f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889

Analysis

max time kernel
131s
max time network
127s
platform
windows7_x64
resource
win7v20201028
submitted
06-11-2020 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe
Size

978KB
MD5

6e8498b91bf1a607f76bc04b2ad2fa70
SHA1

95e1904c2f67cd364b8b386e5ccdd33edcd4955c
SHA256

f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889
SHA512

00553a4611ec8badd707471ca53cebdc6cb876043a2e52522fb058369c228cfcf9fadb105795177bec50cc181c54879ab3cab74009ed2828ea96268c3dbcd172

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Decoder.exeDecoder.exe

pid process

608 Decoder.exe
1256 Decoder.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

464 cmd.exe

pid	process
608	Decoder.exe
1256	Decoder.exe

pid	process
464	cmd.exe

Loads dropped DLL 10 IoCs

Processes:

WerFault.exeWerFault.exe

pid	process
1084	WerFault.exe
1084	WerFault.exe
1084	WerFault.exe
1084	WerFault.exe
672	WerFault.exe
672	WerFault.exe
672	WerFault.exe
672	WerFault.exe
1084	WerFault.exe
672	WerFault.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1084 608 WerFault.exe Decoder.exe
672 1256 WerFault.exe Decoder.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

1496 timeout.exe
836 timeout.exe
1424 timeout.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

Decoder.exeDecoder.exe

pid process

608 Decoder.exe
1256 Decoder.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

pid	pid_target	process	target process
1084	608	WerFault.exe	Decoder.exe
672	1256	WerFault.exe	Decoder.exe

pid	process
1496	timeout.exe
836	timeout.exe
1424	timeout.exe

pid	process
608	Decoder.exe
1256	Decoder.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

WerFault.exeWerFault.exe

pid	process
1084	WerFault.exe
672	WerFault.exe
672	WerFault.exe
1084	WerFault.exe
672	WerFault.exe
1084	WerFault.exe
672	WerFault.exe
1084	WerFault.exe
672	WerFault.exe
1084	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1084 WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1824	f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe
Token: SeDebugPrivilege	1084	WerFault.exe
Token: SeDebugPrivilege	672	WerFault.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.execmd.execmd.execmd.exeDecoder.exeDecoder.exe

description	pid	process	target process
PID 1824 wrote to memory of 1640	1824	f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe	cmd.exe
PID 1824 wrote to memory of 1640	1824	f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe	cmd.exe
PID 1824 wrote to memory of 1640	1824	f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe	cmd.exe
PID 1824 wrote to memory of 1080	1824	f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe	cmd.exe
PID 1824 wrote to memory of 1080	1824	f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe	cmd.exe
PID 1824 wrote to memory of 1080	1824	f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe	cmd.exe
PID 1824 wrote to memory of 464	1824	f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe	cmd.exe
PID 1824 wrote to memory of 464	1824	f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe	cmd.exe
PID 1824 wrote to memory of 464	1824	f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe	cmd.exe
PID 1080 wrote to memory of 1496	1080	cmd.exe	timeout.exe
PID 1080 wrote to memory of 1496	1080	cmd.exe	timeout.exe
PID 1080 wrote to memory of 1496	1080	cmd.exe	timeout.exe
PID 1640 wrote to memory of 1424	1640	cmd.exe	timeout.exe
PID 1640 wrote to memory of 1424	1640	cmd.exe	timeout.exe
PID 1640 wrote to memory of 1424	1640	cmd.exe	timeout.exe
PID 464 wrote to memory of 836	464	cmd.exe	timeout.exe
PID 464 wrote to memory of 836	464	cmd.exe	timeout.exe
PID 464 wrote to memory of 836	464	cmd.exe	timeout.exe
PID 1640 wrote to memory of 608	1640	cmd.exe	Decoder.exe
PID 1640 wrote to memory of 608	1640	cmd.exe	Decoder.exe
PID 1640 wrote to memory of 608	1640	cmd.exe	Decoder.exe
PID 1640 wrote to memory of 608	1640	cmd.exe	Decoder.exe
PID 1080 wrote to memory of 1256	1080	cmd.exe	Decoder.exe
PID 1080 wrote to memory of 1256	1080	cmd.exe	Decoder.exe
PID 1080 wrote to memory of 1256	1080	cmd.exe	Decoder.exe
PID 1080 wrote to memory of 1256	1080	cmd.exe	Decoder.exe
PID 608 wrote to memory of 1084	608	Decoder.exe	WerFault.exe
PID 608 wrote to memory of 1084	608	Decoder.exe	WerFault.exe
PID 608 wrote to memory of 1084	608	Decoder.exe	WerFault.exe
PID 608 wrote to memory of 1084	608	Decoder.exe	WerFault.exe
PID 1256 wrote to memory of 672	1256	Decoder.exe	WerFault.exe
PID 1256 wrote to memory of 672	1256	Decoder.exe	WerFault.exe
PID 1256 wrote to memory of 672	1256	Decoder.exe	WerFault.exe
PID 1256 wrote to memory of 672	1256	Decoder.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe
"C:\Users\Admin\AppData\Local\Temp\f0ca23d101868cd75aed85f10eda2c0067e7de7f81f84eee0232e9cd5f319889.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1424

