34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8

General

Target

34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
Size

14KB
MD5

431e262aa691837df99b5a1d237ace00
SHA1

8dd1d09617315e5ff936a03b04e21d0f6a893cfa
SHA256

34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8
SHA512

29b15b0b92c045b305128b4292da335f7d047ad8b2801e212254311c1fb307f168657f2336516e21ca28bfe6c9b88548aba7cfeb2d2fa18a54f2ab6575560543
SSDEEP

192:95kHA+lVQXEOH40Y3PF9R/3eOzlgNQ7wWHwPYqVyGIb/RWcs/dRhKCvb856:95hIb5d9RmOZr7w9P9yzNWcs/dRk6

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

Processes:

WerFault.exe

pid process

572 WerFault.exe
572 WerFault.exe
572 WerFault.exe
572 WerFault.exe
572 WerFault.exe

pid	process
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe

Drops file in System32 directory 64 IoCs

Processes:

34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\find.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\mstsc.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\sdbinst.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\systray.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\at.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\dplaysvr.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\certutil.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\ComputerDefaults.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\rekeywiz.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\SearchProtocolHost.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\autoconv.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\regedt32.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\MRINFO.EXE	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\msinfo32.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\odbcad32.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\SecEdit.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\convert.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\fixmapi.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\dllhst3g.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\sort.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesPerformance.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\xwizard.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\regini.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\runonce.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\powercfg.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\TSTheme.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\forfiles.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\icardagt.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\credwiz.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\netbtugc.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\xpsrchvw.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\bitsadmin.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\cipher.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\winver.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\net.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\print.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\SyncHost.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\attrib.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\RegisterIEPKEYs.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\OptionalFeatures.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\PkgMgr.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\poqexec.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\TCPSVCS.EXE	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\wusa.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\diskraid.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\ntkrnlpa.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\verifier.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\eventvwr.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\Robocopy.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\sdchange.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\setx.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\taskkill.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\xcopy.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\ddodiag.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\driverquery.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\setupSNK.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\InfDefaultInstall.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_ssp.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\msiexec.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\write.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\clip.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\DpiScaling.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\relog.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe

Drops file in Windows directory 11 IoCs

Processes:

34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe

description	ioc	process
File opened for modification	C:\Windows\twunk_16.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\twunk_32.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\bfsvc.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\fveupdate.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\splwow64.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\notepad.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\winhlp32.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\write.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\explorer.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\HelpPane.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\hh.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

572 584 WerFault.exe 34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe

pid	pid_target	process	target process
572	584	WerFault.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe

description	pid	process	target process
PID 584 wrote to memory of 572	584	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe	WerFault.exe
PID 584 wrote to memory of 572	584	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe	WerFault.exe
PID 584 wrote to memory of 572	584	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe	WerFault.exe
PID 584 wrote to memory of 572	584	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
"C:\Users\Admin\AppData\Local\Temp\34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 132
2⤵
- Loads dropped DLL
- Program crash
PID:572

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
Filesize
14KB

MD5
431e262aa691837df99b5a1d237ace00

SHA1
8dd1d09617315e5ff936a03b04e21d0f6a893cfa

SHA256
34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8

SHA512
29b15b0b92c045b305128b4292da335f7d047ad8b2801e212254311c1fb307f168657f2336516e21ca28bfe6c9b88548aba7cfeb2d2fa18a54f2ab6575560543

Download Submit
\Users\Admin\AppData\Local\Temp\34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
Filesize
14KB

MD5
431e262aa691837df99b5a1d237ace00

SHA1
8dd1d09617315e5ff936a03b04e21d0f6a893cfa

SHA256
34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8

SHA512
29b15b0b92c045b305128b4292da335f7d047ad8b2801e212254311c1fb307f168657f2336516e21ca28bfe6c9b88548aba7cfeb2d2fa18a54f2ab6575560543

Download Submit
\Users\Admin\AppData\Local\Temp\34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
Filesize
14KB

MD5
431e262aa691837df99b5a1d237ace00

SHA1
8dd1d09617315e5ff936a03b04e21d0f6a893cfa

SHA256
34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8

SHA512
29b15b0b92c045b305128b4292da335f7d047ad8b2801e212254311c1fb307f168657f2336516e21ca28bfe6c9b88548aba7cfeb2d2fa18a54f2ab6575560543

Download Submit
\Users\Admin\AppData\Local\Temp\34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
Filesize
14KB

MD5
431e262aa691837df99b5a1d237ace00

SHA1
8dd1d09617315e5ff936a03b04e21d0f6a893cfa

SHA256
34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8

SHA512
29b15b0b92c045b305128b4292da335f7d047ad8b2801e212254311c1fb307f168657f2336516e21ca28bfe6c9b88548aba7cfeb2d2fa18a54f2ab6575560543

Download Submit
\Users\Admin\AppData\Local\Temp\34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
Filesize
14KB

MD5
431e262aa691837df99b5a1d237ace00

SHA1
8dd1d09617315e5ff936a03b04e21d0f6a893cfa

SHA256
34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8

SHA512
29b15b0b92c045b305128b4292da335f7d047ad8b2801e212254311c1fb307f168657f2336516e21ca28bfe6c9b88548aba7cfeb2d2fa18a54f2ab6575560543

Download Submit
memory/572-55-0x0000000000000000-mapping.dmp

Download
memory/584-54-0x0000000000170000-0x0000000000176B00-memory.dmp

Filesize
26KB

Download
memory/584-61-0x0000000000170000-0x0000000000176B00-memory.dmp

Filesize
26KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads