9111a33d540a5de55a2cd86c937c29878d7368e2242de686dcfbf124d10531e2

General

Target

9111a33d540a5de55a2cd86c937c29878d7368e2242de686dcfbf124d10531e2.exe
Size

2.0MB
MD5

80cc9106f8ab6224329eb4052710bb64
SHA1

45e785a11ea81910c1b7c04d9749807f9c4ca5ea
SHA256

9111a33d540a5de55a2cd86c937c29878d7368e2242de686dcfbf124d10531e2
SHA512

2030e53a66d5bc8dcadc6fddbadf727b378e3304ad5a431345139593edd8cf79e0fa6768fe5d85fb40d4ff895e530767ae88beb367ec8af433768706dfc14813
SSDEEP

24576:nfVkcS63uV/BMoLUojCEONB8csa/ZSC77Lv+f6T8Qnskb2i6OBKaBudep+dnsa/1:fVnSyuV5L1jG8csghbq4TTow+lsghbD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4464	9111a33d540a5de55a2cd86c937c29878d7368e2242de686dcfbf124d10531e2.exe

Executes dropped EXE 1 IoCs

pid	Process
4464	9111a33d540a5de55a2cd86c937c29878d7368e2242de686dcfbf124d10531e2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 12 IoCs

pid	pid_target	Process	procid_target
3796	4464	WerFault.exe	95
232	4464	WerFault.exe	95
4188	4464	WerFault.exe	95
1908	4464	WerFault.exe	95
4124	4464	WerFault.exe	95
3932	4464	WerFault.exe	95
4352	4464	WerFault.exe	95
3944	4464	WerFault.exe	95
1200	4464	WerFault.exe	95
232	4464	WerFault.exe	95
3676	4464	WerFault.exe	95
400	4464	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4464	9111a33d540a5de55a2cd86c937c29878d7368e2242de686dcfbf124d10531e2.exe
4464	9111a33d540a5de55a2cd86c937c29878d7368e2242de686dcfbf124d10531e2.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
648	9111a33d540a5de55a2cd86c937c29878d7368e2242de686dcfbf124d10531e2.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4464	9111a33d540a5de55a2cd86c937c29878d7368e2242de686dcfbf124d10531e2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 4464	648	9111a33d540a5de55a2cd86c937c29878d7368e2242de686dcfbf124d10531e2.exe	95
PID 648 wrote to memory of 4464	648	9111a33d540a5de55a2cd86c937c29878d7368e2242de686dcfbf124d10531e2.exe	95
PID 648 wrote to memory of 4464	648	9111a33d540a5de55a2cd86c937c29878d7368e2242de686dcfbf124d10531e2.exe	95

C:\Users\Admin\AppData\Local\Temp\9111a33d540a5de55a2cd86c937c29878d7368e2242de686dcfbf124d10531e2.exe
"C:\Users\Admin\AppData\Local\Temp\9111a33d540a5de55a2cd86c937c29878d7368e2242de686dcfbf124d10531e2.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:648
- C:\Users\Admin\AppData\Local\Temp\9111a33d540a5de55a2cd86c937c29878d7368e2242de686dcfbf124d10531e2.exe
  C:\Users\Admin\AppData\Local\Temp\9111a33d540a5de55a2cd86c937c29878d7368e2242de686dcfbf124d10531e2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 344
    3⤵
    - Program crash
    PID:3796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 636
    3⤵
    - Program crash
    PID:232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 648
    3⤵
    - Program crash
    PID:4188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 692
    3⤵
    - Program crash
    PID:1908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 700
    3⤵
    - Program crash
    PID:4124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 884
    3⤵
    - Program crash
    PID:3932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1408
    3⤵
    - Program crash
    PID:4352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1412
    3⤵
    - Program crash
    PID:3944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1500
    3⤵
    - Program crash
    PID:1200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1400
    3⤵
    - Program crash
    PID:232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1448
    3⤵
    - Program crash
    PID:3676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1484
    3⤵
    - Program crash
    PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 648 -ip 648
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4464 -ip 4464
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4464 -ip 4464
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4464 -ip 4464
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4464 -ip 4464
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4464 -ip 4464
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4464 -ip 4464
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4464 -ip 4464
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4464 -ip 4464
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4464 -ip 4464
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4464 -ip 4464
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4464 -ip 4464
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4464 -ip 4464
1⤵
PID:3816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9111a33d540a5de55a2cd86c937c29878d7368e2242de686dcfbf124d10531e2.exe

Filesize
2.0MB

MD5
182578b71f843b0355e60314fcc3ef66

SHA1
e96cf43852fa8b828bf4d6dfcd653e6e6fc1aaef

SHA256
585cf4c91df0de1aa2fec8eea514677d7b2658524858f341ead8118bf1b13334

SHA512
459427ee9ac66d1ffdd44809934c04576b9e32439b092433ebe8eca53aa2b10e0930465b0bf7f0c64457cf7857c261c8f0ed48f8e8a3df8c80bb46eb38217f86

Download Submit
memory/648-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/648-1-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/648-2-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/648-8-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4464-9-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4464-10-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4464-15-0x0000000005060000-0x0000000005145000-memory.dmp

Filesize
916KB

Download
memory/4464-14-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4464-27-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4464-30-0x000000000B9B0000-0x000000000BA53000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing