3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759

Analysis

Target

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe
Size

1.8MB
MD5

b826bb2b62dab956a48a12d4e27ea3a5
SHA1

b3dfdb88640cfad86d42d7f65bc70fb7831076c0
SHA256

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759
SHA512

c15233dedf2fc24de8d8f5f01c63e98a2844c18303dc3b10528e1441067c1b1f85a32f417027ea90a7f4c82764cf2a53482300e8af54a4055c0cfa4c713c2c03

Score

10^/10

suricata

suricata: ET MALWARE Legion Loader Activity Observed (suspira)
suricata: ET MALWARE Legion Loader Activity Observed (suspira)
suricata
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 1 IoCs

pid	pid_target	Process	procid_target
580	1796	WerFault.exe	24

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1796	3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe
1796	3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 580	1796	3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe	30
PID 1796 wrote to memory of 580	1796	3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe	30
PID 1796 wrote to memory of 580	1796	3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe	30
PID 1796 wrote to memory of 580	1796	3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe	30

C:\Users\Admin\AppData\Local\Temp\3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe
"C:\Users\Admin\AppData\Local\Temp\3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 872
  2⤵
  - Program crash
  PID:580

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

memory/1796-54-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download