42be9d17b131f47e3d09b4041e18a696b644776bbed8ad6d12eae58bca1bbf57

General

Target

42be9d17b131f47e3d09b4041e18a696b644776bbed8ad6d12eae58bca1bbf57.exe
Size

3.3MB
MD5

15d0718deafddf7e74ed1f1c6d5c2573
SHA1

73e064626345f4953067c3b6642e347796c64b78
SHA256

42be9d17b131f47e3d09b4041e18a696b644776bbed8ad6d12eae58bca1bbf57
SHA512

68a9e77432ee88bb0f1bf750618af6b0256bf4069ef7707f735b43c83eedfb9b416f8475a3998a0a75cd785d8fe66e2a78b217ea64744a8bc0b621dbdee7afc0
SSDEEP

49152:kAsB/D3OQEY9gqgRbP77a4usjFu1gMZAP2p+fgbYUEksH+gJYUtuuLZmpYHd:kX3OpY6T7o0Fu1W8XEfYKlmpY9

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
832	42be9d17b131f47e3d09b4041e18a696b644776bbed8ad6d12eae58bca1bbf57.exe

Executes dropped EXE 1 IoCs

pid	Process
832	42be9d17b131f47e3d09b4041e18a696b644776bbed8ad6d12eae58bca1bbf57.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 13 IoCs

pid	pid_target	Process	procid_target
3840	832	WerFault.exe	98
1988	832	WerFault.exe	98
4208	832	WerFault.exe	98
4812	832	WerFault.exe	98
2052	832	WerFault.exe	98
5000	832	WerFault.exe	98
1232	832	WerFault.exe	98
3048	832	WerFault.exe	98
4528	832	WerFault.exe	98
5008	832	WerFault.exe	98
4248	832	WerFault.exe	98
4808	832	WerFault.exe	98
4488	832	WerFault.exe	98

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
832	42be9d17b131f47e3d09b4041e18a696b644776bbed8ad6d12eae58bca1bbf57.exe
832	42be9d17b131f47e3d09b4041e18a696b644776bbed8ad6d12eae58bca1bbf57.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3104	42be9d17b131f47e3d09b4041e18a696b644776bbed8ad6d12eae58bca1bbf57.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
832	42be9d17b131f47e3d09b4041e18a696b644776bbed8ad6d12eae58bca1bbf57.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 832	3104	42be9d17b131f47e3d09b4041e18a696b644776bbed8ad6d12eae58bca1bbf57.exe	98
PID 3104 wrote to memory of 832	3104	42be9d17b131f47e3d09b4041e18a696b644776bbed8ad6d12eae58bca1bbf57.exe	98
PID 3104 wrote to memory of 832	3104	42be9d17b131f47e3d09b4041e18a696b644776bbed8ad6d12eae58bca1bbf57.exe	98

C:\Users\Admin\AppData\Local\Temp\42be9d17b131f47e3d09b4041e18a696b644776bbed8ad6d12eae58bca1bbf57.exe
"C:\Users\Admin\AppData\Local\Temp\42be9d17b131f47e3d09b4041e18a696b644776bbed8ad6d12eae58bca1bbf57.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Users\Admin\AppData\Local\Temp\42be9d17b131f47e3d09b4041e18a696b644776bbed8ad6d12eae58bca1bbf57.exe
  C:\Users\Admin\AppData\Local\Temp\42be9d17b131f47e3d09b4041e18a696b644776bbed8ad6d12eae58bca1bbf57.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 344
    3⤵
    - Program crash
    PID:3840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 628
    3⤵
    - Program crash
    PID:1988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 668
    3⤵
    - Program crash
    PID:4208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 688
    3⤵
    - Program crash
    PID:4812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 728
    3⤵
    - Program crash
    PID:2052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 888
    3⤵
    - Program crash
    PID:5000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 1404
    3⤵
    - Program crash
    PID:1232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 1464
    3⤵
    - Program crash
    PID:3048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 1644
    3⤵
    - Program crash
    PID:4528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 1480
    3⤵
    - Program crash
    PID:5008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 1544
    3⤵
    - Program crash
    PID:4248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 1668
    3⤵
    - Program crash
    PID:4808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 1520
    3⤵
    - Program crash
    PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3104 -ip 3104
1⤵
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 832 -ip 832
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 832 -ip 832
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 832 -ip 832
1⤵
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 832 -ip 832
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 832 -ip 832
1⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 832 -ip 832
1⤵
PID:656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 832 -ip 832
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 832 -ip 832
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 832 -ip 832
1⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 832 -ip 832
1⤵
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 832 -ip 832
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 832 -ip 832
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 832 -ip 832
1⤵
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\42be9d17b131f47e3d09b4041e18a696b644776bbed8ad6d12eae58bca1bbf57.exe

Filesize
3.3MB

MD5
9ba9107c193a3f03a1efe4e26298dfbf

SHA1
4519b7355161e0b12d0cd9cb8ac34b512d5be451

SHA256
60f58e6d15161c5cfa3ef79b579edc0f00e233ebbf4fee741473d100b0181c66

SHA512
e77409cdfeed70e52f47b19ed4b401982a0f37a4d359a5786f994d6e3d37b54fffa9bac23e090174a40265c4449bbb2cf103b26f51acd35f31500fe5acb50d7e

Download Submit
memory/832-7-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/832-8-0x0000000004F90000-0x000000000509C000-memory.dmp

Filesize
1.0MB

Download
memory/832-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/832-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/832-24-0x000000000B9D0000-0x000000000BA73000-memory.dmp

Filesize
652KB

Download
memory/3104-0-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/3104-6-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing