ced82d1fcc72873c19cfb46e1bf5f56602d5a55cc9bd40a410b4cf7f72a9cae7

General

Target

ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
Size

395KB
MD5

85ced175fc50113e11a118e44f83f57a
SHA1

0623207b6b2f59278569b1f431f9cbb97a56baf4
SHA256

ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168
SHA512

6955fe346a90e91c24eb867525e3786d1fb7b4b609b837863d376fe00f62707cf2242a6c530380a9638d2e8c9b0e90cbbb126a7d2698d01583ed6a5e0030222c
SSDEEP

6144:DLiidECmWHgYTzjJZR2RPKlnQ1CC9QDE2D/4t1VDsVcXgQY:DWiTBHgYTzjw5KKJg1avsGwQ

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 32 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2128	3580	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
2472	3580	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
4184	3580	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
2704	3580	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
4320	3580	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
524	3580	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
2344	3580	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
984	3580	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
4932	3580	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
1072	3580	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
4960	3580	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
4584	3580	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
3092	3580	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
4160	1116	WerFault.exe	Utsysc.exe
4360	1116	WerFault.exe	Utsysc.exe
3912	1116	WerFault.exe	Utsysc.exe
3276	1116	WerFault.exe	Utsysc.exe
4224	1116	WerFault.exe	Utsysc.exe
2224	1116	WerFault.exe	Utsysc.exe
2416	1116	WerFault.exe	Utsysc.exe
4868	1116	WerFault.exe	Utsysc.exe
2524	1116	WerFault.exe	Utsysc.exe
2044	1116	WerFault.exe	Utsysc.exe
1188	1116	WerFault.exe	Utsysc.exe
4500	1116	WerFault.exe	Utsysc.exe
3480	1116	WerFault.exe	Utsysc.exe
4356	1200	WerFault.exe	Utsysc.exe
1072	1116	WerFault.exe	Utsysc.exe
3488	1116	WerFault.exe	Utsysc.exe
4756	1116	WerFault.exe	Utsysc.exe
4984	1116	WerFault.exe	Utsysc.exe
1824	1116	WerFault.exe	Utsysc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2548 schtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe

pid process

3580 ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe

pid	process
2548	schtasks.exe

pid	process
3580	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe

C:\Users\Admin\AppData\Local\Temp\ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
"C:\Users\Admin\AppData\Local\Temp\ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 584
2⤵
- Program crash
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 640
2⤵
- Program crash
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 736
2⤵
- Program crash
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 744
2⤵
- Program crash
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 856
2⤵
- Program crash
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 844
2⤵
- Program crash
PID:524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 1104
2⤵
- Program crash
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 1124
2⤵
- Program crash
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 1240
2⤵
- Program crash
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 1008
2⤵
- Program crash
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 644
2⤵
- Program crash
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 776
2⤵
- Program crash
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 1532
2⤵
- Program crash
PID:3092

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe"
2⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 608
3⤵
- Program crash
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 752
3⤵
- Program crash
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 752
3⤵
- Program crash
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 968
3⤵
- Program crash
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 976
3⤵
- Program crash
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 976
3⤵
- Program crash
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1052
3⤵
- Program crash
PID:2416

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe" /F
3⤵
- Creates scheduled task(s)
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 912
3⤵
- Program crash
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1128
3⤵
- Program crash
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1132
3⤵
- Program crash
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 668
3⤵
- Program crash
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 660
3⤵
- Program crash
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1208
3⤵
- Program crash
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1204
3⤵
- Program crash
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1236
3⤵
- Program crash
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1316
3⤵
- Program crash
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1320
3⤵
- Program crash
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1080
3⤵
- Program crash
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3580 -ip 3580
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3580 -ip 3580
1⤵
PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3580 -ip 3580
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3580 -ip 3580
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3580 -ip 3580
1⤵
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3580 -ip 3580
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3580 -ip 3580
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3580 -ip 3580
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3580 -ip 3580
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3580 -ip 3580
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3580 -ip 3580
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3580 -ip 3580
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3580 -ip 3580
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1116 -ip 1116
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1116 -ip 1116
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1116 -ip 1116
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1116 -ip 1116
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1116 -ip 1116
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1116 -ip 1116
1⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1116 -ip 1116
1⤵
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1116 -ip 1116
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1116 -ip 1116
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1116 -ip 1116
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1116 -ip 1116
1⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1116 -ip 1116
1⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 432
2⤵
- Program crash
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1116 -ip 1116
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1200 -ip 1200
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1116 -ip 1116
1⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1116 -ip 1116
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1116 -ip 1116
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1116 -ip 1116
1⤵
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1116 -ip 1116
1⤵
PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
395KB

MD5
85ced175fc50113e11a118e44f83f57a

SHA1
0623207b6b2f59278569b1f431f9cbb97a56baf4

SHA256
ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168

SHA512
6955fe346a90e91c24eb867525e3786d1fb7b4b609b837863d376fe00f62707cf2242a6c530380a9638d2e8c9b0e90cbbb126a7d2698d01583ed6a5e0030222c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
395KB

MD5
85ced175fc50113e11a118e44f83f57a

SHA1
0623207b6b2f59278569b1f431f9cbb97a56baf4

SHA256
ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168

SHA512
6955fe346a90e91c24eb867525e3786d1fb7b4b609b837863d376fe00f62707cf2242a6c530380a9638d2e8c9b0e90cbbb126a7d2698d01583ed6a5e0030222c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
395KB

MD5
85ced175fc50113e11a118e44f83f57a

SHA1
0623207b6b2f59278569b1f431f9cbb97a56baf4

SHA256
ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168

SHA512
6955fe346a90e91c24eb867525e3786d1fb7b4b609b837863d376fe00f62707cf2242a6c530380a9638d2e8c9b0e90cbbb126a7d2698d01583ed6a5e0030222c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
388KB

MD5
4b0dfeb098c1b608ba9ed19064873047

SHA1
5f820355b296e5dea8771dfe8d94a7741a3e6d47

SHA256
6aff9c5aa1820167c60853f16cdeeaba3579a4ea4ebc3b9f8672b24c3e7852aa

SHA512
c27877940eccd5b23a431de93b9c2c027e80c9178a8d4fa71ca9d36b391c277e57034f51bf0f30c43c32fe1c9e5705e5a6cb690f6784e07363ac9051fab8060d

Download Submit
memory/1116-30-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1116-34-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1116-43-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1116-28-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1116-29-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1200-36-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1200-35-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/3580-26-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3580-3-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3580-6-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/3580-1-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/3580-2-0x0000000002150000-0x00000000021BC000-memory.dmp

Filesize
432KB

Download
memory/3580-17-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3580-7-0x0000000002150000-0x00000000021BC000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads