e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f

General

Target

e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
Size

316KB
MD5

07c19ae7a373c1c7bc7217a44499c668
SHA1

757b45bf6000f48cec14d1d841ca947be904c636
SHA256

e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f
SHA512

edc36c4de66621c7831277eae6ba5879e4e1a5833767af57b3b77b7a4402898f7ed440e9ffa5e5db61dffd5d271e761c53f15dc2ed8716a66d544ad736a4ccf8
SSDEEP

6144:pgUzVP6rNX+ZAQEqjbEY2L/iSiumcZrSf5G8LUu9d:pgl5XGFgaDufZmfZH9d

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

hBdGeCfAhDj24512.exe

pid process

2676 hBdGeCfAhDj24512.exe

pid	process
2676	hBdGeCfAhDj24512.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1740-132-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/1740-134-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/1740-135-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/2676-142-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral2/memory/2676-143-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Program crash 18 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4248	1740	WerFault.exe	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
3736	1740	WerFault.exe	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
4960	2676	WerFault.exe	hBdGeCfAhDj24512.exe
4340	1740	WerFault.exe	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
5028	2676	WerFault.exe	hBdGeCfAhDj24512.exe
2316	2676	WerFault.exe	hBdGeCfAhDj24512.exe
4388	1740	WerFault.exe	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1296	1740	WerFault.exe	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
3308	2676	WerFault.exe	hBdGeCfAhDj24512.exe
3276	2676	WerFault.exe	hBdGeCfAhDj24512.exe
3384	1740	WerFault.exe	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
2080	2676	WerFault.exe	hBdGeCfAhDj24512.exe
1464	1740	WerFault.exe	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1496	2676	WerFault.exe	hBdGeCfAhDj24512.exe
2636	1740	WerFault.exe	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
4328	2676	WerFault.exe	hBdGeCfAhDj24512.exe
4972	2676	WerFault.exe	hBdGeCfAhDj24512.exe
912	1740	WerFault.exe	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe

pid	process
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exehBdGeCfAhDj24512.exe

description	pid	process
Token: SeDebugPrivilege	1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
Token: SeDebugPrivilege	2676	hBdGeCfAhDj24512.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe

description	pid	process	target process
PID 1740 wrote to memory of 2676	1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe	hBdGeCfAhDj24512.exe
PID 1740 wrote to memory of 2676	1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe	hBdGeCfAhDj24512.exe
PID 1740 wrote to memory of 2676	1740	e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe	hBdGeCfAhDj24512.exe

C:\Users\Admin\AppData\Local\Temp\e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe
"C:\Users\Admin\AppData\Local\Temp\e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 624
2⤵
- Program crash
PID:4248

C:\ProgramData\hBdGeCfAhDj24512\hBdGeCfAhDj24512.exe
"C:\ProgramData\hBdGeCfAhDj24512\hBdGeCfAhDj24512.exe" "C:\Users\Admin\AppData\Local\Temp\e7e2780e7c72c181bfd9dcc530bbdc6d7d44aa332a61a70b747f05c1f627536f.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 624
3⤵
- Program crash
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 632
3⤵
- Program crash
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 668
3⤵
- Program crash
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 640
3⤵
- Program crash
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 684
3⤵
- Program crash
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 796
3⤵
- Program crash
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 804
3⤵
- Program crash
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 852
3⤵
- Program crash
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1076
3⤵
- Program crash
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 620
2⤵
- Program crash
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 624
2⤵
- Program crash
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 640
2⤵
- Program crash
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 672
2⤵
- Program crash
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 800
2⤵
- Program crash
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 808
2⤵
- Program crash
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 848
2⤵
- Program crash
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 1060
2⤵
- Program crash
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1740 -ip 1740
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1740 -ip 1740
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2676 -ip 2676
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1740 -ip 1740
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2676 -ip 2676
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2676 -ip 2676
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1740 -ip 1740
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1740 -ip 1740
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2676 -ip 2676
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2676 -ip 2676
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1740 -ip 1740
1⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2676 -ip 2676
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1740 -ip 1740
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2676 -ip 2676
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1740 -ip 1740
1⤵
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2676 -ip 2676
1⤵
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 1740 -ip 1740
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2676 -ip 2676
1⤵
PID:3692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hBdGeCfAhDj24512\hBdGeCfAhDj24512.exe

Filesize
316KB

MD5
09bb8bb9d610a8ac9844e90dbb2cb38f

SHA1
7ac34c4b8236b5cb2f16c49b5fe1047c337ee8af

SHA256
8d68bc122be0859a42630a89e03394ecc09d90949a5afe6137835afef1eaa32e

SHA512
2d5f7259a6b28ee9e90361d731657bf6d4eb1ea66e59edc7f6b7eb2b80461c0b7f42012e72dd0be4a7841be2e56250ccd7ed84c8558b5649ecf4d98ad25bfc98

Download Submit
C:\ProgramData\hBdGeCfAhDj24512\hBdGeCfAhDj24512.exe

Filesize
316KB

MD5
09bb8bb9d610a8ac9844e90dbb2cb38f

SHA1
7ac34c4b8236b5cb2f16c49b5fe1047c337ee8af

SHA256
8d68bc122be0859a42630a89e03394ecc09d90949a5afe6137835afef1eaa32e

SHA512
2d5f7259a6b28ee9e90361d731657bf6d4eb1ea66e59edc7f6b7eb2b80461c0b7f42012e72dd0be4a7841be2e56250ccd7ed84c8558b5649ecf4d98ad25bfc98

Download Submit
memory/1740-132-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1740-134-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1740-135-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2676-136-0x0000000000000000-mapping.dmp

Download
memory/2676-142-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2676-143-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads