30b1fefebbe1124f0715cf6cc3b9f6d793ee8104fc91e2f153ec9a33e98f8476

General

Target

30b1fefebbe1124f0715cf6cc3b9f6d793ee8104fc91e2f153ec9a33e98f8476.exe
Size

883KB
MD5

a0a1ec9b7cc37fa22bc6e0121d5e709f
SHA1

fbe9c7e94b313b3677377de2c4368fd4011ed95c
SHA256

30b1fefebbe1124f0715cf6cc3b9f6d793ee8104fc91e2f153ec9a33e98f8476
SHA512

2703a718aa71bfe793edd5aec5d3d95a0b5d6411df3d080f7e7f7e7fdf4ea6909c407cb8240645c4d236bdda120a89295cdb19a40b29f9d7759c4c02c30426b0
SSDEEP

24576:n0xFKA7aSZbFjO5E3H4xeImmMF02n5a/ZS:n0yFKRjOj1mng

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1716	30b1fefebbe1124f0715cf6cc3b9f6d793ee8104fc91e2f153ec9a33e98f8476.exe

Executes dropped EXE 1 IoCs

pid	Process
1716	30b1fefebbe1124f0715cf6cc3b9f6d793ee8104fc91e2f153ec9a33e98f8476.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 14 IoCs

pid	pid_target	Process	procid_target
396	3320	WerFault.exe	86
3236	1716	WerFault.exe	95
2244	1716	WerFault.exe	95
3324	1716	WerFault.exe	95
1992	1716	WerFault.exe	95
828	1716	WerFault.exe	95
1260	1716	WerFault.exe	95
3524	1716	WerFault.exe	95
4092	1716	WerFault.exe	95
216	1716	WerFault.exe	95
4732	1716	WerFault.exe	95
5016	1716	WerFault.exe	95
2084	1716	WerFault.exe	95
2924	1716	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1716	30b1fefebbe1124f0715cf6cc3b9f6d793ee8104fc91e2f153ec9a33e98f8476.exe
1716	30b1fefebbe1124f0715cf6cc3b9f6d793ee8104fc91e2f153ec9a33e98f8476.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3320	30b1fefebbe1124f0715cf6cc3b9f6d793ee8104fc91e2f153ec9a33e98f8476.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1716	30b1fefebbe1124f0715cf6cc3b9f6d793ee8104fc91e2f153ec9a33e98f8476.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 1716	3320	30b1fefebbe1124f0715cf6cc3b9f6d793ee8104fc91e2f153ec9a33e98f8476.exe	95
PID 3320 wrote to memory of 1716	3320	30b1fefebbe1124f0715cf6cc3b9f6d793ee8104fc91e2f153ec9a33e98f8476.exe	95
PID 3320 wrote to memory of 1716	3320	30b1fefebbe1124f0715cf6cc3b9f6d793ee8104fc91e2f153ec9a33e98f8476.exe	95

C:\Users\Admin\AppData\Local\Temp\30b1fefebbe1124f0715cf6cc3b9f6d793ee8104fc91e2f153ec9a33e98f8476.exe
"C:\Users\Admin\AppData\Local\Temp\30b1fefebbe1124f0715cf6cc3b9f6d793ee8104fc91e2f153ec9a33e98f8476.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 348
  2⤵
  - Program crash
  PID:396
- C:\Users\Admin\AppData\Local\Temp\30b1fefebbe1124f0715cf6cc3b9f6d793ee8104fc91e2f153ec9a33e98f8476.exe
  C:\Users\Admin\AppData\Local\Temp\30b1fefebbe1124f0715cf6cc3b9f6d793ee8104fc91e2f153ec9a33e98f8476.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 344
    3⤵
    - Program crash
    PID:3236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 636
    3⤵
    - Program crash
    PID:2244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 664
    3⤵
    - Program crash
    PID:3324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 656
    3⤵
    - Program crash
    PID:1992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 720
    3⤵
    - Program crash
    PID:828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 864
    3⤵
    - Program crash
    PID:1260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1396
    3⤵
    - Program crash
    PID:3524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1492
    3⤵
    - Program crash
    PID:4092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1684
    3⤵
    - Program crash
    PID:216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1404
    3⤵
    - Program crash
    PID:4732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1520
    3⤵
    - Program crash
    PID:5016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1512
    3⤵
    - Program crash
    PID:2084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 640
    3⤵
    - Program crash
    PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3320 -ip 3320
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1716 -ip 1716
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1716 -ip 1716
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1716 -ip 1716
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1716 -ip 1716
1⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1716 -ip 1716
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1716 -ip 1716
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1716 -ip 1716
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1716 -ip 1716
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1716 -ip 1716
1⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1716 -ip 1716
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1716 -ip 1716
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1716 -ip 1716
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1716 -ip 1716
1⤵
PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\30b1fefebbe1124f0715cf6cc3b9f6d793ee8104fc91e2f153ec9a33e98f8476.exe

Filesize
883KB

MD5
8e56fd17ac688faeef5d262233b8a82f

SHA1
e8ceebad1632c270ba608569ddd3cff2fe3c2765

SHA256
2b78d4d874e5789b7a92555575c53283fbc8daada09892a5388988340ea21b91

SHA512
b3f0fe1dc552ead344579046365b1554d3b475f8d103b37008933f4323ff917c93df3005d4763a59c813c5e05c7d84f98314563ab6a38b83f9a43c1cce0cc3b6

Download Submit
memory/1716-8-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1716-9-0x0000000001560000-0x0000000001645000-memory.dmp

Filesize
916KB

Download
memory/1716-10-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1716-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1716-20-0x000000000B9C0000-0x000000000BA63000-memory.dmp

Filesize
652KB

Download
memory/3320-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3320-4-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download

Analysis

Sharing