97344c8dfd34fff4f69a729e8b07d361bf51e23c83218485b995d59efdd5bd59

General

Target

97344c8dfd34fff4f69a729e8b07d361bf51e23c83218485b995d59efdd5bd59.exe
Size

1010KB
MD5

da2b5b57f872b6a5ae830bd2b11ba1c0
SHA1

76db8ed5a1e5ce83f551639e4b06c324f80a243f
SHA256

97344c8dfd34fff4f69a729e8b07d361bf51e23c83218485b995d59efdd5bd59
SHA512

ae97dbf096bd90a92bd419f61345bcaef04699b39d10af80f17a639cf280174d21a20293c44a6c37666ebdbf5c6ea09618a51343b1bb6cc39b6fac7dcaab8d3a
SSDEEP

12288:0a0r6ZDd+c5CPGXAqQJyP1teGPoxIvOA6YONEeKTSyxMtclcAYjInmeVEUkkP/B:BDd2Jy/eGQx6OdYOWPOuMJjeyUkkXB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1752	97344c8dfd34fff4f69a729e8b07d361bf51e23c83218485b995d59efdd5bd59.exe

Executes dropped EXE 1 IoCs

pid	Process
1752	97344c8dfd34fff4f69a729e8b07d361bf51e23c83218485b995d59efdd5bd59.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 8 IoCs

pid	pid_target	Process	procid_target
1196	1764	WerFault.exe	85
4960	1752	WerFault.exe	94
1492	1752	WerFault.exe	94
4964	1752	WerFault.exe	94
4764	1752	WerFault.exe	94
1232	1752	WerFault.exe	94
3568	1752	WerFault.exe	94
2440	1752	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1752	97344c8dfd34fff4f69a729e8b07d361bf51e23c83218485b995d59efdd5bd59.exe
1752	97344c8dfd34fff4f69a729e8b07d361bf51e23c83218485b995d59efdd5bd59.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1764	97344c8dfd34fff4f69a729e8b07d361bf51e23c83218485b995d59efdd5bd59.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1752	97344c8dfd34fff4f69a729e8b07d361bf51e23c83218485b995d59efdd5bd59.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1752	1764	97344c8dfd34fff4f69a729e8b07d361bf51e23c83218485b995d59efdd5bd59.exe	94
PID 1764 wrote to memory of 1752	1764	97344c8dfd34fff4f69a729e8b07d361bf51e23c83218485b995d59efdd5bd59.exe	94
PID 1764 wrote to memory of 1752	1764	97344c8dfd34fff4f69a729e8b07d361bf51e23c83218485b995d59efdd5bd59.exe	94

C:\Users\Admin\AppData\Local\Temp\97344c8dfd34fff4f69a729e8b07d361bf51e23c83218485b995d59efdd5bd59.exe
"C:\Users\Admin\AppData\Local\Temp\97344c8dfd34fff4f69a729e8b07d361bf51e23c83218485b995d59efdd5bd59.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 344
  2⤵
  - Program crash
  PID:1196
- C:\Users\Admin\AppData\Local\Temp\97344c8dfd34fff4f69a729e8b07d361bf51e23c83218485b995d59efdd5bd59.exe
  C:\Users\Admin\AppData\Local\Temp\97344c8dfd34fff4f69a729e8b07d361bf51e23c83218485b995d59efdd5bd59.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 352
    3⤵
    - Program crash
    PID:4960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 636
    3⤵
    - Program crash
    PID:1492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 668
    3⤵
    - Program crash
    PID:4964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 636
    3⤵
    - Program crash
    PID:4764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 736
    3⤵
    - Program crash
    PID:1232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 920
    3⤵
    - Program crash
    PID:3568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 640
    3⤵
    - Program crash
    PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1764 -ip 1764
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1752 -ip 1752
1⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1752 -ip 1752
1⤵
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1752 -ip 1752
1⤵
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1752 -ip 1752
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1752 -ip 1752
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1752 -ip 1752
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1752 -ip 1752
1⤵
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\97344c8dfd34fff4f69a729e8b07d361bf51e23c83218485b995d59efdd5bd59.exe

Filesize
1010KB

MD5
66537eaea97badff2a20838af4b83950

SHA1
a5d8ed61e0391603dde1fd672328915cb56df753

SHA256
32d53a53826ef9919737d2353ba55fb99ff6000946e83fa8fd7bd5f01db964cb

SHA512
fe46badedbcc885fdaee7d0e7b8909b563191f3e6dac94eef1ca12c9653bea010cad35396f9fdedef2a5427ef4d43bde979587a2fc940e6dd3b95d802c5c0773

Download Submit
memory/1752-7-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1752-8-0x0000000005140000-0x0000000005243000-memory.dmp

Filesize
1.0MB

Download
memory/1752-9-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1752-16-0x000000000A9E0000-0x000000000AA98000-memory.dmp

Filesize
736KB

Download
memory/1752-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1764-0-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1764-6-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing