1e69035da18110b6e083498ed1899baa5dda686b86a73a28816c3c68d722a1ce

General

Target

1e69035da18110b6e083498ed1899baa5dda686b86a73a28816c3c68d722a1ce.exe
Size

1.1MB
MD5

4ab3eef9c90334679506f90095f2f4f4
SHA1

3d8722a74f2178513f84464bcdb32ebf1090d69f
SHA256

1e69035da18110b6e083498ed1899baa5dda686b86a73a28816c3c68d722a1ce
SHA512

af13f921327e5a06ed50d4ad21b7c627613a5c885cf60bfbf198421fc56a0a303b2c2fcd1fef8068908b24f758e9f8be8c9f5517a53dfd4f3476628417711be3
SSDEEP

24576:U08OZQ5CZCoCACSu/d3IAmkC1x4z480fNI:U0NZhWd3IlXO48KK

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4084	1e69035da18110b6e083498ed1899baa5dda686b86a73a28816c3c68d722a1ce.exe

Executes dropped EXE 1 IoCs

pid	Process
4084	1e69035da18110b6e083498ed1899baa5dda686b86a73a28816c3c68d722a1ce.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 13 IoCs

pid	pid_target	Process	procid_target
2148	416	WerFault.exe	83
632	4084	WerFault.exe	91
4548	4084	WerFault.exe	91
5024	4084	WerFault.exe	91
4872	4084	WerFault.exe	91
4656	4084	WerFault.exe	91
688	4084	WerFault.exe	91
5076	4084	WerFault.exe	91
2168	4084	WerFault.exe	91
3960	4084	WerFault.exe	91
3912	4084	WerFault.exe	91
3028	4084	WerFault.exe	91
4828	4084	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4084	1e69035da18110b6e083498ed1899baa5dda686b86a73a28816c3c68d722a1ce.exe
4084	1e69035da18110b6e083498ed1899baa5dda686b86a73a28816c3c68d722a1ce.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
416	1e69035da18110b6e083498ed1899baa5dda686b86a73a28816c3c68d722a1ce.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4084	1e69035da18110b6e083498ed1899baa5dda686b86a73a28816c3c68d722a1ce.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 416 wrote to memory of 4084	416	1e69035da18110b6e083498ed1899baa5dda686b86a73a28816c3c68d722a1ce.exe	91
PID 416 wrote to memory of 4084	416	1e69035da18110b6e083498ed1899baa5dda686b86a73a28816c3c68d722a1ce.exe	91
PID 416 wrote to memory of 4084	416	1e69035da18110b6e083498ed1899baa5dda686b86a73a28816c3c68d722a1ce.exe	91

C:\Users\Admin\AppData\Local\Temp\1e69035da18110b6e083498ed1899baa5dda686b86a73a28816c3c68d722a1ce.exe
"C:\Users\Admin\AppData\Local\Temp\1e69035da18110b6e083498ed1899baa5dda686b86a73a28816c3c68d722a1ce.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 352
  2⤵
  - Program crash
  PID:2148
- C:\Users\Admin\AppData\Local\Temp\1e69035da18110b6e083498ed1899baa5dda686b86a73a28816c3c68d722a1ce.exe
  C:\Users\Admin\AppData\Local\Temp\1e69035da18110b6e083498ed1899baa5dda686b86a73a28816c3c68d722a1ce.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 344
    3⤵
    - Program crash
    PID:632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 628
    3⤵
    - Program crash
    PID:4548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 636
    3⤵
    - Program crash
    PID:5024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 660
    3⤵
    - Program crash
    PID:4872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 720
    3⤵
    - Program crash
    PID:4656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 928
    3⤵
    - Program crash
    PID:688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 1392
    3⤵
    - Program crash
    PID:5076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 1468
    3⤵
    - Program crash
    PID:2168
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 1436
    3⤵
    - Program crash
    PID:3960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 1448
    3⤵
    - Program crash
    PID:3912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 1512
    3⤵
    - Program crash
    PID:3028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 652
    3⤵
    - Program crash
    PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 416 -ip 416
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4084 -ip 4084
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4084 -ip 4084
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4084 -ip 4084
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4084 -ip 4084
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4084 -ip 4084
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4084 -ip 4084
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4084 -ip 4084
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4084 -ip 4084
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4084 -ip 4084
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4084 -ip 4084
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4084 -ip 4084
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4084 -ip 4084
1⤵
PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1e69035da18110b6e083498ed1899baa5dda686b86a73a28816c3c68d722a1ce.exe

Filesize
1.1MB

MD5
0ad1cb3d82aa4bce677ceeb79ede57ad

SHA1
57eb54b702cea00f4ce4e74848be520ce02cbca5

SHA256
1e21bc6a2cccbc65537c9825f1562b3023839358565149e42580287bd966cddf

SHA512
55a8b24a5de70232573c8dec386b0146fd510d83ad008ddadf1db795672ffff31e700ee2f11cfbf76568b717de41561e70824c06f889806d0f93275df3b535a1

Download Submit
memory/416-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/416-6-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4084-7-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4084-9-0x0000000005020000-0x0000000005134000-memory.dmp

Filesize
1.1MB

Download
memory/4084-8-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4084-18-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4084-19-0x000000000BB10000-0x000000000BBD4000-memory.dmp

Filesize
784KB

Download

Analysis

Sharing