cdbbf666b85cf7782c71612315a1413b67772a445f8cd0a9238bbf595f7523b0

General

Target

cdbbf666b85cf7782c71612315a1413b67772a445f8cd0a9238bbf595f7523b0.exe
Size

832KB
MD5

f1d2852e595418213505c3e30680ba36
SHA1

950feaf29dfe3154aab85fc09d46142f2c3a152b
SHA256

cdbbf666b85cf7782c71612315a1413b67772a445f8cd0a9238bbf595f7523b0
SHA512

d409d6b7d002e3caf59034c65ac79b55c065f6006b4a354afb5f40212598cc1c1852deed84aabcd7aa9cedc46a969d893ab520e7b11664770df43e59e414154f
SSDEEP

12288:ybPyrea3cWkYLZGuLt1Es9yUvpkEVRSw6OttkqHBzjE:APyndN0unyUv1Rp5Bzg

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1436	cdbbf666b85cf7782c71612315a1413b67772a445f8cd0a9238bbf595f7523b0.exe

Executes dropped EXE 1 IoCs

pid	Process
1436	cdbbf666b85cf7782c71612315a1413b67772a445f8cd0a9238bbf595f7523b0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 13 IoCs

pid	pid_target	Process	procid_target
1416	3612	WerFault.exe	36
432	1436	WerFault.exe	94
2304	1436	WerFault.exe	94
1888	1436	WerFault.exe	94
2340	1436	WerFault.exe	94
2836	1436	WerFault.exe	94
740	1436	WerFault.exe	94
1288	1436	WerFault.exe	94
3988	1436	WerFault.exe	94
2132	1436	WerFault.exe	94
1416	1436	WerFault.exe	94
4368	1436	WerFault.exe	94
4696	1436	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1436	cdbbf666b85cf7782c71612315a1413b67772a445f8cd0a9238bbf595f7523b0.exe
1436	cdbbf666b85cf7782c71612315a1413b67772a445f8cd0a9238bbf595f7523b0.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3612	cdbbf666b85cf7782c71612315a1413b67772a445f8cd0a9238bbf595f7523b0.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1436	cdbbf666b85cf7782c71612315a1413b67772a445f8cd0a9238bbf595f7523b0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 1436	3612	cdbbf666b85cf7782c71612315a1413b67772a445f8cd0a9238bbf595f7523b0.exe	94
PID 3612 wrote to memory of 1436	3612	cdbbf666b85cf7782c71612315a1413b67772a445f8cd0a9238bbf595f7523b0.exe	94
PID 3612 wrote to memory of 1436	3612	cdbbf666b85cf7782c71612315a1413b67772a445f8cd0a9238bbf595f7523b0.exe	94

C:\Users\Admin\AppData\Local\Temp\cdbbf666b85cf7782c71612315a1413b67772a445f8cd0a9238bbf595f7523b0.exe
"C:\Users\Admin\AppData\Local\Temp\cdbbf666b85cf7782c71612315a1413b67772a445f8cd0a9238bbf595f7523b0.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 352
  2⤵
  - Program crash
  PID:1416
- C:\Users\Admin\AppData\Local\Temp\cdbbf666b85cf7782c71612315a1413b67772a445f8cd0a9238bbf595f7523b0.exe
  C:\Users\Admin\AppData\Local\Temp\cdbbf666b85cf7782c71612315a1413b67772a445f8cd0a9238bbf595f7523b0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 356
    3⤵
    - Program crash
    PID:432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 636
    3⤵
    - Program crash
    PID:2304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 672
    3⤵
    - Program crash
    PID:1888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 660
    3⤵
    - Program crash
    PID:2340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 736
    3⤵
    - Program crash
    PID:2836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 904
    3⤵
    - Program crash
    PID:740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1396
    3⤵
    - Program crash
    PID:1288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1484
    3⤵
    - Program crash
    PID:3988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1524
    3⤵
    - Program crash
    PID:2132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1504
    3⤵
    - Program crash
    PID:1416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1676
    3⤵
    - Program crash
    PID:4368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 640
    3⤵
    - Program crash
    PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3612 -ip 3612
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1436 -ip 1436
1⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1436 -ip 1436
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1436 -ip 1436
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1436 -ip 1436
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1436 -ip 1436
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1436 -ip 1436
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1436 -ip 1436
1⤵
PID:572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1436 -ip 1436
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1436 -ip 1436
1⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1436 -ip 1436
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1436 -ip 1436
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1436 -ip 1436
1⤵
PID:660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cdbbf666b85cf7782c71612315a1413b67772a445f8cd0a9238bbf595f7523b0.exe

Filesize
832KB

MD5
b149cfb6e597fa5ac2a9ae9f257f92ca

SHA1
833b6f8694efb9b89f5a97894b9f4996df15f6a1

SHA256
525fe0e48535c1fc186fdb3600fabfd562778ce12bd9b2b33f5adba3e7266af3

SHA512
4a72c1ed1da7fe68f16deb3d77f91da3aa40179829711d27b3a400f389a06062659380b043785d78fb55672e5d373b94f3c3e51707456b125fa0becd8b71c7f9

Download Submit
memory/1436-7-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1436-8-0x0000000004FA0000-0x0000000005072000-memory.dmp

Filesize
840KB

Download
memory/1436-9-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1436-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1436-19-0x000000000B990000-0x000000000BA28000-memory.dmp

Filesize
608KB

Download
memory/3612-0-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3612-6-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download

Analysis

Sharing