f0cac186582dec914be71eac069d843f4cc597ae3eefe67a9d10c5199825041e

General

Target

f0cac186582dec914be71eac069d843f4cc597ae3eefe67a9d10c5199825041e.exe
Size

1010KB
MD5

6a0cbd23667ca184a20e6d1ac3f5553a
SHA1

0373b39f3ef2e6fc9700715d9d8b939fdf49627a
SHA256

f0cac186582dec914be71eac069d843f4cc597ae3eefe67a9d10c5199825041e
SHA512

61e4309bb92031ff68d7da2ff980800186ebe533621c7cc953b292055dfe6864efa48b01676dc079a054eeef3dbf8a893b04e6d5c9d30c9118e075a754864acb
SSDEEP

24576:6eiygERId33cipOCARMYknmckoNedGxyUkkXB:6eiygECd33JahckoNed4LNR

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2860	f0cac186582dec914be71eac069d843f4cc597ae3eefe67a9d10c5199825041e.exe

Executes dropped EXE 1 IoCs

pid	Process
2860	f0cac186582dec914be71eac069d843f4cc597ae3eefe67a9d10c5199825041e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 14 IoCs

pid	pid_target	Process	procid_target
920	1516	WerFault.exe	57
1316	2860	WerFault.exe	97
1028	2860	WerFault.exe	97
312	2860	WerFault.exe	97
2764	2860	WerFault.exe	97
2520	2860	WerFault.exe	97
2108	2860	WerFault.exe	97
3184	2860	WerFault.exe	97
4080	2860	WerFault.exe	97
5036	2860	WerFault.exe	97
4708	2860	WerFault.exe	97
3788	2860	WerFault.exe	97
1020	2860	WerFault.exe	97
3184	2860	WerFault.exe	97

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2860	f0cac186582dec914be71eac069d843f4cc597ae3eefe67a9d10c5199825041e.exe
2860	f0cac186582dec914be71eac069d843f4cc597ae3eefe67a9d10c5199825041e.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1516	f0cac186582dec914be71eac069d843f4cc597ae3eefe67a9d10c5199825041e.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2860	f0cac186582dec914be71eac069d843f4cc597ae3eefe67a9d10c5199825041e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 2860	1516	f0cac186582dec914be71eac069d843f4cc597ae3eefe67a9d10c5199825041e.exe	97
PID 1516 wrote to memory of 2860	1516	f0cac186582dec914be71eac069d843f4cc597ae3eefe67a9d10c5199825041e.exe	97
PID 1516 wrote to memory of 2860	1516	f0cac186582dec914be71eac069d843f4cc597ae3eefe67a9d10c5199825041e.exe	97

C:\Users\Admin\AppData\Local\Temp\f0cac186582dec914be71eac069d843f4cc597ae3eefe67a9d10c5199825041e.exe
"C:\Users\Admin\AppData\Local\Temp\f0cac186582dec914be71eac069d843f4cc597ae3eefe67a9d10c5199825041e.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 352
  2⤵
  - Program crash
  PID:920
- C:\Users\Admin\AppData\Local\Temp\f0cac186582dec914be71eac069d843f4cc597ae3eefe67a9d10c5199825041e.exe
  C:\Users\Admin\AppData\Local\Temp\f0cac186582dec914be71eac069d843f4cc597ae3eefe67a9d10c5199825041e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 344
    3⤵
    - Program crash
    PID:1316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 636
    3⤵
    - Program crash
    PID:1028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 636
    3⤵
    - Program crash
    PID:312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 636
    3⤵
    - Program crash
    PID:2764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 732
    3⤵
    - Program crash
    PID:2520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 916
    3⤵
    - Program crash
    PID:2108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 1396
    3⤵
    - Program crash
    PID:3184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 1412
    3⤵
    - Program crash
    PID:4080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 1476
    3⤵
    - Program crash
    PID:5036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 1536
    3⤵
    - Program crash
    PID:4708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 1520
    3⤵
    - Program crash
    PID:3788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 1500
    3⤵
    - Program crash
    PID:1020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 1652
    3⤵
    - Program crash
    PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1516 -ip 1516
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2860 -ip 2860
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2860 -ip 2860
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2860 -ip 2860
1⤵
PID:676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2860 -ip 2860
1⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2860 -ip 2860
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2860 -ip 2860
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2860 -ip 2860
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2860 -ip 2860
1⤵
PID:792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2860 -ip 2860
1⤵
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2860 -ip 2860
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2860 -ip 2860
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2860 -ip 2860
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2860 -ip 2860
1⤵
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f0cac186582dec914be71eac069d843f4cc597ae3eefe67a9d10c5199825041e.exe

Filesize
1010KB

MD5
ca718105862f71f27bdd366ebad36537

SHA1
09a03cca47620b88067d89cc325b3fe21b07b03f

SHA256
c7243c3de1cc3fa987f62c75cd0d0ab7505597b9425e9e5324cffd0e41e84457

SHA512
f76cbcf6a0b9c20269014169734a92ac755471f0f7903d25fb29ef38d7385adcbe2d7ff4bf9164df6612300f0b2df1a84661def673a961d839dc84894b3cfcac

Download Submit
memory/1516-0-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1516-6-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2860-7-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2860-8-0x00000000050F0000-0x00000000051F3000-memory.dmp

Filesize
1.0MB

Download
memory/2860-9-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2860-22-0x000000000DAF0000-0x000000000DBA8000-memory.dmp

Filesize
736KB

Download
memory/2860-21-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing