34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8

General

Target

34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
Size

14KB
MD5

431e262aa691837df99b5a1d237ace00
SHA1

8dd1d09617315e5ff936a03b04e21d0f6a893cfa
SHA256

34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8
SHA512

29b15b0b92c045b305128b4292da335f7d047ad8b2801e212254311c1fb307f168657f2336516e21ca28bfe6c9b88548aba7cfeb2d2fa18a54f2ab6575560543
SSDEEP

192:95kHA+lVQXEOH40Y3PF9R/3eOzlgNQ7wWHwPYqVyGIb/RWcs/dRhKCvb856:95hIb5d9RmOZr7w9P9yzNWcs/dRk6

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

Processes:

34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\notepad.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\relog.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\schtasks.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\DpiScaling.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\esentutl.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\fontdrvhost.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\PackagedCWALauncher.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\stordiag.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\xwizard.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\chkntfs.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\dxdiag.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\SecEdit.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\Utilman.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\convert.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\ddodiag.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\InfDefaultInstall.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\lodctr.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\timeout.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\cttune.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\edpnotify.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\expand.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\Magnify.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\unregmp2.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\wextract.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\poqexec.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_isv.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\doskey.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\CloudNotifications.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\iscsicli.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\PickerHost.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\regini.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\user.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\bootcfg.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\charmap.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\systray.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\ThumbnailExtractionHost.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\verifiergui.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\driverquery.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\mountvol.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\instnm.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\label.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\ntprint.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\RunLegacyCPLElevated.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesRemote.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\WWAHost.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\cacls.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\DWWIN.EXE	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\mtstocom.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\RdpSaUacHelper.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\dfrgui.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\dpnsvr.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\ktmutil.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\PATHPING.EXE	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\rasdial.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\RpcPing.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\control.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\DevicePairingWizard.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\netbtugc.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\SearchIndexer.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\secinit.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\calc.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\LaunchTM.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\SysWOW64\replace.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe

Drops file in Windows directory 8 IoCs

Processes:

34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe

description	ioc	process
File opened for modification	C:\Windows\winhlp32.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\write.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\bfsvc.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\explorer.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\HelpPane.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\hh.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\notepad.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
File opened for modification	C:\Windows\splwow64.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3848 4656 WerFault.exe 34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe

pid	pid_target	process	target process
3848	4656	WerFault.exe	34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe

C:\Users\Admin\AppData\Local\Temp\34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe
"C:\Users\Admin\AppData\Local\Temp\34807e2d86b44e3ad79c3f38b98b7215f02c9504de79d38aca8b33e0d6b4bcb8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 424
2⤵
- Program crash
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4656 -ip 4656
1⤵
PID:4560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4656-132-0x0000000000200000-0x0000000000206B00-memory.dmp

Filesize
26KB

Download
memory/4656-133-0x0000000000200000-0x0000000000206B00-memory.dmp

Filesize
26KB

Download

Analysis

Sharing