c991fe8c6d840624fbf7b46c88514ff6324fea56997929b0a81d97b0f6eb7f88

Analysis

max time kernel
138s
max time network
142s
platform
windows7_x64
resource
win7v20201028
submitted
09-11-2020 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9232ce72a3cf88a3d1442248275c797.exe
Size

977KB
MD5

e9232ce72a3cf88a3d1442248275c797
SHA1

80ccfcbb63dc194ddf3762aaff2b8c8a6b49fc94
SHA256

c991fe8c6d840624fbf7b46c88514ff6324fea56997929b0a81d97b0f6eb7f88
SHA512

ef8de903636d21bf80e0348c5a703e8c38325fa05fa23851e34a2608cb4d7ad927963d51f09adc5ec9e5c86140f9a4bdb5473181fbdc675510b3133384914feb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Decoder.exeDecoder.exe

pid process

1984 Decoder.exe
1980 Decoder.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

812 cmd.exe

pid	process
1984	Decoder.exe
1980	Decoder.exe

pid	process
812	cmd.exe

Loads dropped DLL 10 IoCs

Processes:

WerFault.exeWerFault.exe

pid	process
1524	WerFault.exe
1524	WerFault.exe
1724	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1724	WerFault.exe
1724	WerFault.exe
1724	WerFault.exe
1724	WerFault.exe
1524	WerFault.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1724 1984 WerFault.exe Decoder.exe
1524 1980 WerFault.exe Decoder.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

832 timeout.exe
852 timeout.exe
1720 timeout.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

Decoder.exeDecoder.exe

pid process

1980 Decoder.exe
1984 Decoder.exe

flow	ioc
5	api.ipify.org
6	api.ipify.org

pid	pid_target	process	target process
1724	1984	WerFault.exe	Decoder.exe
1524	1980	WerFault.exe	Decoder.exe

pid	process
832	timeout.exe
852	timeout.exe
1720	timeout.exe

pid	process
1980	Decoder.exe
1984	Decoder.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

WerFault.exeWerFault.exe

pid	process
1524	WerFault.exe
1724	WerFault.exe
1524	WerFault.exe
1724	WerFault.exe
1524	WerFault.exe
1724	WerFault.exe
1524	WerFault.exe
1724	WerFault.exe
1724	WerFault.exe
1524	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1724 WerFault.exe

pid	process
1724	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e9232ce72a3cf88a3d1442248275c797.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	844	e9232ce72a3cf88a3d1442248275c797.exe
Token: SeDebugPrivilege	1524	WerFault.exe
Token: SeDebugPrivilege	1724	WerFault.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

e9232ce72a3cf88a3d1442248275c797.execmd.execmd.execmd.exeDecoder.exeDecoder.exe

description	pid	process	target process
PID 844 wrote to memory of 564	844	e9232ce72a3cf88a3d1442248275c797.exe	cmd.exe
PID 844 wrote to memory of 564	844	e9232ce72a3cf88a3d1442248275c797.exe	cmd.exe
PID 844 wrote to memory of 564	844	e9232ce72a3cf88a3d1442248275c797.exe	cmd.exe
PID 844 wrote to memory of 1464	844	e9232ce72a3cf88a3d1442248275c797.exe	cmd.exe
PID 844 wrote to memory of 1464	844	e9232ce72a3cf88a3d1442248275c797.exe	cmd.exe
PID 844 wrote to memory of 1464	844	e9232ce72a3cf88a3d1442248275c797.exe	cmd.exe
PID 844 wrote to memory of 812	844	e9232ce72a3cf88a3d1442248275c797.exe	cmd.exe
PID 844 wrote to memory of 812	844	e9232ce72a3cf88a3d1442248275c797.exe	cmd.exe
PID 844 wrote to memory of 812	844	e9232ce72a3cf88a3d1442248275c797.exe	cmd.exe
PID 812 wrote to memory of 832	812	cmd.exe	timeout.exe
PID 812 wrote to memory of 832	812	cmd.exe	timeout.exe
PID 812 wrote to memory of 832	812	cmd.exe	timeout.exe
PID 564 wrote to memory of 852	564	cmd.exe	timeout.exe
PID 564 wrote to memory of 852	564	cmd.exe	timeout.exe
PID 564 wrote to memory of 852	564	cmd.exe	timeout.exe
PID 1464 wrote to memory of 1720	1464	cmd.exe	timeout.exe
PID 1464 wrote to memory of 1720	1464	cmd.exe	timeout.exe
PID 1464 wrote to memory of 1720	1464	cmd.exe	timeout.exe
PID 1464 wrote to memory of 1980	1464	cmd.exe	Decoder.exe
PID 564 wrote to memory of 1984	564	cmd.exe	Decoder.exe
PID 1464 wrote to memory of 1980	1464	cmd.exe	Decoder.exe
PID 564 wrote to memory of 1984	564	cmd.exe	Decoder.exe
PID 1464 wrote to memory of 1980	1464	cmd.exe	Decoder.exe
PID 564 wrote to memory of 1984	564	cmd.exe	Decoder.exe
PID 1464 wrote to memory of 1980	1464	cmd.exe	Decoder.exe
PID 564 wrote to memory of 1984	564	cmd.exe	Decoder.exe
PID 1980 wrote to memory of 1524	1980	Decoder.exe	WerFault.exe
PID 1980 wrote to memory of 1524	1980	Decoder.exe	WerFault.exe
PID 1980 wrote to memory of 1524	1980	Decoder.exe	WerFault.exe
PID 1980 wrote to memory of 1524	1980	Decoder.exe	WerFault.exe
PID 1984 wrote to memory of 1724	1984	Decoder.exe	WerFault.exe
PID 1984 wrote to memory of 1724	1984	Decoder.exe	WerFault.exe
PID 1984 wrote to memory of 1724	1984	Decoder.exe	WerFault.exe
PID 1984 wrote to memory of 1724	1984	Decoder.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\e9232ce72a3cf88a3d1442248275c797.exe
"C:\Users\Admin\AppData\Local\Temp\e9232ce72a3cf88a3d1442248275c797.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:852

