a02879c2ed78b8079b85ae4fc1ed2cd3198f1e9f8d83b864f7734c67f3feedae

General

Target

a02879c2ed78b8079b85ae4fc1ed2cd3198f1e9f8d83b864f7734c67f3feedae.exe
Size

4.0MB
MD5

a36419c388ee0297b88226ad1bb9eaa1
SHA1

158ba0f3f35f50f8d45be5e128a19ce472942f85
SHA256

a02879c2ed78b8079b85ae4fc1ed2cd3198f1e9f8d83b864f7734c67f3feedae
SHA512

e0b330fdcd146f176e7bffb42cb96e635267fded3b07e9f5f28e7934bf8326c7647920c910cf0b62ccc7d28e484eab10a3d6bfa10df5d15bd22409363bc66fdb
SSDEEP

49152:3RMOyk5TpnskRAi+1ghbq4TTow+lsghbyV8qXdTt/P9afxiMghbq4TTow+lsghbD:Jp92chTWROV8qtx9aYhTWRH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
732	a02879c2ed78b8079b85ae4fc1ed2cd3198f1e9f8d83b864f7734c67f3feedae.exe

Executes dropped EXE 1 IoCs

pid	Process
732	a02879c2ed78b8079b85ae4fc1ed2cd3198f1e9f8d83b864f7734c67f3feedae.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 13 IoCs

pid	pid_target	Process	procid_target
4048	4208	WerFault.exe	87
4916	732	WerFault.exe	96
3548	732	WerFault.exe	96
1920	732	WerFault.exe	96
4084	732	WerFault.exe	96
3112	732	WerFault.exe	96
4268	732	WerFault.exe	96
4700	732	WerFault.exe	96
1192	732	WerFault.exe	96
440	732	WerFault.exe	96
3136	732	WerFault.exe	96
3208	732	WerFault.exe	96
5040	732	WerFault.exe	96

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
732	a02879c2ed78b8079b85ae4fc1ed2cd3198f1e9f8d83b864f7734c67f3feedae.exe
732	a02879c2ed78b8079b85ae4fc1ed2cd3198f1e9f8d83b864f7734c67f3feedae.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4208	a02879c2ed78b8079b85ae4fc1ed2cd3198f1e9f8d83b864f7734c67f3feedae.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
732	a02879c2ed78b8079b85ae4fc1ed2cd3198f1e9f8d83b864f7734c67f3feedae.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 732	4208	a02879c2ed78b8079b85ae4fc1ed2cd3198f1e9f8d83b864f7734c67f3feedae.exe	96
PID 4208 wrote to memory of 732	4208	a02879c2ed78b8079b85ae4fc1ed2cd3198f1e9f8d83b864f7734c67f3feedae.exe	96
PID 4208 wrote to memory of 732	4208	a02879c2ed78b8079b85ae4fc1ed2cd3198f1e9f8d83b864f7734c67f3feedae.exe	96

C:\Users\Admin\AppData\Local\Temp\a02879c2ed78b8079b85ae4fc1ed2cd3198f1e9f8d83b864f7734c67f3feedae.exe
"C:\Users\Admin\AppData\Local\Temp\a02879c2ed78b8079b85ae4fc1ed2cd3198f1e9f8d83b864f7734c67f3feedae.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 344
  2⤵
  - Program crash
  PID:4048
- C:\Users\Admin\AppData\Local\Temp\a02879c2ed78b8079b85ae4fc1ed2cd3198f1e9f8d83b864f7734c67f3feedae.exe
  C:\Users\Admin\AppData\Local\Temp\a02879c2ed78b8079b85ae4fc1ed2cd3198f1e9f8d83b864f7734c67f3feedae.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 344
    3⤵
    - Program crash
    PID:4916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 636
    3⤵
    - Program crash
    PID:3548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 664
    3⤵
    - Program crash
    PID:1920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 656
    3⤵
    - Program crash
    PID:4084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 720
    3⤵
    - Program crash
    PID:3112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 920
    3⤵
    - Program crash
    PID:4268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1404
    3⤵
    - Program crash
    PID:4700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1464
    3⤵
    - Program crash
    PID:1192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1656
    3⤵
    - Program crash
    PID:440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1476
    3⤵
    - Program crash
    PID:3136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1512
    3⤵
    - Program crash
    PID:3208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1508
    3⤵
    - Program crash
    PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4208 -ip 4208
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 732 -ip 732
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 732 -ip 732
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 732 -ip 732
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 732 -ip 732
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 732 -ip 732
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 732 -ip 732
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 732 -ip 732
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 732 -ip 732
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 732 -ip 732
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 732 -ip 732
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 732 -ip 732
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 732 -ip 732
1⤵
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a02879c2ed78b8079b85ae4fc1ed2cd3198f1e9f8d83b864f7734c67f3feedae.exe

Filesize
4.0MB

MD5
5ac393e086dc2096fcb3f96dea0dd69a

SHA1
522be858ec0b21f19b0e9529f568c36f2f0b4cb6

SHA256
899928c7d2a681e9a605754c1d2f5d84c3e944ef5363747cf57515e9df3d8c1b

SHA512
ca9708df197c3b40d4551a2c39ba02b40194656f6e96fb7f1ed5f7ff429d0c9da6d9cc9727cedda9aaf5767f017d85b72c31010911a5de78bd6c57d481c81232

Download Submit
memory/732-11-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/732-12-0x0000000005060000-0x0000000005145000-memory.dmp

Filesize
916KB

Download
memory/732-13-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/732-23-0x000000000B9E0000-0x000000000BA83000-memory.dmp

Filesize
652KB

Download
memory/732-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4208-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4208-1-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4208-10-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download

Analysis

Sharing