e53ee3d30ffedb00d3b5e5629b3caf375c42fa793752efeb1ae309ba8c99de4f

General

Target

e53ee3d30ffedb00d3b5e5629b3caf375c42fa793752efeb1ae309ba8c99de4f.exe
Size

1012KB
MD5

f9bfe127a4a419798b3d63f0e6b942ca
SHA1

155113ec82ceed19da52de49492686ff14d9e0e4
SHA256

e53ee3d30ffedb00d3b5e5629b3caf375c42fa793752efeb1ae309ba8c99de4f
SHA512

d31551e401d4da013d825bf6989e9b517b2dac3f4da6d49cd21a65cffb628d8d20af4e930ea1a1e0f17b25e343461ffba9ee456aee6bffdeca8bd5b9dc707b04
SSDEEP

24576:quSlqFw3kb/s5/5o59ojMKQISIiIVSa/ZSL77Lv+f6T8E:quSl5UbgtMB8iIEgwbD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3616	e53ee3d30ffedb00d3b5e5629b3caf375c42fa793752efeb1ae309ba8c99de4f.exe

Executes dropped EXE 1 IoCs

pid	Process
3616	e53ee3d30ffedb00d3b5e5629b3caf375c42fa793752efeb1ae309ba8c99de4f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 14 IoCs

pid	pid_target	Process	procid_target
4556	4060	WerFault.exe	85
4948	3616	WerFault.exe	93
1064	3616	WerFault.exe	93
3064	3616	WerFault.exe	93
1264	3616	WerFault.exe	93
5116	3616	WerFault.exe	93
1284	3616	WerFault.exe	93
3368	3616	WerFault.exe	93
2352	3616	WerFault.exe	93
2172	3616	WerFault.exe	93
3416	3616	WerFault.exe	93
1280	3616	WerFault.exe	93
4192	3616	WerFault.exe	93
1924	3616	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3616	e53ee3d30ffedb00d3b5e5629b3caf375c42fa793752efeb1ae309ba8c99de4f.exe
3616	e53ee3d30ffedb00d3b5e5629b3caf375c42fa793752efeb1ae309ba8c99de4f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4060	e53ee3d30ffedb00d3b5e5629b3caf375c42fa793752efeb1ae309ba8c99de4f.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3616	e53ee3d30ffedb00d3b5e5629b3caf375c42fa793752efeb1ae309ba8c99de4f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 3616	4060	e53ee3d30ffedb00d3b5e5629b3caf375c42fa793752efeb1ae309ba8c99de4f.exe	93
PID 4060 wrote to memory of 3616	4060	e53ee3d30ffedb00d3b5e5629b3caf375c42fa793752efeb1ae309ba8c99de4f.exe	93
PID 4060 wrote to memory of 3616	4060	e53ee3d30ffedb00d3b5e5629b3caf375c42fa793752efeb1ae309ba8c99de4f.exe	93

C:\Users\Admin\AppData\Local\Temp\e53ee3d30ffedb00d3b5e5629b3caf375c42fa793752efeb1ae309ba8c99de4f.exe
"C:\Users\Admin\AppData\Local\Temp\e53ee3d30ffedb00d3b5e5629b3caf375c42fa793752efeb1ae309ba8c99de4f.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 352
  2⤵
  - Program crash
  PID:4556
- C:\Users\Admin\AppData\Local\Temp\e53ee3d30ffedb00d3b5e5629b3caf375c42fa793752efeb1ae309ba8c99de4f.exe
  C:\Users\Admin\AppData\Local\Temp\e53ee3d30ffedb00d3b5e5629b3caf375c42fa793752efeb1ae309ba8c99de4f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:3616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 344
    3⤵
    - Program crash
    PID:4948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 616
    3⤵
    - Program crash
    PID:1064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 668
    3⤵
    - Program crash
    PID:3064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 668
    3⤵
    - Program crash
    PID:1264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 688
    3⤵
    - Program crash
    PID:5116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 944
    3⤵
    - Program crash
    PID:1284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 1400
    3⤵
    - Program crash
    PID:3368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 1452
    3⤵
    - Program crash
    PID:2352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 1684
    3⤵
    - Program crash
    PID:2172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 1468
    3⤵
    - Program crash
    PID:3416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 1484
    3⤵
    - Program crash
    PID:1280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 1508
    3⤵
    - Program crash
    PID:4192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 664
    3⤵
    - Program crash
    PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4060 -ip 4060
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3616 -ip 3616
1⤵
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3616 -ip 3616
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3616 -ip 3616
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3616 -ip 3616
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3616 -ip 3616
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3616 -ip 3616
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3616 -ip 3616
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3616 -ip 3616
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3616 -ip 3616
1⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3616 -ip 3616
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3616 -ip 3616
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3616 -ip 3616
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3616 -ip 3616
1⤵
PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e53ee3d30ffedb00d3b5e5629b3caf375c42fa793752efeb1ae309ba8c99de4f.exe

Filesize
1012KB

MD5
f2b8ec24a740b9ab31e1e145fbd18654

SHA1
3e36be0daf35f46ac7cdaff3a20717d8096e91e5

SHA256
c84a342b0d352f59ce14e6bec8c9e7754a97f04a97f19984c53d487da58e822e

SHA512
21ebb1ece24a057936c46aea574ccab478bdf960792915b512edb338ac47be4bc89b2653bb1f7744fb4a62e48c7a6ae2a22b8f2fb12571a5c9c9218f58c29731

Download Submit
memory/3616-7-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3616-8-0x00000000051B0000-0x0000000005295000-memory.dmp

Filesize
916KB

Download
memory/3616-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3616-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3616-21-0x000000000BA10000-0x000000000BAB3000-memory.dmp

Filesize
652KB

Download
memory/4060-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4060-6-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download

Analysis

Sharing