8a26f0de546bd2349a654d8012dc5d28197221a678c33e8371e411d180ffd79b

General

Target

8a26f0de546bd2349a654d8012dc5d28197221a678c33e8371e411d180ffd79b.exe
Size

1.2MB
MD5

7fcbcb240c76cb44e1b092c8dddb5310
SHA1

5674ba5b947e0fff3e3649b4c1cf56fd9a32c30f
SHA256

8a26f0de546bd2349a654d8012dc5d28197221a678c33e8371e411d180ffd79b
SHA512

3929c380609b1ac85e85f21e6a71f8ac2c10334c5e9b18a8483160775962608dd1b9b16cd524316da3e5003cf6e8f16f61a6e9e41e7d285706fb6b942fe1c7cf
SSDEEP

24576:VdubV+/mOo7KA3IgpGw0FZt7oHKix+BzAIGdTnuiND:j0V+/I7T3NpVw7o70BcFhnZ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4624	8a26f0de546bd2349a654d8012dc5d28197221a678c33e8371e411d180ffd79b.exe

Executes dropped EXE 1 IoCs

pid	Process
4624	8a26f0de546bd2349a654d8012dc5d28197221a678c33e8371e411d180ffd79b.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 14 IoCs

pid	pid_target	Process	procid_target
4440	2696	WerFault.exe	86
3392	4624	WerFault.exe	95
1888	4624	WerFault.exe	95
5008	4624	WerFault.exe	95
1608	4624	WerFault.exe	95
388	4624	WerFault.exe	95
4472	4624	WerFault.exe	95
4280	4624	WerFault.exe	95
532	4624	WerFault.exe	95
3628	4624	WerFault.exe	95
1444	4624	WerFault.exe	95
4936	4624	WerFault.exe	95
1644	4624	WerFault.exe	95
2464	4624	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4624	8a26f0de546bd2349a654d8012dc5d28197221a678c33e8371e411d180ffd79b.exe
4624	8a26f0de546bd2349a654d8012dc5d28197221a678c33e8371e411d180ffd79b.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2696	8a26f0de546bd2349a654d8012dc5d28197221a678c33e8371e411d180ffd79b.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4624	8a26f0de546bd2349a654d8012dc5d28197221a678c33e8371e411d180ffd79b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 4624	2696	8a26f0de546bd2349a654d8012dc5d28197221a678c33e8371e411d180ffd79b.exe	95
PID 2696 wrote to memory of 4624	2696	8a26f0de546bd2349a654d8012dc5d28197221a678c33e8371e411d180ffd79b.exe	95
PID 2696 wrote to memory of 4624	2696	8a26f0de546bd2349a654d8012dc5d28197221a678c33e8371e411d180ffd79b.exe	95

C:\Users\Admin\AppData\Local\Temp\8a26f0de546bd2349a654d8012dc5d28197221a678c33e8371e411d180ffd79b.exe
"C:\Users\Admin\AppData\Local\Temp\8a26f0de546bd2349a654d8012dc5d28197221a678c33e8371e411d180ffd79b.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 344
  2⤵
  - Program crash
  PID:4440
- C:\Users\Admin\AppData\Local\Temp\8a26f0de546bd2349a654d8012dc5d28197221a678c33e8371e411d180ffd79b.exe
  C:\Users\Admin\AppData\Local\Temp\8a26f0de546bd2349a654d8012dc5d28197221a678c33e8371e411d180ffd79b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 344
    3⤵
    - Program crash
    PID:3392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 624
    3⤵
    - Program crash
    PID:1888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 624
    3⤵
    - Program crash
    PID:5008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 652
    3⤵
    - Program crash
    PID:1608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 720
    3⤵
    - Program crash
    PID:388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 928
    3⤵
    - Program crash
    PID:4472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1400
    3⤵
    - Program crash
    PID:4280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1412
    3⤵
    - Program crash
    PID:532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1684
    3⤵
    - Program crash
    PID:3628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1508
    3⤵
    - Program crash
    PID:1444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1448
    3⤵
    - Program crash
    PID:4936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1644
    3⤵
    - Program crash
    PID:1644
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 632
    3⤵
    - Program crash
    PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2696 -ip 2696
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4624 -ip 4624
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4624 -ip 4624
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4624 -ip 4624
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4624 -ip 4624
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4624 -ip 4624
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4624 -ip 4624
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4624 -ip 4624
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4624 -ip 4624
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4624 -ip 4624
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4624 -ip 4624
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4624 -ip 4624
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4624 -ip 4624
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4624 -ip 4624
1⤵
PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8a26f0de546bd2349a654d8012dc5d28197221a678c33e8371e411d180ffd79b.exe

Filesize
1.2MB

MD5
843f9be704b0b73bb2cdaf6ad5638778

SHA1
804635a95caf38edc496051fa910c622578883f2

SHA256
e29ea87c0db9a10e2be39fa59f907ff0aae50a3505245ebe5cf84c61fbe67c94

SHA512
c872b8f9b678e148846d89002c079a679a34f250489fb85c12c12202ebec383217e0dd647c2e5e82f9ef34186b103a923e5056f8fa3bf841f4bd9c9c1bccf439

Download Submit
memory/2696-0-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2696-6-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4624-7-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4624-8-0x0000000004FA0000-0x0000000005072000-memory.dmp

Filesize
840KB

Download
memory/4624-9-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4624-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4624-20-0x000000000EAA0000-0x000000000EB38000-memory.dmp

Filesize
608KB

Download

Analysis

Sharing