3a24125bd8de40d3f513ea903a49a3d7b23d4bcc4441b5e48c57996ccf107bfc

General

Target

3a24125bd8de40d3f513ea903a49a3d7b23d4bcc4441b5e48c57996ccf107bfc.exe
Size

3.3MB
MD5

cf5de2e88cb4b7e0055f16d58d983aa2
SHA1

f77871c93ca90cbe676c365e09ab931f2a71d728
SHA256

3a24125bd8de40d3f513ea903a49a3d7b23d4bcc4441b5e48c57996ccf107bfc
SHA512

3a7928592e50fcb1b73515101881bac6071cc75bb58135a12e8c8d231164676b4947f4ecc704eb34a632a77593cdba1ddb9677dee2cc1517649b306521b0fd11
SSDEEP

49152:v9d0ayyYokh60agQbExL5IaVpZjJ0YytZHgbG+HR9/UI8gQbExL5IaVpZjJ0YyC:v9vjcaQQMFoZuG+07QQMFD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5096	3a24125bd8de40d3f513ea903a49a3d7b23d4bcc4441b5e48c57996ccf107bfc.exe

Executes dropped EXE 1 IoCs

pid	Process
5096	3a24125bd8de40d3f513ea903a49a3d7b23d4bcc4441b5e48c57996ccf107bfc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 14 IoCs

pid	pid_target	Process	procid_target
3540	2316	WerFault.exe	84
4696	5096	WerFault.exe	94
2500	5096	WerFault.exe	94
5000	5096	WerFault.exe	94
1844	5096	WerFault.exe	94
4372	5096	WerFault.exe	94
1452	5096	WerFault.exe	94
316	5096	WerFault.exe	94
3920	5096	WerFault.exe	94
2096	5096	WerFault.exe	94
676	5096	WerFault.exe	94
4536	5096	WerFault.exe	94
2260	5096	WerFault.exe	94
3024	5096	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5096	3a24125bd8de40d3f513ea903a49a3d7b23d4bcc4441b5e48c57996ccf107bfc.exe
5096	3a24125bd8de40d3f513ea903a49a3d7b23d4bcc4441b5e48c57996ccf107bfc.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2316	3a24125bd8de40d3f513ea903a49a3d7b23d4bcc4441b5e48c57996ccf107bfc.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
5096	3a24125bd8de40d3f513ea903a49a3d7b23d4bcc4441b5e48c57996ccf107bfc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 5096	2316	3a24125bd8de40d3f513ea903a49a3d7b23d4bcc4441b5e48c57996ccf107bfc.exe	94
PID 2316 wrote to memory of 5096	2316	3a24125bd8de40d3f513ea903a49a3d7b23d4bcc4441b5e48c57996ccf107bfc.exe	94
PID 2316 wrote to memory of 5096	2316	3a24125bd8de40d3f513ea903a49a3d7b23d4bcc4441b5e48c57996ccf107bfc.exe	94

C:\Users\Admin\AppData\Local\Temp\3a24125bd8de40d3f513ea903a49a3d7b23d4bcc4441b5e48c57996ccf107bfc.exe
"C:\Users\Admin\AppData\Local\Temp\3a24125bd8de40d3f513ea903a49a3d7b23d4bcc4441b5e48c57996ccf107bfc.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 352
  2⤵
  - Program crash
  PID:3540
- C:\Users\Admin\AppData\Local\Temp\3a24125bd8de40d3f513ea903a49a3d7b23d4bcc4441b5e48c57996ccf107bfc.exe
  C:\Users\Admin\AppData\Local\Temp\3a24125bd8de40d3f513ea903a49a3d7b23d4bcc4441b5e48c57996ccf107bfc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:5096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 344
    3⤵
    - Program crash
    PID:4696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 636
    3⤵
    - Program crash
    PID:2500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 628
    3⤵
    - Program crash
    PID:5000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 676
    3⤵
    - Program crash
    PID:1844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 720
    3⤵
    - Program crash
    PID:4372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 900
    3⤵
    - Program crash
    PID:1452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1400
    3⤵
    - Program crash
    PID:316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1420
    3⤵
    - Program crash
    PID:3920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1688
    3⤵
    - Program crash
    PID:2096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1468
    3⤵
    - Program crash
    PID:676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1460
    3⤵
    - Program crash
    PID:4536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1520
    3⤵
    - Program crash
    PID:2260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 640
    3⤵
    - Program crash
    PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2316 -ip 2316
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5096 -ip 5096
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5096 -ip 5096
1⤵
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5096 -ip 5096
1⤵
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5096 -ip 5096
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5096 -ip 5096
1⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5096 -ip 5096
1⤵
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5096 -ip 5096
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5096 -ip 5096
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5096 -ip 5096
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5096 -ip 5096
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5096 -ip 5096
1⤵
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5096 -ip 5096
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5096 -ip 5096
1⤵
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3a24125bd8de40d3f513ea903a49a3d7b23d4bcc4441b5e48c57996ccf107bfc.exe

Filesize
3.3MB

MD5
da50d6d9fd42a2bfac94a52e3f4d0c3e

SHA1
99a510e51166061b683343c794754d0addaf9fa5

SHA256
10152684557ea4071aed758db77b4084602d1bc713fc616149d597cc7bf7a6ed

SHA512
50ba061c6066065fa96468e172d60d6abe3fc2c6672a6cd6bfbec0c36ad3b9cb4e78a7d892215ea35be60306046587903e220d30bf385d7d326f489324fb7013

Download Submit
memory/2316-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2316-6-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/5096-7-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/5096-8-0x00000000050B0000-0x0000000005195000-memory.dmp

Filesize
916KB

Download
memory/5096-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/5096-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5096-19-0x000000000B9D0000-0x000000000BA73000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing