942aeb41ef09b327f315445ccf7ab45a729b4434a14c3cb3be998855e5d11ceb

General

Target

942aeb41ef09b327f315445ccf7ab45a729b4434a14c3cb3be998855e5d11ceb.exe
Size

46KB
MD5

31d8863449a10d592458d6c3429a28e9
SHA1

9fca1ac7ba8e6546240f7f69ec153442044a1667
SHA256

942aeb41ef09b327f315445ccf7ab45a729b4434a14c3cb3be998855e5d11ceb
SHA512

e9e62d0cb61f937a24a9889c9037b6294856fbac74aea55a6c485157b7c3ec1c201b9e00977f9767418174afaf1ef59b48e34e428efea18549970a8605e76328
SSDEEP

768:V1fmtzWr7rgt0iqES3D51gcZNUSbdS+pCsenPl1yU1fLgJxxha510C:E2reUccrU414Pv/g700C

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1088	IEFILES.INI

Loads dropped DLL 5 IoCs

pid	Process
1444	942aeb41ef09b327f315445ccf7ab45a729b4434a14c3cb3be998855e5d11ceb.exe
1444	942aeb41ef09b327f315445ccf7ab45a729b4434a14c3cb3be998855e5d11ceb.exe
664	WerFault.exe
664	WerFault.exe
664	WerFault.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES.INI	942aeb41ef09b327f315445ccf7ab45a729b4434a14c3cb3be998855e5d11ceb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES.INI	942aeb41ef09b327f315445ccf7ab45a729b4434a14c3cb3be998855e5d11ceb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
664	1088	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1444	942aeb41ef09b327f315445ccf7ab45a729b4434a14c3cb3be998855e5d11ceb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1444	942aeb41ef09b327f315445ccf7ab45a729b4434a14c3cb3be998855e5d11ceb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1088	1444	942aeb41ef09b327f315445ccf7ab45a729b4434a14c3cb3be998855e5d11ceb.exe	27
PID 1444 wrote to memory of 1088	1444	942aeb41ef09b327f315445ccf7ab45a729b4434a14c3cb3be998855e5d11ceb.exe	27
PID 1444 wrote to memory of 1088	1444	942aeb41ef09b327f315445ccf7ab45a729b4434a14c3cb3be998855e5d11ceb.exe	27
PID 1444 wrote to memory of 1088	1444	942aeb41ef09b327f315445ccf7ab45a729b4434a14c3cb3be998855e5d11ceb.exe	27
PID 1088 wrote to memory of 664	1088	IEFILES.INI	28
PID 1088 wrote to memory of 664	1088	IEFILES.INI	28
PID 1088 wrote to memory of 664	1088	IEFILES.INI	28
PID 1088 wrote to memory of 664	1088	IEFILES.INI	28

C:\Users\Admin\AppData\Local\Temp\942aeb41ef09b327f315445ccf7ab45a729b4434a14c3cb3be998855e5d11ceb.exe
"C:\Users\Admin\AppData\Local\Temp\942aeb41ef09b327f315445ccf7ab45a729b4434a14c3cb3be998855e5d11ceb.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES.INI
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\\IEFILES.INI"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 88
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES.INI

Filesize
32KB

MD5
a8344d714f7307e99ef6df03e422ada8

SHA1
cc0879e5055766c51cf2d349214b8e1be3fcc777

SHA256
ba254dd12c231a73432badbbd6fc6d8336eaa1a2be4692b2acb65c077f2064f0

SHA512
499be0ad504c51f2da42b30c0542e6932b109a8f3c3a918b82e29ed64684e4553098e04257cdbe8dce90b57f5564bdd3533575dd2caf039361a13aae838cbfad

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES.INI

Filesize
32KB

MD5
a8344d714f7307e99ef6df03e422ada8

SHA1
cc0879e5055766c51cf2d349214b8e1be3fcc777

SHA256
ba254dd12c231a73432badbbd6fc6d8336eaa1a2be4692b2acb65c077f2064f0

SHA512
499be0ad504c51f2da42b30c0542e6932b109a8f3c3a918b82e29ed64684e4553098e04257cdbe8dce90b57f5564bdd3533575dd2caf039361a13aae838cbfad

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES.INI

Filesize
32KB

MD5
a8344d714f7307e99ef6df03e422ada8

SHA1
cc0879e5055766c51cf2d349214b8e1be3fcc777

SHA256
ba254dd12c231a73432badbbd6fc6d8336eaa1a2be4692b2acb65c077f2064f0

SHA512
499be0ad504c51f2da42b30c0542e6932b109a8f3c3a918b82e29ed64684e4553098e04257cdbe8dce90b57f5564bdd3533575dd2caf039361a13aae838cbfad

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES.INI

Filesize
32KB

MD5
a8344d714f7307e99ef6df03e422ada8

SHA1
cc0879e5055766c51cf2d349214b8e1be3fcc777

SHA256
ba254dd12c231a73432badbbd6fc6d8336eaa1a2be4692b2acb65c077f2064f0

SHA512
499be0ad504c51f2da42b30c0542e6932b109a8f3c3a918b82e29ed64684e4553098e04257cdbe8dce90b57f5564bdd3533575dd2caf039361a13aae838cbfad

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES.INI

Filesize
32KB

MD5
a8344d714f7307e99ef6df03e422ada8

SHA1
cc0879e5055766c51cf2d349214b8e1be3fcc777

SHA256
ba254dd12c231a73432badbbd6fc6d8336eaa1a2be4692b2acb65c077f2064f0

SHA512
499be0ad504c51f2da42b30c0542e6932b109a8f3c3a918b82e29ed64684e4553098e04257cdbe8dce90b57f5564bdd3533575dd2caf039361a13aae838cbfad

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES.INI

Filesize
32KB

MD5
a8344d714f7307e99ef6df03e422ada8

SHA1
cc0879e5055766c51cf2d349214b8e1be3fcc777

SHA256
ba254dd12c231a73432badbbd6fc6d8336eaa1a2be4692b2acb65c077f2064f0

SHA512
499be0ad504c51f2da42b30c0542e6932b109a8f3c3a918b82e29ed64684e4553098e04257cdbe8dce90b57f5564bdd3533575dd2caf039361a13aae838cbfad

Download Submit
memory/1088-64-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1088-65-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1444-63-0x0000000002860000-0x0000000002887000-memory.dmp

Filesize
156KB

Download
memory/1444-62-0x0000000002860000-0x0000000002887000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing