11e12e20e3688dfd70b7a29b38a2e58f964b891b5fb89c6896c8c0a73c40021d

General

Target

11e12e20e3688dfd70b7a29b38a2e58f964b891b5fb89c6896c8c0a73c40021d.exe
Size

265KB
MD5

c3613bd934dde67b05ba3983fba2bdfd
SHA1

4bbe90eda2a079bd651c442ca0136053ae9b90b8
SHA256

11e12e20e3688dfd70b7a29b38a2e58f964b891b5fb89c6896c8c0a73c40021d
SHA512

54fc5e3b5b06ce6e943447794a67cd435d2bd1b02c19ea2710f7cc7364afded4224c31ddee4de6f531f89c25291d22f2c54ae74a7856827be382c9a90b22da46

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

aumnq.exe

pid process

2416 aumnq.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3392 4220 WerFault.exe 11e12e20e3688dfd70b7a29b38a2e58f964b891b5fb89c6896c8c0a73c40021d.exe

pid	process
2416	aumnq.exe

pid	pid_target	process	target process
3392	4220	WerFault.exe	11e12e20e3688dfd70b7a29b38a2e58f964b891b5fb89c6896c8c0a73c40021d.exe

NTFS ADS 1 IoCs

Processes:

11e12e20e3688dfd70b7a29b38a2e58f964b891b5fb89c6896c8c0a73c40021d.exe

description	ioc	process
File created	\??\c:\programdata\6d6f5f6124\aumnq.exe:Zone.Identifier	11e12e20e3688dfd70b7a29b38a2e58f964b891b5fb89c6896c8c0a73c40021d.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

11e12e20e3688dfd70b7a29b38a2e58f964b891b5fb89c6896c8c0a73c40021d.exeaumnq.exe

description	pid	process	target process
PID 4220 wrote to memory of 2416	4220	11e12e20e3688dfd70b7a29b38a2e58f964b891b5fb89c6896c8c0a73c40021d.exe	aumnq.exe
PID 4220 wrote to memory of 2416	4220	11e12e20e3688dfd70b7a29b38a2e58f964b891b5fb89c6896c8c0a73c40021d.exe	aumnq.exe
PID 4220 wrote to memory of 2416	4220	11e12e20e3688dfd70b7a29b38a2e58f964b891b5fb89c6896c8c0a73c40021d.exe	aumnq.exe
PID 2416 wrote to memory of 4068	2416	aumnq.exe	REG.exe
PID 2416 wrote to memory of 4068	2416	aumnq.exe	REG.exe
PID 2416 wrote to memory of 4068	2416	aumnq.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\11e12e20e3688dfd70b7a29b38a2e58f964b891b5fb89c6896c8c0a73c40021d.exe
"C:\Users\Admin\AppData\Local\Temp\11e12e20e3688dfd70b7a29b38a2e58f964b891b5fb89c6896c8c0a73c40021d.exe"
1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4220

\??\c:\programdata\6d6f5f6124\aumnq.exe
c:\programdata\6d6f5f6124\aumnq.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\6d6f5f6124
3⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 280
2⤵
- Program crash
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4220 -ip 4220
1⤵
PID:2364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\6d6f5f6124\aumnq.exe
Filesize
265KB

MD5
c3613bd934dde67b05ba3983fba2bdfd

SHA1
4bbe90eda2a079bd651c442ca0136053ae9b90b8

SHA256
11e12e20e3688dfd70b7a29b38a2e58f964b891b5fb89c6896c8c0a73c40021d

SHA512
54fc5e3b5b06ce6e943447794a67cd435d2bd1b02c19ea2710f7cc7364afded4224c31ddee4de6f531f89c25291d22f2c54ae74a7856827be382c9a90b22da46

Download Submit
\??\c:\programdata\6d6f5f6124\aumnq.exe
Filesize
265KB

MD5
c3613bd934dde67b05ba3983fba2bdfd

SHA1
4bbe90eda2a079bd651c442ca0136053ae9b90b8

SHA256
11e12e20e3688dfd70b7a29b38a2e58f964b891b5fb89c6896c8c0a73c40021d

SHA512
54fc5e3b5b06ce6e943447794a67cd435d2bd1b02c19ea2710f7cc7364afded4224c31ddee4de6f531f89c25291d22f2c54ae74a7856827be382c9a90b22da46

Download Submit
memory/2416-139-0x0000000002B24000-0x0000000002B2C000-memory.dmp

Filesize
32KB

Download
memory/2416-132-0x0000000000000000-mapping.dmp

Download
memory/2416-138-0x0000000000400000-0x000000000283E000-memory.dmp

Filesize
36.2MB

Download
memory/2416-142-0x0000000002B24000-0x0000000002B2C000-memory.dmp

Filesize
32KB

Download
memory/2416-143-0x0000000000400000-0x000000000283E000-memory.dmp

Filesize
36.2MB

Download
memory/2416-144-0x0000000000400000-0x000000000283E000-memory.dmp

Filesize
36.2MB

Download
memory/4068-141-0x0000000000000000-mapping.dmp

Download
memory/4220-135-0x0000000002995000-0x000000000299C000-memory.dmp

Filesize
28KB

Download
memory/4220-136-0x0000000002950000-0x0000000002959000-memory.dmp

Filesize
36KB

Download
memory/4220-137-0x0000000000400000-0x000000000283E000-memory.dmp

Filesize
36.2MB

Download
memory/4220-130-0x0000000000400000-0x000000000283E000-memory.dmp

Filesize
36.2MB

Download
memory/4220-131-0x0000000002995000-0x000000000299C000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing