe5Y29XTBuFXRVGAoPl9
Size:	116820
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER19C5.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER19C5.tmp.WERInternalMetadata.xml.30.dr
ID:	dr_44
Target ID:	30
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.700989303638173
Encrypted:	false
Ssdeep:	192:Rrl7r3GLNi6C+6ZpZX6YqeSUGx+gmfB0SeBCpB2f89bLEsfJZm:RrlsNig6ZnX6YjSUu+gmfOSVL3fG
Size:	8342
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A91.tmp.xml
Category:	dropped
Dump:	WER1A91.tmp.xml.30.dr
ID:	dr_45
Target ID:	30
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.47248095416639
Encrypted:	false
Ssdeep:	48:cvIwSD8zsKJgtWI9UqrWgc8sqYj/8fm8M4JbUZFIK+q86mYrZMjT4d:uITfYvqagrsqY4JwMK6YrZMX4d
Size:	4573
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6095.tmp.dmp
Category:	dropped
Dump:	WER6095.tmp.dmp.2.dr
ID:	dr_11
Target ID:	2
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:05 2022, 0x1205a4 type
Entropy:	2.270123045328824
Encrypted:	false
Ssdeep:	192:rVuX2UmxwtOPolF+4n72zkA8taYKciSgyf97wtWb1oNGELAUV27Gv4Vms6LLoA+S:9xnPQHnuhWf/qN9kk27Gkm/z
Size:	50950
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER62E8.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER62E8.tmp.WERInternalMetadata.xml.2.dr
ID:	dr_12
Target ID:	2
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.7002240972170037
Encrypted:	false
Ssdeep:	192:Rrl7r3GLNi6Cz63g6YqzSUvggmfB0SeBCpBRg89bREsf0OTbm:RrlsNi96w6Y+SUvggmfOSddR3fTO
Size:	8308
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6385.tmp.xml
Category:	dropped
Dump:	WER6385.tmp.xml.2.dr
ID:	dr_13
Target ID:	2
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.4713509172613
Encrypted:	false
Ssdeep:	48:cvIwSD8zsRJgtWI9UqrWgc8sqYjr8fm8M4JbUZF/L+q86mYrZMjT4d:uITfjvqagrsqYkJw36YrZMX4d
Size:	4573
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B15.tmp.dmp
Category:	dropped
Dump:	WER6B15.tmp.dmp.4.dr
ID:	dr_15
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:08 2022, 0x1205a4 type
Entropy:	2.33684318015984
Encrypted:	false
Ssdeep:	384:v/4MP40IYCYP/U1rCf6bgqhQ3qNLkk25GFvAR99mb:fP40ZarCzqhaGokPFU9mb
Size:	64046
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D39.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER6D39.tmp.WERInternalMetadata.xml.4.dr
ID:	dr_16
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.7010978056776356
Encrypted:	false
Ssdeep:	192:Rrl7r3GLNi6Ct6L+6Yq+SUkOgmfB0SeBCpBSV89b0Esf08m:RrlsNiD6i6YzSUkOgmfOSF03fm
Size:	8324
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6DC6.tmp.xml
Category:	dropped
Dump:	WER6DC6.tmp.xml.4.dr
ID:	dr_17
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.472013890568415
Encrypted:	false
Ssdeep:	48:cvIwSD8zsRJgtWI9UqrWgc8sqYjN8fm8M4JbUZF16+q86mYrZMjT4d:uITfjvqagrsqYOJwR66YrZMX4d
Size:	4573
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER73B0.tmp.dmp
Category:	dropped
Dump:	WER73B0.tmp.dmp.6.dr
ID:	dr_21
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:10 2022, 0x1205a4 type
Entropy:	2.028796625566219
Encrypted:	false
Ssdeep:	384:MHuAw4ylPerdhnFJG4vB/qk/PzKhQ3qNLkk25GhgDUh:nA2PeRhV1P+haGokPEUh
Size:	79800
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER7632.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER7632.tmp.WERInternalMetadata.xml.6.dr
ID:	dr_22
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.7040721630788607
Encrypted:	false
Ssdeep:	192:Rrl7r3GLNi6Cj+6a6Yq6SUYAgmfB0SeBCpB189bdEsf8fm:RrlsNid+6a6Y3SUYAgmfOSmd3fJ
Size:	8326
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER76CF.tmp.xml
Category:	dropped
Dump:	WER76CF.tmp.xml.6.dr
ID:	dr_19
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.470885526084952
Encrypted:	false
Ssdeep:	48:cvIwSD8zsRJgtWI9UqrWgc8sqYjA8fm8M4JbUZFy+An7+q86mYrZMjT4d:uITfjvqagrsqYpJw/a76YrZMX4d
Size:	4573
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER7F87.tmp.dmp
Category:	dropped
Dump:	WER7F87.tmp.dmp.8.dr
ID:	dr_23
Target ID:	8
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Tue Oct 4 00:32:13 2022, 0x1205a4 type
Entropy:	2.043851295321239
Encrypted:	false
Ssdeep:	384:ZaAw4xnkPORZwt2PV74vBNqkYPSKhQ3qNLkk2ZGDIanedh:QAlkPORZc2yMPXhaGokbwdh
Size:	79260
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER8209.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER8209.tmp.WERInternalMetadata.xml.8.dr
ID:	dr_24
Target ID:	8
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.7003878701766695
Encrypted:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

IOC Report
file.exe