5fed54b50588ce2ccb920706be3331d662d2ea2098bcf2b4b8856f3c5a264caa

General

Target

5fed54b50588ce2ccb920706be3331d662d2ea2098bcf2b4b8856f3c5a264caa.exe
Size

1012KB
MD5

9c4c397b9ea53c3aceabb7fa9273d3fe
SHA1

871aa3a55ecd6f17535984676779b697314f4746
SHA256

5fed54b50588ce2ccb920706be3331d662d2ea2098bcf2b4b8856f3c5a264caa
SHA512

eb043d340e57513a0cb42d1bf385d7720d2377d3f6175dc0dda07263fc0e94c81300e02af731a8108b922bd66e250425f8f724472cf11332fd99acb91e52b0db
SSDEEP

24576:n5wAfzZjRCHiaGRc3G/LiYlrea/ZSL77Lv+f6T8E:n55zCCplbl6gwbD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4504	5fed54b50588ce2ccb920706be3331d662d2ea2098bcf2b4b8856f3c5a264caa.exe

Executes dropped EXE 1 IoCs

pid	Process
4504	5fed54b50588ce2ccb920706be3331d662d2ea2098bcf2b4b8856f3c5a264caa.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 16 IoCs

pid	pid_target	Process	procid_target
4780	2028	WerFault.exe	85
4484	4504	WerFault.exe	94
3228	4504	WerFault.exe	94
1040	4504	WerFault.exe	94
2180	4504	WerFault.exe	94
4588	4504	WerFault.exe	94
3580	4504	WerFault.exe	94
2012	4504	WerFault.exe	94
5032	4504	WerFault.exe	94
404	4504	WerFault.exe	94
5096	4504	WerFault.exe	94
2736	4504	WerFault.exe	94
4884	4504	WerFault.exe	94
2404	4504	WerFault.exe	94
4368	4504	WerFault.exe	94
3960	4504	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4504	5fed54b50588ce2ccb920706be3331d662d2ea2098bcf2b4b8856f3c5a264caa.exe
4504	5fed54b50588ce2ccb920706be3331d662d2ea2098bcf2b4b8856f3c5a264caa.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2028	5fed54b50588ce2ccb920706be3331d662d2ea2098bcf2b4b8856f3c5a264caa.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4504	5fed54b50588ce2ccb920706be3331d662d2ea2098bcf2b4b8856f3c5a264caa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 4504	2028	5fed54b50588ce2ccb920706be3331d662d2ea2098bcf2b4b8856f3c5a264caa.exe	94
PID 2028 wrote to memory of 4504	2028	5fed54b50588ce2ccb920706be3331d662d2ea2098bcf2b4b8856f3c5a264caa.exe	94
PID 2028 wrote to memory of 4504	2028	5fed54b50588ce2ccb920706be3331d662d2ea2098bcf2b4b8856f3c5a264caa.exe	94

C:\Users\Admin\AppData\Local\Temp\5fed54b50588ce2ccb920706be3331d662d2ea2098bcf2b4b8856f3c5a264caa.exe
"C:\Users\Admin\AppData\Local\Temp\5fed54b50588ce2ccb920706be3331d662d2ea2098bcf2b4b8856f3c5a264caa.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 344
  2⤵
  - Program crash
  PID:4780
- C:\Users\Admin\AppData\Local\Temp\5fed54b50588ce2ccb920706be3331d662d2ea2098bcf2b4b8856f3c5a264caa.exe
  C:\Users\Admin\AppData\Local\Temp\5fed54b50588ce2ccb920706be3331d662d2ea2098bcf2b4b8856f3c5a264caa.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 344
    3⤵
    - Program crash
    PID:4484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 636
    3⤵
    - Program crash
    PID:3228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 644
    3⤵
    - Program crash
    PID:1040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 644
    3⤵
    - Program crash
    PID:2180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 720
    3⤵
    - Program crash
    PID:4588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 920
    3⤵
    - Program crash
    PID:3580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1420
    3⤵
    - Program crash
    PID:2012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1444
    3⤵
    - Program crash
    PID:5032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1492
    3⤵
    - Program crash
    PID:404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1724
    3⤵
    - Program crash
    PID:5096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1488
    3⤵
    - Program crash
    PID:2736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1564
    3⤵
    - Program crash
    PID:4884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1712
    3⤵
    - Program crash
    PID:2404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1424
    3⤵
    - Program crash
    PID:4368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1480
    3⤵
    - Program crash
    PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2028 -ip 2028
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4504 -ip 4504
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4504 -ip 4504
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4504 -ip 4504
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4504 -ip 4504
1⤵
PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4504 -ip 4504
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4504 -ip 4504
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4504 -ip 4504
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4504 -ip 4504
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4504 -ip 4504
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4504 -ip 4504
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4504 -ip 4504
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4504 -ip 4504
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4504 -ip 4504
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4504 -ip 4504
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4504 -ip 4504
1⤵
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5fed54b50588ce2ccb920706be3331d662d2ea2098bcf2b4b8856f3c5a264caa.exe

Filesize
1012KB

MD5
d50fc7b62ffdfc456d42b4cb497bd7b8

SHA1
a4bca2408c27d1e9f3929f7fcff8dc7c2e99fc64

SHA256
f8b50349030c1b019228f5e958ab394c0f463ee0fd547cecac55b7cb8d6ee5d1

SHA512
6fb083c2097229cb54dfaebe369e63dfbda6f0ffa8a04be26b7ad22308b234a8606e80affad66503f96cb15509ec58bdbdf3a91f3b2583473ba141f650a4e9c9

Download Submit
memory/2028-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2028-6-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4504-7-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4504-8-0x0000000001590000-0x0000000001675000-memory.dmp

Filesize
916KB

Download
memory/4504-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4504-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4504-22-0x000000000B9F0000-0x000000000BA93000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing