8e4394a0e07fbe17d0e3a0b367e033bb7c3fb750814717acf6d8dcb3396401b0

General

Target

8e4394a0e07fbe17d0e3a0b367e033bb7c3fb750814717acf6d8dcb3396401b0.exe
Size

4.3MB
MD5

6470b0d01b2b1525dfaccb9071144639
SHA1

10fc19beb2d23f7fb13a9aacb007dac11c86d1cc
SHA256

8e4394a0e07fbe17d0e3a0b367e033bb7c3fb750814717acf6d8dcb3396401b0
SHA512

54f59b40ef2356881f760dd9884071c8b75a829d4d8433b198844fe85df6b492a56acf0c380addff8787decc716ecb15c14d982fb84a94ccc61ea71c5c9780d6
SSDEEP

98304:gZD0WoT7o0Fu1W8XED7DyRhT7o0Fu1W8XEm:g90WoT8ED7Dy7T8Em

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3408	8e4394a0e07fbe17d0e3a0b367e033bb7c3fb750814717acf6d8dcb3396401b0.exe

Executes dropped EXE 1 IoCs

pid	Process
3408	8e4394a0e07fbe17d0e3a0b367e033bb7c3fb750814717acf6d8dcb3396401b0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 11 IoCs

pid	pid_target	Process	procid_target
1888	3408	WerFault.exe	93
1972	3408	WerFault.exe	93
4524	3408	WerFault.exe	93
2260	3408	WerFault.exe	93
4708	3408	WerFault.exe	93
4056	3408	WerFault.exe	93
2636	3408	WerFault.exe	93
2368	3408	WerFault.exe	93
1948	3408	WerFault.exe	93
4184	3408	WerFault.exe	93
4256	3408	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3408	8e4394a0e07fbe17d0e3a0b367e033bb7c3fb750814717acf6d8dcb3396401b0.exe
3408	8e4394a0e07fbe17d0e3a0b367e033bb7c3fb750814717acf6d8dcb3396401b0.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1128	8e4394a0e07fbe17d0e3a0b367e033bb7c3fb750814717acf6d8dcb3396401b0.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3408	8e4394a0e07fbe17d0e3a0b367e033bb7c3fb750814717acf6d8dcb3396401b0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 3408	1128	8e4394a0e07fbe17d0e3a0b367e033bb7c3fb750814717acf6d8dcb3396401b0.exe	93
PID 1128 wrote to memory of 3408	1128	8e4394a0e07fbe17d0e3a0b367e033bb7c3fb750814717acf6d8dcb3396401b0.exe	93
PID 1128 wrote to memory of 3408	1128	8e4394a0e07fbe17d0e3a0b367e033bb7c3fb750814717acf6d8dcb3396401b0.exe	93

C:\Users\Admin\AppData\Local\Temp\8e4394a0e07fbe17d0e3a0b367e033bb7c3fb750814717acf6d8dcb3396401b0.exe
"C:\Users\Admin\AppData\Local\Temp\8e4394a0e07fbe17d0e3a0b367e033bb7c3fb750814717acf6d8dcb3396401b0.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\8e4394a0e07fbe17d0e3a0b367e033bb7c3fb750814717acf6d8dcb3396401b0.exe
  C:\Users\Admin\AppData\Local\Temp\8e4394a0e07fbe17d0e3a0b367e033bb7c3fb750814717acf6d8dcb3396401b0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:3408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 344
    3⤵
    - Program crash
    PID:1888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 636
    3⤵
    - Program crash
    PID:1972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 636
    3⤵
    - Program crash
    PID:4524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 656
    3⤵
    - Program crash
    PID:2260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 720
    3⤵
    - Program crash
    PID:4708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 884
    3⤵
    - Program crash
    PID:4056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1340
    3⤵
    - Program crash
    PID:2636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1480
    3⤵
    - Program crash
    PID:2368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1468
    3⤵
    - Program crash
    PID:1948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1484
    3⤵
    - Program crash
    PID:4184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1676
    3⤵
    - Program crash
    PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1128 -ip 1128
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3408 -ip 3408
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3408 -ip 3408
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3408 -ip 3408
1⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3408 -ip 3408
1⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3408 -ip 3408
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3408 -ip 3408
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3408 -ip 3408
1⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3408 -ip 3408
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3408 -ip 3408
1⤵
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3408 -ip 3408
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3408 -ip 3408
1⤵
PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8e4394a0e07fbe17d0e3a0b367e033bb7c3fb750814717acf6d8dcb3396401b0.exe

Filesize
4.3MB

MD5
61b58bfdc63fc89ddc76bb18c5c0e658

SHA1
28354425cfce4414b2f6b9f2ab5ef349862ef49f

SHA256
2f9393dd855d369d50ca40334ea652a18c8f081f5fd4074731371d8a11e9f44f

SHA512
165690e7cc1b968797a7cee17d81bb591cda3fae849f91e97d13975efee9b080e70e28da31327167cff58b44a136e1f1882afad5a8a2075b940e0841ee40eeb4

Download Submit
memory/1128-0-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1128-6-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/3408-7-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/3408-8-0x0000000005120000-0x0000000005204000-memory.dmp

Filesize
912KB

Download
memory/3408-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3408-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3408-21-0x000000000B9B0000-0x000000000BA53000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing