b17abcf6553d41bccdef45fbf48314821b4a65679e1be96985039d1d4236abe5

General

Target

5f6be08e89d6c97292f1c3fde3bf19d0.exe
Size

3.2MB
MD5

5f6be08e89d6c97292f1c3fde3bf19d0
SHA1

a246dc29e35eddc0c275114f2654d922b550df6c
SHA256

b17abcf6553d41bccdef45fbf48314821b4a65679e1be96985039d1d4236abe5
SHA512

15df529c2fbf6577a389fdd1614fcd83f4bc2496608c222c8079a773fb726d7d706fb3dbfa860f85a281f4d7725ab4404cdb7c0e02615c53cc8ebfe101d0bf02
SSDEEP

98304:hjWDRJgTp0cakc2G6pfFmcakchzHxcrz9GMMcakc2G6pfFmcakcO:hGSTp0dlAfcdlhzU9GNdlAfcdlO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1896	5f6be08e89d6c97292f1c3fde3bf19d0.exe

Executes dropped EXE 1 IoCs

pid	Process
1896	5f6be08e89d6c97292f1c3fde3bf19d0.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3940-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x000f000000023124-12.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 18 IoCs

pid	pid_target	Process	procid_target
2872	1896	WerFault.exe
3880	1896	WerFault.exe
2552	1896	WerFault.exe
2672	1896	WerFault.exe
3624	1896	WerFault.exe	36
3440	1896	WerFault.exe	36
3948	1896	WerFault.exe	36
716	1896	WerFault.exe	36
3228	1896	WerFault.exe	36
1556	1896	WerFault.exe	36
3680	1896	WerFault.exe	36
2940	1896	WerFault.exe	36
4024	1896	WerFault.exe	36
2444	1896	WerFault.exe	36
1280	1896	WerFault.exe	36
2216	1896	WerFault.exe	36
232	1896	WerFault.exe	36
1856	1896	WerFault.exe	36

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1280	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3940	5f6be08e89d6c97292f1c3fde3bf19d0.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3940	5f6be08e89d6c97292f1c3fde3bf19d0.exe
1896	5f6be08e89d6c97292f1c3fde3bf19d0.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 1896	3940	5f6be08e89d6c97292f1c3fde3bf19d0.exe	36
PID 3940 wrote to memory of 1896	3940	5f6be08e89d6c97292f1c3fde3bf19d0.exe	36
PID 3940 wrote to memory of 1896	3940	5f6be08e89d6c97292f1c3fde3bf19d0.exe	36
PID 1896 wrote to memory of 1280	1896	5f6be08e89d6c97292f1c3fde3bf19d0.exe	98
PID 1896 wrote to memory of 1280	1896	5f6be08e89d6c97292f1c3fde3bf19d0.exe	98
PID 1896 wrote to memory of 1280	1896	5f6be08e89d6c97292f1c3fde3bf19d0.exe	98
PID 1896 wrote to memory of 1532	1896	5f6be08e89d6c97292f1c3fde3bf19d0.exe	27
PID 1896 wrote to memory of 1532	1896	5f6be08e89d6c97292f1c3fde3bf19d0.exe	27
PID 1896 wrote to memory of 1532	1896	5f6be08e89d6c97292f1c3fde3bf19d0.exe	27
PID 1532 wrote to memory of 4544	1532	cmd.exe	22
PID 1532 wrote to memory of 4544	1532	cmd.exe	22
PID 1532 wrote to memory of 4544	1532	cmd.exe	22

C:\Users\Admin\AppData\Local\Temp\5f6be08e89d6c97292f1c3fde3bf19d0.exe
"C:\Users\Admin\AppData\Local\Temp\5f6be08e89d6c97292f1c3fde3bf19d0.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\AppData\Local\Temp\5f6be08e89d6c97292f1c3fde3bf19d0.exe
  C:\Users\Admin\AppData\Local\Temp\5f6be08e89d6c97292f1c3fde3bf19d0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 608
    3⤵
    - Program crash
    PID:3624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 728
    3⤵
    - Program crash
    PID:3440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1460
    3⤵
    - Program crash
    PID:3948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1912
    3⤵
    - Program crash
    PID:716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 2144
    3⤵
    - Program crash
    PID:3228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1916
    3⤵
    - Program crash
    PID:1556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 2140
    3⤵
    - Program crash
    PID:3680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 2212
    3⤵
    - Program crash
    PID:2940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 2220
    3⤵
    - Program crash
    PID:4024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 2132
    3⤵
    - Program crash
    PID:2444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1948
    3⤵
    - Program crash
    PID:1280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 2152
    3⤵
    - Program crash
    PID:2216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 2144
    3⤵
    - Program crash
    PID:232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 604
    3⤵
    - Program crash
    PID:1856

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN qPTTkyZ9c33c
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1896 -ip 1896
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 600
1⤵
- Program crash
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks.exe /Query /XML /TN qPTTkyZ9c33c > C:\Users\Admin\AppData\Local\Temp\SwBGSbChl.xml
1⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\5f6be08e89d6c97292f1c3fde3bf19d0.exe" /TN qPTTkyZ9c33c /F
1⤵
- Creates scheduled task(s)
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1896 -ip 1896
1⤵
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 616
1⤵
- Program crash
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 644
1⤵
- Program crash
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1896 -ip 1896
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1896 -ip 1896
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 608
1⤵
- Program crash
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1896 -ip 1896
1⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1896 -ip 1896
1⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1896 -ip 1896
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1896 -ip 1896
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1896 -ip 1896
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1896 -ip 1896
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1896 -ip 1896
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1896 -ip 1896
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1896 -ip 1896
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1896 -ip 1896
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1896 -ip 1896
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1896 -ip 1896
1⤵
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1896 -ip 1896
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1896 -ip 1896
1⤵
PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5f6be08e89d6c97292f1c3fde3bf19d0.exe

Filesize
9KB

MD5
d6610c2e80753054e3a01cb361453d4a

SHA1
32b67e3c70f1ef7caf17f66beb491d2e02710e9b

SHA256
3ba75113a81959942b71c6ebab552162e7c1ba0e1052522ac21dd257eb96d1e4

SHA512
8b263225ed6145417cd7296d3a53ff2c44533fd6f4c060337173db218bd2394703d5269f472d8a6ce56000975d46f09e4da679b14eb77ea2518a3a2f761df19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwBGSbChl.xml

Filesize
1KB

MD5
b4b8e15c7e6563c53bc74818fd074b0c

SHA1
19960cbb311fb67bac6aa46622630a7184bd0eae

SHA256
28f116141abc9f47166035a0d4a6c931a3b77bfaae2ab4824fe31ee705767842

SHA512
17257d912f352b15af931c1fabd0e6b6b3f670197822299ceaec3cbb42e8bfe048c8c45b8660d34d0a0536499492ec9ef53d0e247916fc720fe350bda5310309

Download Submit
memory/1896-15-0x0000000001730000-0x00000000017AE000-memory.dmp

Filesize
504KB

Download
memory/1896-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1896-22-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/1896-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1896-40-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3940-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3940-5-0x0000000025030000-0x00000000250AE000-memory.dmp

Filesize
504KB

Download
memory/3940-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3940-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads