5a499e1f5c1aeaa0e290b04cf373ecb7127f20b077a6f2838a6656aaf38fe5c3

General

Target

5a499e1f5c1aeaa0e290b04cf373ecb7127f20b077a6f2838a6656aaf38fe5c3.exe
Size

883KB
MD5

ea4529291f7ac8cdcb25ba807b7d2255
SHA1

05b37f01bdd996193c20c1a01c703f1d6a7f6108
SHA256

5a499e1f5c1aeaa0e290b04cf373ecb7127f20b077a6f2838a6656aaf38fe5c3
SHA512

386d92d5ce0fb7831b010f31b036a2d443e9add5f3dcddd438d16c5e76497f8d155cda43cb1b79886955f71bbf126d3f3c7c064f67134a08b106f378ee5f26cc
SSDEEP

24576:q3Y4kl109FMq/ps4eCEdhZuf04O1wn4+a/ZS:qo14RpsKEdhsc4O1Ig

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4460	5a499e1f5c1aeaa0e290b04cf373ecb7127f20b077a6f2838a6656aaf38fe5c3.exe

Executes dropped EXE 1 IoCs

pid	Process
4460	5a499e1f5c1aeaa0e290b04cf373ecb7127f20b077a6f2838a6656aaf38fe5c3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 13 IoCs

pid	pid_target	Process	procid_target
388	396	WerFault.exe	87
3864	4460	WerFault.exe	94
4596	4460	WerFault.exe	94
2764	4460	WerFault.exe	94
456	4460	WerFault.exe	94
1428	4460	WerFault.exe	94
1752	4460	WerFault.exe	94
3800	4460	WerFault.exe	94
4284	4460	WerFault.exe	94
2316	4460	WerFault.exe	94
2228	4460	WerFault.exe	94
2844	4460	WerFault.exe	94
3268	4460	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4460	5a499e1f5c1aeaa0e290b04cf373ecb7127f20b077a6f2838a6656aaf38fe5c3.exe
4460	5a499e1f5c1aeaa0e290b04cf373ecb7127f20b077a6f2838a6656aaf38fe5c3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
396	5a499e1f5c1aeaa0e290b04cf373ecb7127f20b077a6f2838a6656aaf38fe5c3.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4460	5a499e1f5c1aeaa0e290b04cf373ecb7127f20b077a6f2838a6656aaf38fe5c3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 4460	396	5a499e1f5c1aeaa0e290b04cf373ecb7127f20b077a6f2838a6656aaf38fe5c3.exe	94
PID 396 wrote to memory of 4460	396	5a499e1f5c1aeaa0e290b04cf373ecb7127f20b077a6f2838a6656aaf38fe5c3.exe	94
PID 396 wrote to memory of 4460	396	5a499e1f5c1aeaa0e290b04cf373ecb7127f20b077a6f2838a6656aaf38fe5c3.exe	94

C:\Users\Admin\AppData\Local\Temp\5a499e1f5c1aeaa0e290b04cf373ecb7127f20b077a6f2838a6656aaf38fe5c3.exe
"C:\Users\Admin\AppData\Local\Temp\5a499e1f5c1aeaa0e290b04cf373ecb7127f20b077a6f2838a6656aaf38fe5c3.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 352
  2⤵
  - Program crash
  PID:388
- C:\Users\Admin\AppData\Local\Temp\5a499e1f5c1aeaa0e290b04cf373ecb7127f20b077a6f2838a6656aaf38fe5c3.exe
  C:\Users\Admin\AppData\Local\Temp\5a499e1f5c1aeaa0e290b04cf373ecb7127f20b077a6f2838a6656aaf38fe5c3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 344
    3⤵
    - Program crash
    PID:3864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 636
    3⤵
    - Program crash
    PID:4596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 668
    3⤵
    - Program crash
    PID:2764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 668
    3⤵
    - Program crash
    PID:456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 764
    3⤵
    - Program crash
    PID:1428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 900
    3⤵
    - Program crash
    PID:1752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1400
    3⤵
    - Program crash
    PID:3800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1472
    3⤵
    - Program crash
    PID:4284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1488
    3⤵
    - Program crash
    PID:2316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1512
    3⤵
    - Program crash
    PID:2228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1504
    3⤵
    - Program crash
    PID:2844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 640
    3⤵
    - Program crash
    PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 396 -ip 396
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4460 -ip 4460
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4460 -ip 4460
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4460 -ip 4460
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4460 -ip 4460
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4460 -ip 4460
1⤵
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4460 -ip 4460
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4460 -ip 4460
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4460 -ip 4460
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4460 -ip 4460
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4460 -ip 4460
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4460 -ip 4460
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4460 -ip 4460
1⤵
PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5a499e1f5c1aeaa0e290b04cf373ecb7127f20b077a6f2838a6656aaf38fe5c3.exe

Filesize
883KB

MD5
4fe1928fe06bd36c937362ea1d22700d

SHA1
7f49c6d5c23e9ee408522d87ce2390ae86a6760e

SHA256
005c2a83cdb1e3db18708196b092c86a47166d056e1543c92032ba623e8a13b8

SHA512
d5e092c91a272e51baefa9d75a68ecef16b1c2b54b37511532876a258a39c9a8069c48281e7fde78974dc56589cb819bf854a7ad2b76ac6439fa015414cbd0b2

Download Submit
memory/396-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/396-7-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4460-6-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4460-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4460-8-0x0000000001550000-0x0000000001635000-memory.dmp

Filesize
916KB

Download
memory/4460-20-0x000000000B9D0000-0x000000000BA73000-memory.dmp

Filesize
652KB

Download
memory/4460-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing