Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Ou0ZT4968y.exe

PE32 executable (console) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	6.805543225209493
Filename:	Ou0ZT4968y.exe
Filesize:	3838464
MD5:	27b75158dcfeba6b3419bdbb15397584
SHA1:	8a135c4fc3fa7e06bf29537f9cb0298cc2f1c1de
SHA256:	a6ffd97ca5d47f2251a53ccd3ab891a9fec5b7d0f316b4c11e7d88f19765b1b4
SHA512:	eb9acc530d9c20dc26a00489572fe5b21075181f5f25d6598ebd5292aef5bbce9c2dc89fac04201ea7ce5c5faec545e44c02e54356ae6dfda7d2f70255a930b3
SSDEEP:	49152:YI2A2+xup+pRTSHO1c6R7heQLqPqW7SdZ8iyTgyfw91m0tfSl8TtVlkQb9Hmv3IS:FneShqwhb/lkHv3IzT
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K,..B..B..B..AA..B..AG..B..AF..B..AC..B..C..B..PF..B..PA..B..PG..B..PG..B..P@..B.Rich.*B.................PE..L..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Creates a DirectInput object (often for capturing keystrokes)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Uses 32bit PE files	Compliance, System Summary
One or more processes crash	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the PEB	Anti Debugging	Security Software Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information Security Software Discovery
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion Security Software Discovery
PE file contains sections with non-standard names	Data Obfuscation
Detected potential crypto function	System Summary	System Time Discovery Archive Collected Data Encrypted Channel
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Found large amount of non-executed APIs	Malware Analysis System Evasion	System Time Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
PE file contains an invalid data directory	System Summary
Sample is known by Antivirus	System Summary
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Found strings which match to known social media urls	Networking
URLs found in memory or binary data	Networking
Contains functionality to query local / system time	Language, Device and Operating System Detection
SQL strings found in memory and binary data	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ou0ZT4968y.exe_6d94c01abebf2aab25e322aa91a877df2b8acdd6_dac8cab9_0497fefa\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ou0ZT4968y.exe_6d94c01abebf2aab25e322aa91a877df2b8acdd6_dac8cab9_0497fefa\Report.wer
Category:	dropped
Dump:	Report.wer.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.6333673483266187
Encrypted:	false
Ssdeep:	96:BaF+Bywfq7hooI7Rj6tpXIQcQvc6QcEDMcw3Dz+HbHg6ZAXGng5FMTPSkvPkpXmt:YUEgKHBUZMXwjE/u7sYS274Ithd
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file contains an invalid data directory	System Summary
Found strings which match to known social media urls	Networking
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDFF8.tmp.dmp

Mini DuMP crash report, 14 streams, Fri Nov 25 03:47:14 2022, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERDFF8.tmp.dmp
Category:	dropped
Dump:	WERDFF8.tmp.dmp.4.dr
ID:	dr_1
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Fri Nov 25 03:47:14 2022, 0x1205a4 type
Entropy:	2.034850742153558
Encrypted:	false
Ssdeep:	192:IiBN776wEO8SUgESYjTTf0LwS6VbwiVB:BL8SUgEnWU
Size:	19308
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1AF.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1AF.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERE1AF.tmp.WERInternalMetadata.xml.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.7002308627041924
Encrypted:	false
Ssdeep:	192:Rrl7r3GLNisWM6IrhYI6YqLSUdQLgmfZS/4CprR89bigsf9Z2m:RrlsNie6IrhYI6YWSUd0gmfZSWizfj
Size:	8414
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE24C.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERE24C.tmp.xml
Category:	dropped
Dump:	WERE24C.tmp.xml.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.485959521931812
Encrypted:	false
Ssdeep:	48:cvIwSD8zsEJgtWI9g+Wgc8sqYjI/8fm8M4J2mGMFqVDBQj+q8vFmGw++opNYed:uITfCz/grsqYNJW/DBQjKT95pNYed
Size:	4704
Whitelisted:	false
Reputation:	low

\Device\ConDrv

ASCII text, with no line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Ou0ZT4968y.exe
Type:	ASCII text, with no line terminators
Entropy:	1.0
Encrypted:	false
Ssdeep:	3:E:E
Size:	2
Whitelisted:	true
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Ou0ZT4968y.exe

Details

Is windows:	false
Is dropped:	false
PID:	4204
Target ID:	0
Parent PID:	3452
Name:	Ou0ZT4968y.exe
Path:	C:\Users\user\Desktop\Ou0ZT4968y.exe
Commandline:	C:\Users\user\Desktop\Ou0ZT4968y.exe
Size:	3838464
MD5:	27B75158DCFEBA6B3419BDBB15397584
Time:	19:47:01
Date:	24/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1150000
Modulesize:	3858432
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file contains an invalid data directory	System Summary
Found strings which match to known social media urls	Networking
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Details

Is windows:	true
Is dropped:	false
PID:	6096
Target ID:	2
Parent PID:	4204
Name:	vbc.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Size:	2688096
MD5:	B3A917344F5610BEEC562556F11300FA
Time:	19:47:10
Date:	24/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x2c0000
Modulesize:	2695168
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3520
Target ID:	1
Parent PID:	4204
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	625664
MD5:	EA777DEEA782E8B4D7C7C33BBF8A4496
Time:	19:47:02
Date:	24/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff745070000
Modulesize:	651264
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 144

Details

Is windows:	true
Is dropped:	false
PID:	1216
Target ID:	4
Parent PID:	4204
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 144
Size:	434592
MD5:	9E2B8ACAD48ECCA55C0230D63623661B
Time:	19:47:12
Date:	24/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe20000
Modulesize:	442368
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t

unknown

https://gcc.gnu.org/bugs/):

unknown

Details

Name:	https://gcc.gnu.org/bugs/):
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\Ou0ZT4968y.exe
Source:	Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://sectigo.com/CPS0

unknown

https://studio.youtube.comSAPISIDHASH

unknown

https://studio.youtube.comX-Originapplication/jsonContent-TypesessionTokenctx

unknown

Details

Name:	https://studio.youtube.comX-Originapplication/jsonContent-TypesessionTokenctx
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\Ou0ZT4968y.exe
Source:	Ou0ZT4968y.exe, 00000000.00000000.262227634.000000000120A000.00000004.00000001.01000000.00000003.sdmp, Ou0ZT4968y.exe, 00000000.00000003.260801348.000000000103F000.00000040.00001000.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://ocsp.sectigo.com0

unknown

https://studio.youtube.com

unknown

https://studio.youtube.com/reauth

unknown

http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#

unknown

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AmiHivePermissionsCorrect

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AmiHiveOwnerCorrect