e05256f677af036c48e1533f0e3d328f5fa26732dad58a65b65bb35a7b039678

General

Target

e05256f677af036c48e1533f0e3d328f5fa26732dad58a65b65bb35a7b039678.exe
Size

2.0MB
MD5

6dec320ad6b3a7e329ee38e2e8c024e6
SHA1

d0f6e4e2ae2b219804ce3a371195038e45fdebdf
SHA256

e05256f677af036c48e1533f0e3d328f5fa26732dad58a65b65bb35a7b039678
SHA512

cf52abcf1091981fabd0ee08633a8156812983e31c0e217e20fa9b46c57ad50621d6be3cc3f884cc38786d5a8fb3bfd9747d829bceab29aa6a261ed6422eae79
SSDEEP

49152:XHEoiVO15C0sXU9nBghbq4TTow+lsghbD:XHePpmIhTWRH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1440	e05256f677af036c48e1533f0e3d328f5fa26732dad58a65b65bb35a7b039678.exe

Executes dropped EXE 1 IoCs

pid	Process
1440	e05256f677af036c48e1533f0e3d328f5fa26732dad58a65b65bb35a7b039678.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 12 IoCs

pid	pid_target	Process	procid_target
4072	1440	WerFault.exe	96
3428	1440	WerFault.exe	96
4228	1440	WerFault.exe	96
4300	1440	WerFault.exe	96
2204	1440	WerFault.exe	96
1836	1440	WerFault.exe	96
1572	1440	WerFault.exe	96
932	1440	WerFault.exe	96
4840	1440	WerFault.exe	96
1452	1440	WerFault.exe	96
2204	1440	WerFault.exe	96
1744	1440	WerFault.exe	96

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1440	e05256f677af036c48e1533f0e3d328f5fa26732dad58a65b65bb35a7b039678.exe
1440	e05256f677af036c48e1533f0e3d328f5fa26732dad58a65b65bb35a7b039678.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4208	e05256f677af036c48e1533f0e3d328f5fa26732dad58a65b65bb35a7b039678.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1440	e05256f677af036c48e1533f0e3d328f5fa26732dad58a65b65bb35a7b039678.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 1440	4208	e05256f677af036c48e1533f0e3d328f5fa26732dad58a65b65bb35a7b039678.exe	96
PID 4208 wrote to memory of 1440	4208	e05256f677af036c48e1533f0e3d328f5fa26732dad58a65b65bb35a7b039678.exe	96
PID 4208 wrote to memory of 1440	4208	e05256f677af036c48e1533f0e3d328f5fa26732dad58a65b65bb35a7b039678.exe	96

C:\Users\Admin\AppData\Local\Temp\e05256f677af036c48e1533f0e3d328f5fa26732dad58a65b65bb35a7b039678.exe
"C:\Users\Admin\AppData\Local\Temp\e05256f677af036c48e1533f0e3d328f5fa26732dad58a65b65bb35a7b039678.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\e05256f677af036c48e1533f0e3d328f5fa26732dad58a65b65bb35a7b039678.exe
  C:\Users\Admin\AppData\Local\Temp\e05256f677af036c48e1533f0e3d328f5fa26732dad58a65b65bb35a7b039678.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 344
    3⤵
    - Program crash
    PID:4072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 628
    3⤵
    - Program crash
    PID:3428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 648
    3⤵
    - Program crash
    PID:4228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 628
    3⤵
    - Program crash
    PID:4300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 764
    3⤵
    - Program crash
    PID:2204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 924
    3⤵
    - Program crash
    PID:1836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1412
    3⤵
    - Program crash
    PID:1572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1492
    3⤵
    - Program crash
    PID:932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1680
    3⤵
    - Program crash
    PID:4840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1452
    3⤵
    - Program crash
    PID:1452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1656
    3⤵
    - Program crash
    PID:2204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1516
    3⤵
    - Program crash
    PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4208 -ip 4208
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1440 -ip 1440
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1440 -ip 1440
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1440 -ip 1440
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1440 -ip 1440
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1440 -ip 1440
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1440 -ip 1440
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1440 -ip 1440
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1440 -ip 1440
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1440 -ip 1440
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1440 -ip 1440
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1440 -ip 1440
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1440 -ip 1440
1⤵
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e05256f677af036c48e1533f0e3d328f5fa26732dad58a65b65bb35a7b039678.exe

Filesize
2.0MB

MD5
6c9bde0bb556d49ba55a560422adcf68

SHA1
f63673107a9af5c03b429f5261c52fb848583e0a

SHA256
1b0aaebedc0b8afdaf9e697376380d1440e3f849af3d2c455104be6ba694146e

SHA512
778cb35b21762a1524879f5e8d465434f572008c9058cf255d8ff77ced42908c6d9c1c1ccf8ed3535c1faeec84418b8b3623c40aee0c106a6cf5670a919a54ee

Download Submit
memory/1440-9-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1440-13-0x0000000001570000-0x0000000001655000-memory.dmp

Filesize
916KB

Download
memory/1440-14-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1440-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1440-26-0x000000000B8E0000-0x000000000B983000-memory.dmp

Filesize
652KB

Download
memory/4208-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4208-1-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4208-2-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4208-7-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download

Analysis

Sharing