Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

LwNdQo4zIk.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.853487844881012
Filename:	LwNdQo4zIk.exe
Filesize:	1034752
MD5:	3ccd6b369eb1dde57d181e7550bd7268
SHA1:	aee399e263c838570c00133feab275b81009e12a
SHA256:	f5717aef9a4323816387603920b652a94ac0d9cedef36391cedd9cdcbfef7f60
SHA512:	00bd3bb981e2a5bd4c30241025f352e9e528d76300e67fcdbe89ee9e12ecbba73b291aebd9b73f73a8aaa32e2a8b2d1b4d49796cdc11a1b891a313cf0a9dcc03
SSDEEP:	24576:RFOWvM7bZBFpXlDpRjJ5JAXVm359Ov9UIrczuX:RguWRNpRjJPgAp9ucz
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................;.Y.......Z.......L.......................K.......[.......^.....Rich............................PE..L....7.b...

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Antivirus or Machine Learning detection for unpacked file	AV Detection	Software Packing
Drops PE files	Persistence and Installation Behavior
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found large amount of non-executed APIs	Malware Analysis System Evasion
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
Sample is known by Antivirus	System Summary
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Contains functionality to enum processes or threads	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Runs a DLL by calling functions	System Summary	Rundll32
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Creates temporary files	System Summary
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
PE file contains a debug data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp
Category:	dropped
Dump:	Pyupydeoe.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\LwNdQo4zIk.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.89627808323015
Encrypted:	false
Ssdeep:	24576:l8Jr+SgWH5UB/VdYQ/N7WqpWaQxYZYBsFn:OJrSBYqLY
Size:	803328
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Creates temporary files	System Summary
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8e16aed3aa5676a94a41f4f83e9862e56aba6f4_82810a17_1425c040\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8e16aed3aa5676a94a41f4f83e9862e56aba6f4_82810a17_1425c040\Report.wer
Category:	dropped
Dump:	Report.wer.3.dr
ID:	dr_4
Target ID:	3
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.9238031503162372
Encrypted:	false
Ssdeep:	96:LPFHcXy6iX0iLoy1j95ax7JRFpXIW/a/z+HbHg/BQAS/YyNl4ttPMLUE+im2kMnj:LNcHiX0oXO5jed+C8/u7sZS274ItWc
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F7A.tmp.dmp

Mini DuMP crash report, 15 streams, Thu Jan 5 16:43:08 2023, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F7A.tmp.dmp
Category:	dropped
Dump:	WER9F7A.tmp.dmp.3.dr
ID:	dr_1
Target ID:	3
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 15 streams, Thu Jan 5 16:43:08 2023, 0x1205a4 type
Entropy:	1.6906140255429625
Encrypted:	false
Ssdeep:	384:aoicjB5LbBGIyA59HVt1L62vdK7NUar8N4T43BK2ui:aYVbBGTYtVfLRdK7No3BFu
Size:	99428
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA20B.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERA20B.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERA20B.tmp.WERInternalMetadata.xml.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.7191879909123386
Encrypted:	false
Ssdeep:	96:RtIU6o7r3GLt3inf06gY8QuSfGEapBCaM4Ur89bcnsfUN0m:Rrl7r3GLNif06gYTuS6Cprr89bcnsfUb
Size:	5888
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA26A.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERA26A.tmp.xml
Category:	dropped
Dump:	WERA26A.tmp.xml.3.dr
ID:	dr_3
Target ID:	3
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.436378949362253
Encrypted:	false
Ssdeep:	48:cvIwSD8zsYJgtWI98W4kWgc8sqYjw8fm8M4JCdsTFMFK+q8/4FfySy4SrS6d:uITfeHW49grsqYBJxFbhFryDW6d
Size:	4616
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\LwNdQo4zIk.exe

Details

Is windows:	false
Is dropped:	false
PID:	1792
Target ID:	0
Parent PID:	3528
Name:	LwNdQo4zIk.exe
Path:	C:\Users\user\Desktop\LwNdQo4zIk.exe
Commandline:	C:\Users\user\Desktop\LwNdQo4zIk.exe
Size:	1034752
MD5:	3CCD6B369EB1DDE57D181E7550BD7268
Time:	08:52:18
Date:	05/01/2023
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1150976
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp",Uprsprhaot

Details

Is windows:	true
Is dropped:	false
PID:	5472
Target ID:	1
Parent PID:	1792
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	"C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp",Uprsprhaot
Size:	61952
MD5:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Time:	08:52:23
Date:	05/01/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa0000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 960

Details

Is windows:	true
Is dropped:	false
PID:	5192
Target ID:	3
Parent PID:	1568
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 960
Size:	434592
MD5:	9E2B8ACAD48ECCA55C0230D63623661B
Time:	08:43:07
Date:	05/01/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xc90000
Modulesize:	442368
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

IPs

Domain

Country

Malicious

192.168.2.1

unknown

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AmiHivePermissionsCorrect

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AmiHiveOwnerCorrect