b61aa85e1cec76cddb6f5e0e2a43ea50d02119279fcf4682444b0b7253ebcc82

General

Target

b61aa85e1cec76cddb6f5e0e2a43ea50d02119279fcf4682444b0b7253ebcc82.exe
Size

3.9MB
MD5

2f72175e684a536d39aa047ee057fcb9
SHA1

faa3b6908bdba57a751019faaafe114989acb2c1
SHA256

b61aa85e1cec76cddb6f5e0e2a43ea50d02119279fcf4682444b0b7253ebcc82
SHA512

8e315b88e84d9d821e252ae3fcb62c58cc41d08315492c2b6871c4faffcf87c5c0d55feee80f6c2abdb513c5aa1b838ed25bfe567f4864d8a831e5dfc686391d
SSDEEP

49152:ZXmt/RuMt1oCAUdwWgRbCAjN/QeYEwxegRbSbmv1V3w7DgRbCAjN/QeYEwxegRb5:5mzVRdwjGyBm+itV3JGyBmF

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2668	b61aa85e1cec76cddb6f5e0e2a43ea50d02119279fcf4682444b0b7253ebcc82.exe

Executes dropped EXE 1 IoCs

pid	Process
2668	b61aa85e1cec76cddb6f5e0e2a43ea50d02119279fcf4682444b0b7253ebcc82.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 13 IoCs

pid	pid_target	Process	procid_target
4668	2732	WerFault.exe	87
4592	2668	WerFault.exe	97
4064	2668	WerFault.exe	97
3044	2668	WerFault.exe	97
3768	2668	WerFault.exe	97
1456	2668	WerFault.exe	97
3648	2668	WerFault.exe	97
1788	2668	WerFault.exe	97
1100	2668	WerFault.exe	97
4988	2668	WerFault.exe	97
2532	2668	WerFault.exe	97
4216	2668	WerFault.exe	97
1520	2668	WerFault.exe	97

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2668	b61aa85e1cec76cddb6f5e0e2a43ea50d02119279fcf4682444b0b7253ebcc82.exe
2668	b61aa85e1cec76cddb6f5e0e2a43ea50d02119279fcf4682444b0b7253ebcc82.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2732	b61aa85e1cec76cddb6f5e0e2a43ea50d02119279fcf4682444b0b7253ebcc82.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2668	b61aa85e1cec76cddb6f5e0e2a43ea50d02119279fcf4682444b0b7253ebcc82.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2668	2732	b61aa85e1cec76cddb6f5e0e2a43ea50d02119279fcf4682444b0b7253ebcc82.exe	97
PID 2732 wrote to memory of 2668	2732	b61aa85e1cec76cddb6f5e0e2a43ea50d02119279fcf4682444b0b7253ebcc82.exe	97
PID 2732 wrote to memory of 2668	2732	b61aa85e1cec76cddb6f5e0e2a43ea50d02119279fcf4682444b0b7253ebcc82.exe	97

C:\Users\Admin\AppData\Local\Temp\b61aa85e1cec76cddb6f5e0e2a43ea50d02119279fcf4682444b0b7253ebcc82.exe
"C:\Users\Admin\AppData\Local\Temp\b61aa85e1cec76cddb6f5e0e2a43ea50d02119279fcf4682444b0b7253ebcc82.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 352
  2⤵
  - Program crash
  PID:4668
- C:\Users\Admin\AppData\Local\Temp\b61aa85e1cec76cddb6f5e0e2a43ea50d02119279fcf4682444b0b7253ebcc82.exe
  C:\Users\Admin\AppData\Local\Temp\b61aa85e1cec76cddb6f5e0e2a43ea50d02119279fcf4682444b0b7253ebcc82.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 356
    3⤵
    - Program crash
    PID:4592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 564
    3⤵
    - Program crash
    PID:4064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 648
    3⤵
    - Program crash
    PID:3044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 564
    3⤵
    - Program crash
    PID:3768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 752
    3⤵
    - Program crash
    PID:1456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 904
    3⤵
    - Program crash
    PID:3648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1404
    3⤵
    - Program crash
    PID:1788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1472
    3⤵
    - Program crash
    PID:1100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1456
    3⤵
    - Program crash
    PID:4988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1476
    3⤵
    - Program crash
    PID:2532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1728
    3⤵
    - Program crash
    PID:4216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1676
    3⤵
    - Program crash
    PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2732 -ip 2732
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2668 -ip 2668
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2668 -ip 2668
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2668 -ip 2668
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2668 -ip 2668
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2668 -ip 2668
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2668 -ip 2668
1⤵
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2668 -ip 2668
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2668 -ip 2668
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2668 -ip 2668
1⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2668 -ip 2668
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2668 -ip 2668
1⤵
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2668 -ip 2668
1⤵
PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b61aa85e1cec76cddb6f5e0e2a43ea50d02119279fcf4682444b0b7253ebcc82.exe

Filesize
3.9MB

MD5
178f031ffde599ac83b942ee705ed592

SHA1
d3cc601e26d68da747688e7e8aed80c43d53b4e7

SHA256
5f3b97a9914653e92d42ef36aea5d47ad004d88133aa77f71bfabf769b9b1a50

SHA512
a853807952b0cffd99fd128d736640d3bbbb4a7a86261ddb4d1857fd2d1b2d3a7c5d1d7134a2a5f3425120a8d9238372cd75eab7701adfeb33f94ffd69e30c57

Download Submit
memory/2668-7-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2668-8-0x0000000001760000-0x0000000001844000-memory.dmp

Filesize
912KB

Download
memory/2668-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2668-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2668-21-0x000000000B9B0000-0x000000000BA53000-memory.dmp

Filesize
652KB

Download
memory/2732-0-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2732-6-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download

Analysis

Sharing