C:\Users\Admin\AppData\Local\Temp\Decoder.exe
"C:\Users\Admin\AppData\Local\Temp\\\Decoder.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 540
4⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1496

C:\Users\Admin\AppData\Local\Temp\Decoder.exe
"C:\Users\Admin\AppData\Local\Temp\\\Decoder.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 544
4⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1EA4.tmp.cmd""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.cmd
MD5
9f3bfaf16ddc6ef0e164ff718feaa75c

SHA1
b5ea860963f06f503dcaf8e7ee03b29237ace64f

SHA256
02d917932135b74c6e275f4e4d6626d14ce4f05957f8d0c2d81fe50c13836d40

SHA512
3c32d2fdb75c526ce7853936cc89efa61eb77ad95112cb19ab519da29b0211717f36bcb3d8928e5dca7e296c9b542537cce316c4e011ed357681a081fefac9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1EA4.tmp.cmd
MD5
f55991d1cf56a2c72ef12fdbaa6390a0

SHA1
7b6bded6b3ba2751001093165c8c137f20f14faa

SHA256
0f448b1f3e64290fe67abffbbfe2d482a689ed666c6167a9ca28a6e060d7533b

SHA512
47e1b9e001466ab1d69743cd56dbc7f7df5ce8d61200abfe1ef1c928df6d64a03cf0a11e2a132677355c4239329649cbe847be06ea447ecfa0f675b9d9a75a40

Download Submit
\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
memory/464-6-0x0000000000000000-mapping.dmp

Download
memory/608-37-0x0000000000000000-mapping.dmp

Download
memory/608-15-0x0000000000000000-mapping.dmp

Download
memory/608-43-0x0000000000000000-mapping.dmp

Download
memory/608-19-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/608-21-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/608-41-0x0000000000000000-mapping.dmp

Download
memory/608-13-0x0000000000000000-mapping.dmp

Download
memory/608-39-0x0000000000000000-mapping.dmp

Download
memory/672-26-0x0000000000000000-mapping.dmp

Download
memory/672-28-0x0000000001F30000-0x0000000001F41000-memory.dmp

Filesize
68KB

Download
memory/672-46-0x0000000002510000-0x0000000002521000-memory.dmp

Filesize
68KB

Download
memory/836-11-0x0000000000000000-mapping.dmp

Download
memory/1080-5-0x0000000000000000-mapping.dmp

Download
memory/1084-25-0x0000000000000000-mapping.dmp

Download
memory/1084-27-0x0000000001D00000-0x0000000001D11000-memory.dmp

Filesize
68KB

Download
memory/1084-45-0x0000000002550000-0x0000000002561000-memory.dmp

Filesize
68KB

Download
memory/1256-16-0x0000000000000000-mapping.dmp

Download
memory/1256-38-0x0000000000000000-mapping.dmp

Download
memory/1256-40-0x0000000000000000-mapping.dmp

Download
memory/1256-42-0x0000000000000000-mapping.dmp

Download
memory/1256-20-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/1256-44-0x0000000000000000-mapping.dmp

Download
memory/1256-14-0x0000000000000000-mapping.dmp

Download
memory/1424-9-0x0000000000000000-mapping.dmp

Download
memory/1496-8-0x0000000000000000-mapping.dmp

Download
memory/1640-4-0x0000000000000000-mapping.dmp

Download
memory/1824-0-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/1824-3-0x000000001AD70000-0x000000001ADE0000-memory.dmp

Filesize
448KB

Download
memory/1824-1-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download