4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474

General

Target

4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe
Size

2.1MB
MD5

9e5b8bd11d639d2c2a8b5847011260c9
SHA1

3ced05bb135af8ab9bc78bdf0f7085faa62bcc19
SHA256

4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474
SHA512

43da35faffeb8c6964ddc8b31872bf6db0dd3983dc6bedeaf4bbda5c21b9f60efef2e43d3ca9f80e158f42b3d9c43235016dfc9a5e8eae64f9c2a3817629483f
SSDEEP

49152:eYsjh8tjYNswedQNvvrueSnjECzs/EtL+U14w+loiTFd69/EtH:wOKedQ5unj0oM6e

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3880	4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe

Executes dropped EXE 1 IoCs

pid	Process
3880	4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 13 IoCs

pid	pid_target	Process	procid_target
2884	2876	WerFault.exe	85
2680	3880	WerFault.exe	95
4804	3880	WerFault.exe	95
2556	3880	WerFault.exe	95
3816	3880	WerFault.exe	95
116	3880	WerFault.exe	95
1488	3880	WerFault.exe	95
552	3880	WerFault.exe	95
4292	3880	WerFault.exe	95
1208	3880	WerFault.exe	95
4928	3880	WerFault.exe	95
4708	3880	WerFault.exe	95
812	3880	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3880	4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe
3880	4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2876	4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3880	4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 3880	2876	4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe	95
PID 2876 wrote to memory of 3880	2876	4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe	95
PID 2876 wrote to memory of 3880	2876	4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe	95

C:\Users\Admin\AppData\Local\Temp\4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe
"C:\Users\Admin\AppData\Local\Temp\4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 344
  2⤵
  - Program crash
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe
  C:\Users\Admin\AppData\Local\Temp\4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:3880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 344
    3⤵
    - Program crash
    PID:2680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 636
    3⤵
    - Program crash
    PID:4804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 644
    3⤵
    - Program crash
    PID:2556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 644
    3⤵
    - Program crash
    PID:3816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 688
    3⤵
    - Program crash
    PID:116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 936
    3⤵
    - Program crash
    PID:1488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1396
    3⤵
    - Program crash
    PID:552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1392
    3⤵
    - Program crash
    PID:4292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1492
    3⤵
    - Program crash
    PID:1208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1720
    3⤵
    - Program crash
    PID:4928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1700
    3⤵
    - Program crash
    PID:4708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1108
    3⤵
    - Program crash
    PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2876 -ip 2876
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3880 -ip 3880
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3880 -ip 3880
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3880 -ip 3880
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3880 -ip 3880
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3880 -ip 3880
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3880 -ip 3880
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3880 -ip 3880
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3880 -ip 3880
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3880 -ip 3880
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3880 -ip 3880
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3880 -ip 3880
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3880 -ip 3880
1⤵
PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe

Filesize
2.1MB

MD5
800295b92b8f6449b5da6876d0b204b6

SHA1
a7120b92be6c821e6327220ca0f72820b4abe277

SHA256
7c7a01c47ebc721d61806c9d5d04492617ba225eaca1edfbfbc72742bb67b1a1

SHA512
41dd3f8c7d72b90d2a54060cf1fb831d1e92595f34721d78249a7886f30795b435dcf4bbf9f8ea3db300743ce6b1ec45fa70c6055541c191dff8abaa7eba961a

Download Submit
memory/2876-0-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2876-6-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3880-7-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3880-8-0x0000000004FC0000-0x00000000050CE000-memory.dmp

Filesize
1.1MB

Download
memory/3880-9-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3880-19-0x000000000BAF0000-0x000000000BBB0000-memory.dmp

Filesize
768KB

Download
memory/3880-18-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing