f320e5bf0b04959fee08c1a5f83a809ccb84c62c5f793f39ca33d8b5bbbe6264

General

Target

f320e5bf0b04959fee08c1a5f83a809ccb84c62c5f793f39ca33d8b5bbbe6264.exe
Size

6.2MB
MD5

806e990b146effe15fed9ba9f96f94e7
SHA1

ddadde0227c35ca9c12cd50bb7ba12534d32ff37
SHA256

f320e5bf0b04959fee08c1a5f83a809ccb84c62c5f793f39ca33d8b5bbbe6264
SHA512

eb2cbc1dac6a3b436aff690cc172a83db30fd40a5b97cb2a5750e6c68b2a5823036dfe662cad92a2b90b1eca090d146745db26d9ba4d843cc3f8393e7a05eaed
SSDEEP

98304:DCR8O85/PGEuT7o0Fu1W8XEfYKlmpYzPouT7o0Fu1W8XEfYd:DCaO85nGzT8EfWyQuT8Efy

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4176	f320e5bf0b04959fee08c1a5f83a809ccb84c62c5f793f39ca33d8b5bbbe6264.exe

Executes dropped EXE 1 IoCs

pid	Process
4176	f320e5bf0b04959fee08c1a5f83a809ccb84c62c5f793f39ca33d8b5bbbe6264.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 14 IoCs

pid	pid_target	Process	procid_target
4408	4056	WerFault.exe	85
4416	4176	WerFault.exe	94
3292	4176	WerFault.exe	94
4816	4176	WerFault.exe	94
220	4176	WerFault.exe	94
1404	4176	WerFault.exe	94
2360	4176	WerFault.exe	94
1428	4176	WerFault.exe	94
1480	4176	WerFault.exe	94
764	4176	WerFault.exe	94
1620	4176	WerFault.exe	94
32	4176	WerFault.exe	94
2380	4176	WerFault.exe	94
4808	4176	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4176	f320e5bf0b04959fee08c1a5f83a809ccb84c62c5f793f39ca33d8b5bbbe6264.exe
4176	f320e5bf0b04959fee08c1a5f83a809ccb84c62c5f793f39ca33d8b5bbbe6264.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4056	f320e5bf0b04959fee08c1a5f83a809ccb84c62c5f793f39ca33d8b5bbbe6264.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4176	f320e5bf0b04959fee08c1a5f83a809ccb84c62c5f793f39ca33d8b5bbbe6264.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 4176	4056	f320e5bf0b04959fee08c1a5f83a809ccb84c62c5f793f39ca33d8b5bbbe6264.exe	94
PID 4056 wrote to memory of 4176	4056	f320e5bf0b04959fee08c1a5f83a809ccb84c62c5f793f39ca33d8b5bbbe6264.exe	94
PID 4056 wrote to memory of 4176	4056	f320e5bf0b04959fee08c1a5f83a809ccb84c62c5f793f39ca33d8b5bbbe6264.exe	94

C:\Users\Admin\AppData\Local\Temp\f320e5bf0b04959fee08c1a5f83a809ccb84c62c5f793f39ca33d8b5bbbe6264.exe
"C:\Users\Admin\AppData\Local\Temp\f320e5bf0b04959fee08c1a5f83a809ccb84c62c5f793f39ca33d8b5bbbe6264.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 344
  2⤵
  - Program crash
  PID:4408
- C:\Users\Admin\AppData\Local\Temp\f320e5bf0b04959fee08c1a5f83a809ccb84c62c5f793f39ca33d8b5bbbe6264.exe
  C:\Users\Admin\AppData\Local\Temp\f320e5bf0b04959fee08c1a5f83a809ccb84c62c5f793f39ca33d8b5bbbe6264.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 344
    3⤵
    - Program crash
    PID:4416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 628
    3⤵
    - Program crash
    PID:3292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 636
    3⤵
    - Program crash
    PID:4816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 636
    3⤵
    - Program crash
    PID:220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 708
    3⤵
    - Program crash
    PID:1404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 888
    3⤵
    - Program crash
    PID:2360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1420
    3⤵
    - Program crash
    PID:1428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1396
    3⤵
    - Program crash
    PID:1480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1684
    3⤵
    - Program crash
    PID:764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1492
    3⤵
    - Program crash
    PID:1620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1504
    3⤵
    - Program crash
    PID:32
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1544
    3⤵
    - Program crash
    PID:2380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 652
    3⤵
    - Program crash
    PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4056 -ip 4056
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4176 -ip 4176
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4176 -ip 4176
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4176 -ip 4176
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4176 -ip 4176
1⤵
PID:588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4176 -ip 4176
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4176 -ip 4176
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4176 -ip 4176
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4176 -ip 4176
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4176 -ip 4176
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4176 -ip 4176
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4176 -ip 4176
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4176 -ip 4176
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4176 -ip 4176
1⤵
PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f320e5bf0b04959fee08c1a5f83a809ccb84c62c5f793f39ca33d8b5bbbe6264.exe

Filesize
6.2MB

MD5
e482b2658ab374d53c0258c2c9ea5f50

SHA1
51550ada52261702909a7507601497ce44fd3b00

SHA256
0b76a693acdec1df5782bf293cb7c4349501b631c6defceb2c699114c387f617

SHA512
4d6a8e9e47422d3b0c2778ead8ac45a0f9c4f5d6042d469defea7336db2baccd9b9da0882f88a3a6ff396e3bccce7de6eb98d3e60a9827a0f051354218a9c2f2

Download Submit
memory/4056-0-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/4056-6-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/4176-7-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/4176-8-0x0000000005110000-0x00000000051F4000-memory.dmp

Filesize
912KB

Download
memory/4176-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4176-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4176-21-0x000000000B9E0000-0x000000000BA83000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing