d483fc7276501943b0c81b82bf82b684fab6d4a5531064413a5d9791bc456a63

General

Target

d483fc7276501943b0c81b82bf82b684fab6d4a5531064413a5d9791bc456a63.exe
Size

1012KB
MD5

a0019b797dc0e16465d6b9b093702c0d
SHA1

07d15c2b582829d6a5ddd09172811125a332c00e
SHA256

d483fc7276501943b0c81b82bf82b684fab6d4a5531064413a5d9791bc456a63
SHA512

45c12e67d8f89066c13735e6e48161bc44801bbe210496edaa7145b2e9ee3691ba6cff14ba412dc783880a8d961e6a691606eb310def7f07eab7dc3de3ce62d6
SSDEEP

24576:tV/M24IobyYX7pAcJMZN2gtmb+0gzIB3yjHa/ZSL77Lv+f6T8E:tk1lGrZN2gtbLz03yjHgwbD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4572	d483fc7276501943b0c81b82bf82b684fab6d4a5531064413a5d9791bc456a63.exe

Executes dropped EXE 1 IoCs

pid	Process
4572	d483fc7276501943b0c81b82bf82b684fab6d4a5531064413a5d9791bc456a63.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 12 IoCs

pid	pid_target	Process	procid_target
4736	4372	WerFault.exe	86
1088	4572	WerFault.exe	96
1808	4572	WerFault.exe	96
2456	4572	WerFault.exe	96
2652	4572	WerFault.exe	96
400	4572	WerFault.exe	96
5112	4572	WerFault.exe	96
2396	4572	WerFault.exe	96
1660	4572	WerFault.exe	96
4232	4572	WerFault.exe	96
696	4572	WerFault.exe	96
3032	4572	WerFault.exe	96

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4572	d483fc7276501943b0c81b82bf82b684fab6d4a5531064413a5d9791bc456a63.exe
4572	d483fc7276501943b0c81b82bf82b684fab6d4a5531064413a5d9791bc456a63.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4372	d483fc7276501943b0c81b82bf82b684fab6d4a5531064413a5d9791bc456a63.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4572	d483fc7276501943b0c81b82bf82b684fab6d4a5531064413a5d9791bc456a63.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 4572	4372	d483fc7276501943b0c81b82bf82b684fab6d4a5531064413a5d9791bc456a63.exe	96
PID 4372 wrote to memory of 4572	4372	d483fc7276501943b0c81b82bf82b684fab6d4a5531064413a5d9791bc456a63.exe	96
PID 4372 wrote to memory of 4572	4372	d483fc7276501943b0c81b82bf82b684fab6d4a5531064413a5d9791bc456a63.exe	96

C:\Users\Admin\AppData\Local\Temp\d483fc7276501943b0c81b82bf82b684fab6d4a5531064413a5d9791bc456a63.exe
"C:\Users\Admin\AppData\Local\Temp\d483fc7276501943b0c81b82bf82b684fab6d4a5531064413a5d9791bc456a63.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 344
  2⤵
  - Program crash
  PID:4736
- C:\Users\Admin\AppData\Local\Temp\d483fc7276501943b0c81b82bf82b684fab6d4a5531064413a5d9791bc456a63.exe
  C:\Users\Admin\AppData\Local\Temp\d483fc7276501943b0c81b82bf82b684fab6d4a5531064413a5d9791bc456a63.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 344
    3⤵
    - Program crash
    PID:1088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 636
    3⤵
    - Program crash
    PID:1808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 644
    3⤵
    - Program crash
    PID:2456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 720
    3⤵
    - Program crash
    PID:2652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 760
    3⤵
    - Program crash
    PID:400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 952
    3⤵
    - Program crash
    PID:5112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1420
    3⤵
    - Program crash
    PID:2396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1456
    3⤵
    - Program crash
    PID:1660
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1464
    3⤵
    - Program crash
    PID:4232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1400
    3⤵
    - Program crash
    PID:696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1664
    3⤵
    - Program crash
    PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4372 -ip 4372
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4572 -ip 4572
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4572 -ip 4572
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4572 -ip 4572
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4572 -ip 4572
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4572 -ip 4572
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4572 -ip 4572
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4572 -ip 4572
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4572 -ip 4572
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4572 -ip 4572
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4572 -ip 4572
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4572 -ip 4572
1⤵
PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d483fc7276501943b0c81b82bf82b684fab6d4a5531064413a5d9791bc456a63.exe

Filesize
1012KB

MD5
df5ac3f9915627f7e3f7b4a9b9348889

SHA1
66f3f6d6ac1f58199ac8514e560957f6488fa89e

SHA256
e6eb455c5ffef834c7adec0b9db5b809df92cc8850e1fdb84c0928cadcad70ac

SHA512
b59c2e9670c84edd8f111315572f315df6ee4d7af603c76edb4a3474014b5fdb87c9d2d581f3250b79b28d72f88aad1b473cc5d5f4566ca40c8ca3a27b3cf942

Download Submit
memory/4372-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4372-1-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4372-9-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4572-10-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4572-11-0x0000000003FB0000-0x0000000004095000-memory.dmp

Filesize
916KB

Download
memory/4572-12-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4572-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4572-24-0x000000000B8E0000-0x000000000B983000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing