217d560134344a4830be4255e92ee961d8288c82a092917d4a5cfa24177fd230

General

Target

217d560134344a4830be4255e92ee961d8288c82a092917d4a5cfa24177fd230.exe
Size

879KB
MD5

86e0e2263ee0b776e1c9caabc61de810
SHA1

c8c3ecf598deb1fd7114b65950c54fe0b6bfdb7f
SHA256

217d560134344a4830be4255e92ee961d8288c82a092917d4a5cfa24177fd230
SHA512

aa4cb498662c722ea5b56a12a1139dead5528bc17fd42d478ca4d5c3c832ab662a14396a3c8b92d331f301d417778191160e8b25d2938be3e2f56de1d019bb13
SSDEEP

12288:1lWtL64Vu3gf3kdXpT4iqLCS8nT4p+HHD0rzDz/K31zsj13SuwbxoFjVDa/ZS1:H0LqwfuT4TLCSb+2W3BsIuwlo7a/ZS1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4584	217d560134344a4830be4255e92ee961d8288c82a092917d4a5cfa24177fd230.exe

Executes dropped EXE 1 IoCs

pid	Process
4584	217d560134344a4830be4255e92ee961d8288c82a092917d4a5cfa24177fd230.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 13 IoCs

pid	pid_target	Process	procid_target
1208	4976	WerFault.exe	85
4020	4584	WerFault.exe	94
4024	4584	WerFault.exe	94
1708	4584	WerFault.exe	94
1856	4584	WerFault.exe	94
1472	4584	WerFault.exe	94
4116	4584	WerFault.exe	94
4860	4584	WerFault.exe	94
2980	4584	WerFault.exe	94
4800	4584	WerFault.exe	94
5072	4584	WerFault.exe	94
4200	4584	WerFault.exe	94
564	4584	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4584	217d560134344a4830be4255e92ee961d8288c82a092917d4a5cfa24177fd230.exe
4584	217d560134344a4830be4255e92ee961d8288c82a092917d4a5cfa24177fd230.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4976	217d560134344a4830be4255e92ee961d8288c82a092917d4a5cfa24177fd230.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4584	217d560134344a4830be4255e92ee961d8288c82a092917d4a5cfa24177fd230.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 4584	4976	217d560134344a4830be4255e92ee961d8288c82a092917d4a5cfa24177fd230.exe	94
PID 4976 wrote to memory of 4584	4976	217d560134344a4830be4255e92ee961d8288c82a092917d4a5cfa24177fd230.exe	94
PID 4976 wrote to memory of 4584	4976	217d560134344a4830be4255e92ee961d8288c82a092917d4a5cfa24177fd230.exe	94

C:\Users\Admin\AppData\Local\Temp\217d560134344a4830be4255e92ee961d8288c82a092917d4a5cfa24177fd230.exe
"C:\Users\Admin\AppData\Local\Temp\217d560134344a4830be4255e92ee961d8288c82a092917d4a5cfa24177fd230.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 344
  2⤵
  - Program crash
  PID:1208
- C:\Users\Admin\AppData\Local\Temp\217d560134344a4830be4255e92ee961d8288c82a092917d4a5cfa24177fd230.exe
  C:\Users\Admin\AppData\Local\Temp\217d560134344a4830be4255e92ee961d8288c82a092917d4a5cfa24177fd230.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 344
    3⤵
    - Program crash
    PID:4020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 640
    3⤵
    - Program crash
    PID:4024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 668
    3⤵
    - Program crash
    PID:1708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 716
    3⤵
    - Program crash
    PID:1856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 760
    3⤵
    - Program crash
    PID:1472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 920
    3⤵
    - Program crash
    PID:4116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1408
    3⤵
    - Program crash
    PID:4860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1420
    3⤵
    - Program crash
    PID:2980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1468
    3⤵
    - Program crash
    PID:4800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1532
    3⤵
    - Program crash
    PID:5072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1644
    3⤵
    - Program crash
    PID:4200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 636
    3⤵
    - Program crash
    PID:564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4976 -ip 4976
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4584 -ip 4584
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4584 -ip 4584
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4584 -ip 4584
1⤵
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4584 -ip 4584
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4584 -ip 4584
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4584 -ip 4584
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4584 -ip 4584
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4584 -ip 4584
1⤵
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4584 -ip 4584
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4584 -ip 4584
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4584 -ip 4584
1⤵
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4584 -ip 4584
1⤵
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\217d560134344a4830be4255e92ee961d8288c82a092917d4a5cfa24177fd230.exe

Filesize
879KB

MD5
775cb1c282e2fae691f191ccf9a1270a

SHA1
0c5eab5d1342692d6cdec90e48c3fcb465bac13f

SHA256
0c9a89f7cd720cd3d53ad5ef55a4e1bdc94ece19c9d2654920e8ac8fdd649159

SHA512
6058ae09a5e3635cd333877460760176b1753535f2b52c22efc85e11e1577f2d26fed5c8578288630d6d8a3bf90ac22df3dc16dfc4ebaf7a776831b5d7b2cdad

Download Submit
memory/4584-7-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/4584-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4584-10-0x0000000004FD0000-0x00000000050B4000-memory.dmp

Filesize
912KB

Download
memory/4584-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4584-21-0x000000000C9F0000-0x000000000CA93000-memory.dmp

Filesize
652KB

Download
memory/4976-0-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/4976-6-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download

Analysis

Sharing