380eb59ed23a813fe5f0aed034b140c78c18f27515ebb16207d2a0e3c4f34576

General

Target

380eb59ed23a813fe5f0aed034b140c78c18f27515ebb16207d2a0e3c4f34576.exe
Size

3.0MB
MD5

376a49a832884a682712a3e275eaf0b5
SHA1

989320065e02df72da404166cfdaa6b4237e318f
SHA256

380eb59ed23a813fe5f0aed034b140c78c18f27515ebb16207d2a0e3c4f34576
SHA512

4c35d48e593e8e732f0e3c5a68182cb888c9949e71f91d598f16c824d7aa33aba341e00faee6c86f9cad8f74488994d3a0a3d6c78ee4a2059251e370547e8ed1
SSDEEP

49152:xIrk7QA9OgRbP77a4usjFu1gMZAP2p+fgbYUEksH+gJYUtuuLZz:xmkL9bT7o0Fu1W8XEfYKlz

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2264	380eb59ed23a813fe5f0aed034b140c78c18f27515ebb16207d2a0e3c4f34576.exe

Executes dropped EXE 1 IoCs

pid	Process
2264	380eb59ed23a813fe5f0aed034b140c78c18f27515ebb16207d2a0e3c4f34576.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 13 IoCs

pid	pid_target	Process	procid_target
1256	4660	WerFault.exe	19
1216	2264	WerFault.exe	91
4412	2264	WerFault.exe	91
4588	2264	WerFault.exe	91
2196	2264	WerFault.exe	91
1016	2264	WerFault.exe	91
2420	2264	WerFault.exe	91
4060	2264	WerFault.exe	91
3716	2264	WerFault.exe	91
1668	2264	WerFault.exe	91
2492	2264	WerFault.exe	91
1064	2264	WerFault.exe	91
4580	2264	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2264	380eb59ed23a813fe5f0aed034b140c78c18f27515ebb16207d2a0e3c4f34576.exe
2264	380eb59ed23a813fe5f0aed034b140c78c18f27515ebb16207d2a0e3c4f34576.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4660	380eb59ed23a813fe5f0aed034b140c78c18f27515ebb16207d2a0e3c4f34576.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2264	380eb59ed23a813fe5f0aed034b140c78c18f27515ebb16207d2a0e3c4f34576.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 2264	4660	380eb59ed23a813fe5f0aed034b140c78c18f27515ebb16207d2a0e3c4f34576.exe	91
PID 4660 wrote to memory of 2264	4660	380eb59ed23a813fe5f0aed034b140c78c18f27515ebb16207d2a0e3c4f34576.exe	91
PID 4660 wrote to memory of 2264	4660	380eb59ed23a813fe5f0aed034b140c78c18f27515ebb16207d2a0e3c4f34576.exe	91

C:\Users\Admin\AppData\Local\Temp\380eb59ed23a813fe5f0aed034b140c78c18f27515ebb16207d2a0e3c4f34576.exe
"C:\Users\Admin\AppData\Local\Temp\380eb59ed23a813fe5f0aed034b140c78c18f27515ebb16207d2a0e3c4f34576.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 344
  2⤵
  - Program crash
  PID:1256
- C:\Users\Admin\AppData\Local\Temp\380eb59ed23a813fe5f0aed034b140c78c18f27515ebb16207d2a0e3c4f34576.exe
  C:\Users\Admin\AppData\Local\Temp\380eb59ed23a813fe5f0aed034b140c78c18f27515ebb16207d2a0e3c4f34576.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 348
    3⤵
    - Program crash
    PID:1216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 628
    3⤵
    - Program crash
    PID:4412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 628
    3⤵
    - Program crash
    PID:4588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 668
    3⤵
    - Program crash
    PID:2196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 728
    3⤵
    - Program crash
    PID:1016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 944
    3⤵
    - Program crash
    PID:2420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1408
    3⤵
    - Program crash
    PID:4060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1420
    3⤵
    - Program crash
    PID:3716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1476
    3⤵
    - Program crash
    PID:1668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1656
    3⤵
    - Program crash
    PID:2492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1644
    3⤵
    - Program crash
    PID:1064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 632
    3⤵
    - Program crash
    PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4660 -ip 4660
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2264 -ip 2264
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2264 -ip 2264
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2264 -ip 2264
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2264 -ip 2264
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2264 -ip 2264
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2264 -ip 2264
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2264 -ip 2264
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2264 -ip 2264
1⤵
PID:496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2264 -ip 2264
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2264 -ip 2264
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2264 -ip 2264
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2264 -ip 2264
1⤵
PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\380eb59ed23a813fe5f0aed034b140c78c18f27515ebb16207d2a0e3c4f34576.exe

Filesize
3.0MB

MD5
54f01145fd13b03784c03b2fd71d9bc0

SHA1
5365c2fb1712553a2bace73ed5a21f93e371b3f0

SHA256
be38a0d574f05b29c5725d380ddc89b64c67798c2ff3c7f02de1b1723d5a104d

SHA512
2748af8e7226ae5447d9015e412555ecfeb4fe0f8e20696982a7355ac395a4d8f95af2487916c90906408fba3b580e6dae4360edb861b2db8bfbeac8a203da5c

Download Submit
memory/2264-6-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2264-8-0x00000000050C0000-0x00000000051A4000-memory.dmp

Filesize
912KB

Download
memory/2264-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2264-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2264-20-0x000000000B9B0000-0x000000000BA53000-memory.dmp

Filesize
652KB

Download
memory/4660-0-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/4660-7-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download

Analysis

Sharing