6b556bee01c85dd2c803e602845e7442590feb1a68d5d3cbc63b7dc434818a06

General

Target

6b556bee01c85dd2c803e602845e7442590feb1a68d5d3cbc63b7dc434818a06.exe
Size

1012KB
MD5

b14b1391143a45874f0664db05361125
SHA1

1617247c3e82390af0a7aa53c27cdb0d61a6db9e
SHA256

6b556bee01c85dd2c803e602845e7442590feb1a68d5d3cbc63b7dc434818a06
SHA512

e8bc5e748a80ae71ac79379cb624270212d2660c99d5bec608060cf3d6d1c1ebb6c27596c3fb6a02eb036a4d87bdbb959aba76c1221ed85c50622adb374428db
SSDEEP

24576:sBuIFcu+vsIRIoYf/oNrBkEU4QJ41YBS2tBrwa/ZSX77Lv+f6T8E:sBR2PfRIJHSkEyhDUgQbD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4116	6b556bee01c85dd2c803e602845e7442590feb1a68d5d3cbc63b7dc434818a06.exe

Executes dropped EXE 1 IoCs

pid	Process
4116	6b556bee01c85dd2c803e602845e7442590feb1a68d5d3cbc63b7dc434818a06.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 11 IoCs

pid	pid_target	Process	procid_target
2428	4116	WerFault.exe	94
3832	4116	WerFault.exe	94
3884	4116	WerFault.exe	94
4364	4116	WerFault.exe	94
2588	4116	WerFault.exe	94
2276	4116	WerFault.exe	94
3800	4116	WerFault.exe	94
4364	4116	WerFault.exe	94
4856	4116	WerFault.exe	94
5080	4116	WerFault.exe	94
792	4116	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4116	6b556bee01c85dd2c803e602845e7442590feb1a68d5d3cbc63b7dc434818a06.exe
4116	6b556bee01c85dd2c803e602845e7442590feb1a68d5d3cbc63b7dc434818a06.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1544	6b556bee01c85dd2c803e602845e7442590feb1a68d5d3cbc63b7dc434818a06.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4116	6b556bee01c85dd2c803e602845e7442590feb1a68d5d3cbc63b7dc434818a06.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 4116	1544	6b556bee01c85dd2c803e602845e7442590feb1a68d5d3cbc63b7dc434818a06.exe	94
PID 1544 wrote to memory of 4116	1544	6b556bee01c85dd2c803e602845e7442590feb1a68d5d3cbc63b7dc434818a06.exe	94
PID 1544 wrote to memory of 4116	1544	6b556bee01c85dd2c803e602845e7442590feb1a68d5d3cbc63b7dc434818a06.exe	94

C:\Users\Admin\AppData\Local\Temp\6b556bee01c85dd2c803e602845e7442590feb1a68d5d3cbc63b7dc434818a06.exe
"C:\Users\Admin\AppData\Local\Temp\6b556bee01c85dd2c803e602845e7442590feb1a68d5d3cbc63b7dc434818a06.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\6b556bee01c85dd2c803e602845e7442590feb1a68d5d3cbc63b7dc434818a06.exe
  C:\Users\Admin\AppData\Local\Temp\6b556bee01c85dd2c803e602845e7442590feb1a68d5d3cbc63b7dc434818a06.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 344
    3⤵
    - Program crash
    PID:2428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 628
    3⤵
    - Program crash
    PID:3832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 676
    3⤵
    - Program crash
    PID:3884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 676
    3⤵
    - Program crash
    PID:4364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 720
    3⤵
    - Program crash
    PID:2588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 888
    3⤵
    - Program crash
    PID:2276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1404
    3⤵
    - Program crash
    PID:3800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1468
    3⤵
    - Program crash
    PID:4364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1484
    3⤵
    - Program crash
    PID:4856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1472
    3⤵
    - Program crash
    PID:5080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1540
    3⤵
    - Program crash
    PID:792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1544 -ip 1544
1⤵
PID:724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4116 -ip 4116
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4116 -ip 4116
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4116 -ip 4116
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4116 -ip 4116
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4116 -ip 4116
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4116 -ip 4116
1⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4116 -ip 4116
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4116 -ip 4116
1⤵
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4116 -ip 4116
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4116 -ip 4116
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4116 -ip 4116
1⤵
PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6b556bee01c85dd2c803e602845e7442590feb1a68d5d3cbc63b7dc434818a06.exe

Filesize
1012KB

MD5
41d02ebd4ab6f0a14ec9d1bd60cb26f6

SHA1
81588f0eba820effd26094216fe398d60944ff40

SHA256
5c79f4489d7ce9f13d064703f8d7a558ae3f9defddb06a8ce7ae8686ca61436b

SHA512
41e916f040fbe2ed86df7885e7145d7b0d3e93d8b4ef05bde9af284a8172cc7a48dda34a84844b41207685aedb10b304ebdf5926eeac1586ad5c6fb900e3a3ba

Download Submit
memory/1544-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1544-1-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1544-7-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4116-8-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4116-9-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4116-10-0x0000000005100000-0x00000000051E5000-memory.dmp

Filesize
916KB

Download
memory/4116-11-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4116-21-0x000000000B8E0000-0x000000000B983000-memory.dmp

Filesize
652KB

Download
memory/4116-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing