735d5ce62872cce62793dc05c72722277f780ab1b54ad1d5b56b39898100060f

General

Target

735d5ce62872cce62793dc05c72722277f780ab1b54ad1d5b56b39898100060f.exe
Size

832KB
MD5

2b5ee16ca62061cde3f88f030bc49b8b
SHA1

a3420d05b297ab178ae950bfc5375c9a7444658e
SHA256

735d5ce62872cce62793dc05c72722277f780ab1b54ad1d5b56b39898100060f
SHA512

d38f662a01ba7ad7809c6e5b100b8e1e6d98aa34ddc47010e49e869c592567257254805f54827046ce7351f43d2f6097d0d6724b809ea247a61e5b9ae354ec3d
SSDEEP

12288:fRsvsNsyeJAOcwKzn+Vw0nbiLFsLJAhN4FfTGqHBzjE:fRpNsdjcwanYbiLVr8fTDBzg

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1476	735d5ce62872cce62793dc05c72722277f780ab1b54ad1d5b56b39898100060f.exe

Executes dropped EXE 1 IoCs

pid	Process
1476	735d5ce62872cce62793dc05c72722277f780ab1b54ad1d5b56b39898100060f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 13 IoCs

pid	pid_target	Process	procid_target
4868	4136	WerFault.exe	85
1548	1476	WerFault.exe	93
1488	1476	WerFault.exe	93
2916	1476	WerFault.exe	93
3844	1476	WerFault.exe	93
224	1476	WerFault.exe	93
4792	1476	WerFault.exe	93
1980	1476	WerFault.exe	93
3920	1476	WerFault.exe	93
2116	1476	WerFault.exe	93
2176	1476	WerFault.exe	93
1212	1476	WerFault.exe	93
3340	1476	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1476	735d5ce62872cce62793dc05c72722277f780ab1b54ad1d5b56b39898100060f.exe
1476	735d5ce62872cce62793dc05c72722277f780ab1b54ad1d5b56b39898100060f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4136	735d5ce62872cce62793dc05c72722277f780ab1b54ad1d5b56b39898100060f.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1476	735d5ce62872cce62793dc05c72722277f780ab1b54ad1d5b56b39898100060f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 1476	4136	735d5ce62872cce62793dc05c72722277f780ab1b54ad1d5b56b39898100060f.exe	93
PID 4136 wrote to memory of 1476	4136	735d5ce62872cce62793dc05c72722277f780ab1b54ad1d5b56b39898100060f.exe	93
PID 4136 wrote to memory of 1476	4136	735d5ce62872cce62793dc05c72722277f780ab1b54ad1d5b56b39898100060f.exe	93

C:\Users\Admin\AppData\Local\Temp\735d5ce62872cce62793dc05c72722277f780ab1b54ad1d5b56b39898100060f.exe
"C:\Users\Admin\AppData\Local\Temp\735d5ce62872cce62793dc05c72722277f780ab1b54ad1d5b56b39898100060f.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 348
  2⤵
  - Program crash
  PID:4868
- C:\Users\Admin\AppData\Local\Temp\735d5ce62872cce62793dc05c72722277f780ab1b54ad1d5b56b39898100060f.exe
  C:\Users\Admin\AppData\Local\Temp\735d5ce62872cce62793dc05c72722277f780ab1b54ad1d5b56b39898100060f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 348
    3⤵
    - Program crash
    PID:1548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 636
    3⤵
    - Program crash
    PID:1488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 676
    3⤵
    - Program crash
    PID:2916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 708
    3⤵
    - Program crash
    PID:3844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 676
    3⤵
    - Program crash
    PID:224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 964
    3⤵
    - Program crash
    PID:4792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1364
    3⤵
    - Program crash
    PID:1980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1456
    3⤵
    - Program crash
    PID:3920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1452
    3⤵
    - Program crash
    PID:2116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1496
    3⤵
    - Program crash
    PID:2176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1704
    3⤵
    - Program crash
    PID:1212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1040
    3⤵
    - Program crash
    PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4136 -ip 4136
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1476 -ip 1476
1⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1476 -ip 1476
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1476 -ip 1476
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1476 -ip 1476
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1476 -ip 1476
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1476 -ip 1476
1⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1476 -ip 1476
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1476 -ip 1476
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1476 -ip 1476
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1476 -ip 1476
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1476 -ip 1476
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1476 -ip 1476
1⤵
PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\735d5ce62872cce62793dc05c72722277f780ab1b54ad1d5b56b39898100060f.exe

Filesize
832KB

MD5
92bfc19778dabe3bd5c46516dd2182c6

SHA1
03c2c052a05e93688e24c0d4dd8a6c8fb9d5a170

SHA256
7f64825964cdea4a428d8cf5365838f1b3256c5340c233db6294657d8e0d47d5

SHA512
2b4e40094904bab3d6c8e14bfa46438ed87d14ba0e853f009bc3509547c3706be900898e8f76fa6c3f14cc932e041eb2ac79fe337a85dfbd3f5f15e3489113f1

Download Submit
memory/1476-7-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1476-9-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1476-8-0x0000000004FB0000-0x0000000005082000-memory.dmp

Filesize
840KB

Download
memory/1476-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1476-21-0x000000000B9A0000-0x000000000BA38000-memory.dmp

Filesize
608KB

Download
memory/4136-0-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4136-6-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download

Analysis

Sharing