1c8ed4600279d1f7c32c1e4b16f8bcdf6f4210fdd550ba96b5a8327dde66858c

General

Target

f0011549f242b69cc3b620f1540c0a0f.exe
Size

142KB
MD5

f0011549f242b69cc3b620f1540c0a0f
SHA1

d44971e1b717b46058a1fecc6b8a19f2b536de85
SHA256

1c8ed4600279d1f7c32c1e4b16f8bcdf6f4210fdd550ba96b5a8327dde66858c
SHA512

f76a36f3b919ee111b938dfc246e5283b1c6e10bbb92bd77a7eb0f8aa98fd2b9c5faad73f563b86379c5e5e2997cb156ddea4905022922870acf7eefb0496d30

Score

8^/10

Malware Config

Signatures

Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

79 api.ipify.org
52 api.ipify.org
64 api.ipify.org
65 api.ipify.org
38 api.ipify.org
39 api.ipify.org
4 api.ipify.org
5 api.ipify.org
23 api.ipify.org

flow	ioc
79	api.ipify.org
52	api.ipify.org
64	api.ipify.org
65	api.ipify.org
38	api.ipify.org
39	api.ipify.org
4	api.ipify.org
5	api.ipify.org
23	api.ipify.org

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
676	788	WerFault.exe	f0011549f242b69cc3b620f1540c0a0f.exe
1472	1236	WerFault.exe	cxbswdg.exe
3736	1236	WerFault.exe	cxbswdg.exe
3992	788	WerFault.exe	f0011549f242b69cc3b620f1540c0a0f.exe
3792	788	WerFault.exe	f0011549f242b69cc3b620f1540c0a0f.exe
572	1236	WerFault.exe	cxbswdg.exe
3944	1236	WerFault.exe	cxbswdg.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	676	WerFault.exe
Token: SeBackupPrivilege	676	WerFault.exe
Token: SeDebugPrivilege	676	WerFault.exe
Token: SeDebugPrivilege	1472	WerFault.exe
Token: SeDebugPrivilege	3736	WerFault.exe
Token: SeDebugPrivilege	3992	WerFault.exe
Token: SeDebugPrivilege	3792	WerFault.exe
Token: SeDebugPrivilege	572	WerFault.exe
Token: SeDebugPrivilege	3944	WerFault.exe

Suspicious behavior: EnumeratesProcesses 95 IoCs

Processes:

WerFault.exef0011549f242b69cc3b620f1540c0a0f.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
788	f0011549f242b69cc3b620f1540c0a0f.exe
788	f0011549f242b69cc3b620f1540c0a0f.exe
1472	WerFault.exe
1472	WerFault.exe
1472	WerFault.exe
1472	WerFault.exe
1472	WerFault.exe
1472	WerFault.exe
1472	WerFault.exe
1472	WerFault.exe
1472	WerFault.exe
1472	WerFault.exe
1472	WerFault.exe
1472	WerFault.exe
1472	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe
3792	WerFault.exe

Executes dropped EXE 1 IoCs

Processes:

cxbswdg.exe

pid process

1236 cxbswdg.exe

pid	process
1236	cxbswdg.exe

Drops file in Windows directory 2 IoCs

Processes:

f0011549f242b69cc3b620f1540c0a0f.exe

description	ioc	process
File created	C:\Windows\Tasks\cxbswdg.job	f0011549f242b69cc3b620f1540c0a0f.exe
File opened for modification	C:\Windows\Tasks\cxbswdg.job	f0011549f242b69cc3b620f1540c0a0f.exe

C:\Users\Admin\AppData\Local\Temp\f0011549f242b69cc3b620f1540c0a0f.exe
"C:\Users\Admin\AppData\Local\Temp\f0011549f242b69cc3b620f1540c0a0f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Drops file in Windows directory
PID:788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 544
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 864
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 876
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3792

C:\ProgramData\jsmw\cxbswdg.exe
C:\ProgramData\jsmw\cxbswdg.exe start
1⤵
- Executes dropped EXE
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 540
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 720
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 876
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 692
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jsmw\cxbswdg.exe

Download Submit
C:\ProgramData\jsmw\cxbswdg.exe

Download Submit
memory/572-29-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/572-32-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/676-2-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/676-3-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/676-5-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/788-1-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/788-0-0x0000000003561000-0x0000000003562000-memory.dmp

Filesize
4KB

Download
memory/1236-9-0x000000000334C000-0x000000000334D000-memory.dmp

Filesize
4KB

Download
memory/1236-10-0x0000000003DD0000-0x0000000003DD1000-memory.dmp

Filesize
4KB

Download
memory/1472-14-0x0000000003B70000-0x0000000003B71000-memory.dmp

Filesize
4KB

Download
memory/1472-11-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/3736-18-0x0000000003A40000-0x0000000003A41000-memory.dmp

Filesize
4KB

Download
memory/3736-15-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/3792-23-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/3792-26-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/3944-33-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/3944-36-0x00000000038D0000-0x00000000038D1000-memory.dmp

Filesize
4KB

Download
memory/3992-19-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/3992-22-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads