cf73d15e76d0da3f31f6baf0d860c76cd22baaa870170b51b19cdb4c0ed56932

General

Target

cf73d15e76d0da3f31f6baf0d860c76cd22baaa870170b51b19cdb4c0ed56932.exe
Size

1.0MB
MD5

3a4786b0120f106747deaa7e059c02a0
SHA1

6d183f47de863d6044411e82d1a35779e900907b
SHA256

cf73d15e76d0da3f31f6baf0d860c76cd22baaa870170b51b19cdb4c0ed56932
SHA512

537dde6e66d0fdfce67ee934a3a674de3f5f0c9f49ed958064dd5c29f9586a4799384bd9ac1c23f038eb4a0d9d82bb745e157a46f21d704b2b4c58446762f13d
SSDEEP

24576:Qs+m1Ja4CQx7VqZkB8kv3Jw3cX6qUADtOk:Qd49p5TqsX1UEtH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
392	cf73d15e76d0da3f31f6baf0d860c76cd22baaa870170b51b19cdb4c0ed56932.exe

Executes dropped EXE 1 IoCs

pid	Process
392	cf73d15e76d0da3f31f6baf0d860c76cd22baaa870170b51b19cdb4c0ed56932.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 13 IoCs

pid	pid_target	Process	procid_target
1088	2632	WerFault.exe	83
4988	392	WerFault.exe	90
2868	392	WerFault.exe	90
3172	392	WerFault.exe	90
2860	392	WerFault.exe	90
2080	392	WerFault.exe	90
1628	392	WerFault.exe	90
4812	392	WerFault.exe	90
5048	392	WerFault.exe	90
2220	392	WerFault.exe	90
3400	392	WerFault.exe	90
1440	392	WerFault.exe	90
4428	392	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
392	cf73d15e76d0da3f31f6baf0d860c76cd22baaa870170b51b19cdb4c0ed56932.exe
392	cf73d15e76d0da3f31f6baf0d860c76cd22baaa870170b51b19cdb4c0ed56932.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2632	cf73d15e76d0da3f31f6baf0d860c76cd22baaa870170b51b19cdb4c0ed56932.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
392	cf73d15e76d0da3f31f6baf0d860c76cd22baaa870170b51b19cdb4c0ed56932.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 392	2632	cf73d15e76d0da3f31f6baf0d860c76cd22baaa870170b51b19cdb4c0ed56932.exe	90
PID 2632 wrote to memory of 392	2632	cf73d15e76d0da3f31f6baf0d860c76cd22baaa870170b51b19cdb4c0ed56932.exe	90
PID 2632 wrote to memory of 392	2632	cf73d15e76d0da3f31f6baf0d860c76cd22baaa870170b51b19cdb4c0ed56932.exe	90

C:\Users\Admin\AppData\Local\Temp\cf73d15e76d0da3f31f6baf0d860c76cd22baaa870170b51b19cdb4c0ed56932.exe
"C:\Users\Admin\AppData\Local\Temp\cf73d15e76d0da3f31f6baf0d860c76cd22baaa870170b51b19cdb4c0ed56932.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 344
  2⤵
  - Program crash
  PID:1088
- C:\Users\Admin\AppData\Local\Temp\cf73d15e76d0da3f31f6baf0d860c76cd22baaa870170b51b19cdb4c0ed56932.exe
  C:\Users\Admin\AppData\Local\Temp\cf73d15e76d0da3f31f6baf0d860c76cd22baaa870170b51b19cdb4c0ed56932.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 348
    3⤵
    - Program crash
    PID:4988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 620
    3⤵
    - Program crash
    PID:2868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 636
    3⤵
    - Program crash
    PID:3172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 636
    3⤵
    - Program crash
    PID:2860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 720
    3⤵
    - Program crash
    PID:2080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 896
    3⤵
    - Program crash
    PID:1628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 1400
    3⤵
    - Program crash
    PID:4812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 1412
    3⤵
    - Program crash
    PID:5048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 1492
    3⤵
    - Program crash
    PID:2220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 1460
    3⤵
    - Program crash
    PID:3400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 1512
    3⤵
    - Program crash
    PID:1440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 1048
    3⤵
    - Program crash
    PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2632 -ip 2632
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 392 -ip 392
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 392 -ip 392
1⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 392 -ip 392
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 392 -ip 392
1⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 392 -ip 392
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 392 -ip 392
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 392 -ip 392
1⤵
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 392 -ip 392
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 392 -ip 392
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 392 -ip 392
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 392 -ip 392
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 392 -ip 392
1⤵
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cf73d15e76d0da3f31f6baf0d860c76cd22baaa870170b51b19cdb4c0ed56932.exe

Filesize
1.0MB

MD5
241e9085597094d33138acd18f492c77

SHA1
4b6493a4fe2cc7f3d760fe06cd21daef0eab6c67

SHA256
5b9d5e8e741928a36d315c4672b35572cd35e4e7bd4374c6fb22a1f3f83b6fb4

SHA512
c4fc2d563529eced059ad1af7129a8ada0ef406dbc42f9e68470185fa717e8c412063e14ee42a37a0cc1276b0ea9fd7e2865c87dd0ac71cda4839f4c115ce702

Download Submit
memory/392-7-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/392-9-0x0000000005130000-0x000000000523E000-memory.dmp

Filesize
1.1MB

Download
memory/392-8-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/392-18-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/392-19-0x000000000BAF0000-0x000000000BBB0000-memory.dmp

Filesize
768KB

Download
memory/2632-0-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2632-6-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing