e13cfbc9a24dbdf236913aa7feadb33ee6557ead73c7a66d4f6bf617bb98e095

General

Target

e13cfbc9a24dbdf236913aa7feadb33ee6557ead73c7a66d4f6bf617bb98e095.exe
Size

912KB
MD5

bae00cb508379d28ce96324401143377
SHA1

f8097b0dc607f89ff4692cbf19c1c398839dff37
SHA256

e13cfbc9a24dbdf236913aa7feadb33ee6557ead73c7a66d4f6bf617bb98e095
SHA512

026c150863361f2114c2a2ff83f8bc9cb3e0c5741f0f25b16a99e09b094db0f05fd2b732132ec8460d607358b246eb123d528aad02fddb3e831b83a481e646c0
SSDEEP

24576:QuiQB4hufj4t11Siz1f1V0cNxhESF2rahzdp8b3Cbc0TOVXByma/ZSL77i:5fq1Si5f1V/ISoa18byTcXBngwy

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4420	e13cfbc9a24dbdf236913aa7feadb33ee6557ead73c7a66d4f6bf617bb98e095.exe

Executes dropped EXE 1 IoCs

pid	Process
4420	e13cfbc9a24dbdf236913aa7feadb33ee6557ead73c7a66d4f6bf617bb98e095.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 13 IoCs

pid	pid_target	Process	procid_target
856	2108	WerFault.exe	81
3192	4420	WerFault.exe	93
3280	4420	WerFault.exe	93
4588	4420	WerFault.exe	93
2184	4420	WerFault.exe	93
3324	4420	WerFault.exe	93
5036	4420	WerFault.exe	93
1140	4420	WerFault.exe	93
1328	4420	WerFault.exe	93
3120	4420	WerFault.exe	93
3608	4420	WerFault.exe	93
3564	4420	WerFault.exe	93
1520	4420	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4420	e13cfbc9a24dbdf236913aa7feadb33ee6557ead73c7a66d4f6bf617bb98e095.exe
4420	e13cfbc9a24dbdf236913aa7feadb33ee6557ead73c7a66d4f6bf617bb98e095.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2108	e13cfbc9a24dbdf236913aa7feadb33ee6557ead73c7a66d4f6bf617bb98e095.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4420	e13cfbc9a24dbdf236913aa7feadb33ee6557ead73c7a66d4f6bf617bb98e095.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 4420	2108	e13cfbc9a24dbdf236913aa7feadb33ee6557ead73c7a66d4f6bf617bb98e095.exe	93
PID 2108 wrote to memory of 4420	2108	e13cfbc9a24dbdf236913aa7feadb33ee6557ead73c7a66d4f6bf617bb98e095.exe	93
PID 2108 wrote to memory of 4420	2108	e13cfbc9a24dbdf236913aa7feadb33ee6557ead73c7a66d4f6bf617bb98e095.exe	93

C:\Users\Admin\AppData\Local\Temp\e13cfbc9a24dbdf236913aa7feadb33ee6557ead73c7a66d4f6bf617bb98e095.exe
"C:\Users\Admin\AppData\Local\Temp\e13cfbc9a24dbdf236913aa7feadb33ee6557ead73c7a66d4f6bf617bb98e095.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 340
  2⤵
  - Program crash
  PID:856
- C:\Users\Admin\AppData\Local\Temp\e13cfbc9a24dbdf236913aa7feadb33ee6557ead73c7a66d4f6bf617bb98e095.exe
  C:\Users\Admin\AppData\Local\Temp\e13cfbc9a24dbdf236913aa7feadb33ee6557ead73c7a66d4f6bf617bb98e095.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 348
    3⤵
    - Program crash
    PID:3192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 636
    3⤵
    - Program crash
    PID:3280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 636
    3⤵
    - Program crash
    PID:4588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 636
    3⤵
    - Program crash
    PID:2184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 756
    3⤵
    - Program crash
    PID:3324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1008
    3⤵
    - Program crash
    PID:5036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1396
    3⤵
    - Program crash
    PID:1140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1424
    3⤵
    - Program crash
    PID:1328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1488
    3⤵
    - Program crash
    PID:3120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1536
    3⤵
    - Program crash
    PID:3608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1532
    3⤵
    - Program crash
    PID:3564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1124
    3⤵
    - Program crash
    PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2108 -ip 2108
1⤵
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4420 -ip 4420
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4420 -ip 4420
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4420 -ip 4420
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4420 -ip 4420
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4420 -ip 4420
1⤵
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4420 -ip 4420
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4420 -ip 4420
1⤵
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4420 -ip 4420
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4420 -ip 4420
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4420 -ip 4420
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4420 -ip 4420
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4420 -ip 4420
1⤵
PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e13cfbc9a24dbdf236913aa7feadb33ee6557ead73c7a66d4f6bf617bb98e095.exe

Filesize
912KB

MD5
f30b961b89b43a274f9004424421fbcd

SHA1
400a2c8567ce41fb150d35385cce77bf7c61220a

SHA256
4960781bfbc738b279bec12df61bc29176b55833790a823886e03ed1ca722b68

SHA512
7073245a968034d1f64bd7c953d5d03040f5716106ca57e08547fe6d390589f32c91253140a4364fcce519bc692df6f9aa33aeabb693330f669d438403c8bb38

Download Submit
memory/2108-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2108-1-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2108-6-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4420-8-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4420-10-0x0000000004FE0000-0x00000000050C5000-memory.dmp

Filesize
916KB

Download
memory/4420-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4420-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4420-20-0x000000000CA30000-0x000000000CAD3000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing