8f984c865b14a0b60b96e4eda4af481ab5e3bb6f4d6b7145dcca9b3d4c3635a6

General

Target

8f984c865b14a0b60b96e4eda4af481ab5e3bb6f4d6b7145dcca9b3d4c3635a6.exe
Size

1012KB
MD5

c0acbfffc41a6a889543ac375d1b5193
SHA1

d673f7ea25ded99e9785968a762d31f1c7e35bfc
SHA256

8f984c865b14a0b60b96e4eda4af481ab5e3bb6f4d6b7145dcca9b3d4c3635a6
SHA512

ad5c8777d312be53be3a665e8aa845fbae2befcff8e5de9259a12e5f6db8e1808f2c90989fd8814ddc23b82e8e1a30d6387b56d459f519073b033b64df4c0fd3
SSDEEP

24576:EROUsQevKGvRIt1CSoa/ZSL77Lv+f6T8E:Ops1KGvqt1C/gwbD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4612	8f984c865b14a0b60b96e4eda4af481ab5e3bb6f4d6b7145dcca9b3d4c3635a6.exe

Executes dropped EXE 1 IoCs

pid	Process
4612	8f984c865b14a0b60b96e4eda4af481ab5e3bb6f4d6b7145dcca9b3d4c3635a6.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 12 IoCs

pid	pid_target	Process	procid_target
1820	4612	WerFault.exe	94
1316	4612	WerFault.exe	94
2516	4612	WerFault.exe	94
4076	4612	WerFault.exe	94
5064	4612	WerFault.exe	94
3084	4612	WerFault.exe	94
4344	4612	WerFault.exe	94
1476	4612	WerFault.exe	94
1732	4612	WerFault.exe	94
2192	4612	WerFault.exe	94
2560	4612	WerFault.exe	94
4792	4612	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4612	8f984c865b14a0b60b96e4eda4af481ab5e3bb6f4d6b7145dcca9b3d4c3635a6.exe
4612	8f984c865b14a0b60b96e4eda4af481ab5e3bb6f4d6b7145dcca9b3d4c3635a6.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4720	8f984c865b14a0b60b96e4eda4af481ab5e3bb6f4d6b7145dcca9b3d4c3635a6.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4612	8f984c865b14a0b60b96e4eda4af481ab5e3bb6f4d6b7145dcca9b3d4c3635a6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 4612	4720	8f984c865b14a0b60b96e4eda4af481ab5e3bb6f4d6b7145dcca9b3d4c3635a6.exe	94
PID 4720 wrote to memory of 4612	4720	8f984c865b14a0b60b96e4eda4af481ab5e3bb6f4d6b7145dcca9b3d4c3635a6.exe	94
PID 4720 wrote to memory of 4612	4720	8f984c865b14a0b60b96e4eda4af481ab5e3bb6f4d6b7145dcca9b3d4c3635a6.exe	94

C:\Users\Admin\AppData\Local\Temp\8f984c865b14a0b60b96e4eda4af481ab5e3bb6f4d6b7145dcca9b3d4c3635a6.exe
"C:\Users\Admin\AppData\Local\Temp\8f984c865b14a0b60b96e4eda4af481ab5e3bb6f4d6b7145dcca9b3d4c3635a6.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Local\Temp\8f984c865b14a0b60b96e4eda4af481ab5e3bb6f4d6b7145dcca9b3d4c3635a6.exe
  C:\Users\Admin\AppData\Local\Temp\8f984c865b14a0b60b96e4eda4af481ab5e3bb6f4d6b7145dcca9b3d4c3635a6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 344
    3⤵
    - Program crash
    PID:1820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 632
    3⤵
    - Program crash
    PID:1316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 652
    3⤵
    - Program crash
    PID:2516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 640
    3⤵
    - Program crash
    PID:4076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 720
    3⤵
    - Program crash
    PID:5064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 920
    3⤵
    - Program crash
    PID:3084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1408
    3⤵
    - Program crash
    PID:4344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1464
    3⤵
    - Program crash
    PID:1476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1636
    3⤵
    - Program crash
    PID:1732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1692
    3⤵
    - Program crash
    PID:2192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1448
    3⤵
    - Program crash
    PID:2560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1460
    3⤵
    - Program crash
    PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4720 -ip 4720
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4612 -ip 4612
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4612 -ip 4612
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4612 -ip 4612
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4612 -ip 4612
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4612 -ip 4612
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4612 -ip 4612
1⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4612 -ip 4612
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4612 -ip 4612
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4612 -ip 4612
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4612 -ip 4612
1⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4612 -ip 4612
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4612 -ip 4612
1⤵
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8f984c865b14a0b60b96e4eda4af481ab5e3bb6f4d6b7145dcca9b3d4c3635a6.exe

Filesize
1012KB

MD5
e83f0486be2fc07b0033a9d5c9b11f94

SHA1
8ac8b9363abba8091c79ce4c01192e4add55b2ba

SHA256
28ac2c7f3dac81fb5c9f74539bc421a4792b065c98f0fa21560d7662970a7407

SHA512
02a136b3c3052b0e11853300ff30328522b8127d6d7c065c25b35e03d4cde1b88ce57ca878c0d439ec6c665765913d5b1ea194a59e15bdab13ec7e7290c70322

Download Submit
memory/4612-7-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4612-9-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4612-10-0x0000000005020000-0x0000000005105000-memory.dmp

Filesize
916KB

Download
memory/4612-11-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4612-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4612-22-0x000000000EAC0000-0x000000000EB63000-memory.dmp

Filesize
652KB

Download
memory/4720-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4720-1-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4720-8-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download

Analysis

Sharing