C:\Users\Admin\AppData\Local\Temp\Decoder.exe
"C:\Users\Admin\AppData\Local\Temp\\\Decoder.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 548
4⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1720

C:\Users\Admin\AppData\Local\Temp\Decoder.exe
"C:\Users\Admin\AppData\Local\Temp\\\Decoder.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 548
4⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA3CA.tmp.cmd""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.cmd
MD5
9f3bfaf16ddc6ef0e164ff718feaa75c

SHA1
b5ea860963f06f503dcaf8e7ee03b29237ace64f

SHA256
02d917932135b74c6e275f4e4d6626d14ce4f05957f8d0c2d81fe50c13836d40

SHA512
3c32d2fdb75c526ce7853936cc89efa61eb77ad95112cb19ab519da29b0211717f36bcb3d8928e5dca7e296c9b542537cce316c4e011ed357681a081fefac9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA3CA.tmp.cmd
MD5
f0e75ced1c41c2d2f4abf18af6452e52

SHA1
3e67644dfbac46e0c233c0b2b576691e34a427f7

SHA256
1875c14faf28fae97495aaa6640b6dd037ae15791a81756f35d4d2e42523c197

SHA512
6a0e758e66962f716ac99f8e483cf3889aa5aadc9aa00417e84f6c9dd71b576e242bfe5f9b642c35717eac132361739f51ab266514de8db96d8b7b97743cef87

Download Submit
\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
\Users\Admin\AppData\Local\Temp\Decoder.exe
MD5
e37021a3f1418f0e8e16fbcaeb983208

SHA1
7d800522aae223974b99775f8b56be8029474276

SHA256
9d19d1befd5def35739d3e1fd3432fde6a11577c393a8ffe3651bb170fba9eab

SHA512
49f643e9068ac68effdd597ebe89680d4e6a7d19b2b2c89bb71c3accd333ac8f20216be0f5f4bd13d0f709755332d7dab0a4f99591e1a3176de0fdfccb2f7adf

Download Submit
memory/564-4-0x0000000000000000-mapping.dmp

Download
memory/812-6-0x0000000000000000-mapping.dmp

Download
memory/832-9-0x0000000000000000-mapping.dmp

Download
memory/844-1-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/844-3-0x000000001AB50000-0x000000001ABC0000-memory.dmp

Filesize
448KB

Download
memory/844-0-0x000007FEF6120000-0x000007FEF6B0C000-memory.dmp

Filesize
9.9MB

Download
memory/852-10-0x0000000000000000-mapping.dmp

Download
memory/1464-5-0x0000000000000000-mapping.dmp

Download
memory/1524-45-0x0000000002410000-0x0000000002421000-memory.dmp

Filesize
68KB

Download
memory/1524-25-0x0000000000000000-mapping.dmp

Download
memory/1524-27-0x0000000001FD0000-0x0000000001FE1000-memory.dmp

Filesize
68KB

Download
memory/1720-11-0x0000000000000000-mapping.dmp

Download
memory/1724-46-0x0000000002540000-0x0000000002551000-memory.dmp

Filesize
68KB

Download
memory/1724-28-0x0000000001E60000-0x0000000001E71000-memory.dmp

Filesize
68KB

Download
memory/1724-26-0x0000000000000000-mapping.dmp

Download
memory/1980-13-0x0000000000000000-mapping.dmp

Download
memory/1980-43-0x0000000000000000-mapping.dmp

Download
memory/1980-20-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/1980-16-0x0000000000000000-mapping.dmp

Download
memory/1980-37-0x0000000000000000-mapping.dmp

Download
memory/1980-39-0x0000000000000000-mapping.dmp

Download
memory/1980-41-0x0000000000000000-mapping.dmp

Download
memory/1984-21-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/1984-42-0x0000000000000000-mapping.dmp

Download
memory/1984-44-0x0000000000000000-mapping.dmp

Download
memory/1984-40-0x0000000000000000-mapping.dmp

Download
memory/1984-19-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/1984-14-0x0000000000000000-mapping.dmp

Download
memory/1984-15-0x0000000000000000-mapping.dmp

Download
memory/1984-38-0x0000000000000000-mapping.dmp

Download