bc35abe8e74dd38d3a5862239b54265a15f609a10b5dd4a585add83863fe608c

General

Target

6cc5acc27e84771c37fd40e610019ae2.exe
Size

1003KB
MD5

6cc5acc27e84771c37fd40e610019ae2
SHA1

4ec9bd04680ff344eb389b5b971454301240afa4
SHA256

bc35abe8e74dd38d3a5862239b54265a15f609a10b5dd4a585add83863fe608c
SHA512

a87011362bb4ceeb889b9c2714018a952240a5a10f29c0f401c3cfc8e4c5c2fbbcece4fadb783394bcedb1aaf24519b79147ec186e2ac71c59e274271c64144a
SSDEEP

24576:ff2DpM2xlaZujFoGQoadai7D3uITjIFOxo53ApIj:fuDO2xy6CGQ7ai7D3xTgOxYwpK

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2240	6cc5acc27e84771c37fd40e610019ae2.exe

Executes dropped EXE 1 IoCs

pid	Process
2240	6cc5acc27e84771c37fd40e610019ae2.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3196-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x00070000000231f3-11.dat	upx
behavioral2/memory/2240-15-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 13 IoCs

pid	pid_target	Process	procid_target
556	2240	WerFault.exe	91
2884	2240	WerFault.exe	91
2288	2240	WerFault.exe	91
4216	2240	WerFault.exe	91
940	2240	WerFault.exe	91
2008	2240	WerFault.exe	91
3504	2240	WerFault.exe	91
2824	2240	WerFault.exe	91
4672	2240	WerFault.exe	91
392	2240	WerFault.exe	91
1580	2240	WerFault.exe	91
3768	2240	WerFault.exe	91
1764	2240	WerFault.exe	91

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4672	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3196	6cc5acc27e84771c37fd40e610019ae2.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3196	6cc5acc27e84771c37fd40e610019ae2.exe
2240	6cc5acc27e84771c37fd40e610019ae2.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 2240	3196	6cc5acc27e84771c37fd40e610019ae2.exe	91
PID 3196 wrote to memory of 2240	3196	6cc5acc27e84771c37fd40e610019ae2.exe	91
PID 3196 wrote to memory of 2240	3196	6cc5acc27e84771c37fd40e610019ae2.exe	91
PID 2240 wrote to memory of 4672	2240	6cc5acc27e84771c37fd40e610019ae2.exe	93
PID 2240 wrote to memory of 4672	2240	6cc5acc27e84771c37fd40e610019ae2.exe	93
PID 2240 wrote to memory of 4672	2240	6cc5acc27e84771c37fd40e610019ae2.exe	93
PID 2240 wrote to memory of 3428	2240	6cc5acc27e84771c37fd40e610019ae2.exe	96
PID 2240 wrote to memory of 3428	2240	6cc5acc27e84771c37fd40e610019ae2.exe	96
PID 2240 wrote to memory of 3428	2240	6cc5acc27e84771c37fd40e610019ae2.exe	96
PID 3428 wrote to memory of 1316	3428	cmd.exe	99
PID 3428 wrote to memory of 1316	3428	cmd.exe	99
PID 3428 wrote to memory of 1316	3428	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\6cc5acc27e84771c37fd40e610019ae2.exe
"C:\Users\Admin\AppData\Local\Temp\6cc5acc27e84771c37fd40e610019ae2.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Users\Admin\AppData\Local\Temp\6cc5acc27e84771c37fd40e610019ae2.exe
  C:\Users\Admin\AppData\Local\Temp\6cc5acc27e84771c37fd40e610019ae2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\6cc5acc27e84771c37fd40e610019ae2.exe" /TN EftJtVnu5bdb /F
    3⤵
    - Creates scheduled task(s)
    PID:4672
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN EftJtVnu5bdb > C:\Users\Admin\AppData\Local\Temp\uGAqnF4.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3428
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN EftJtVnu5bdb
      4⤵
      PID:1316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 608
    3⤵
    - Program crash
    PID:556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 652
    3⤵
    - Program crash
    PID:2884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 752
    3⤵
    - Program crash
    PID:2288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 660
    3⤵
    - Program crash
    PID:4216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 780
    3⤵
    - Program crash
    PID:940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 800
    3⤵
    - Program crash
    PID:2008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 1460
    3⤵
    - Program crash
    PID:3504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 1644
    3⤵
    - Program crash
    PID:2824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 1468
    3⤵
    - Program crash
    PID:4672
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 2012
    3⤵
    - Program crash
    PID:392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 2020
    3⤵
    - Program crash
    PID:1580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 2188
    3⤵
    - Program crash
    PID:3768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 1916
    3⤵
    - Program crash
    PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2240 -ip 2240
1⤵
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2240 -ip 2240
1⤵
PID:488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2240 -ip 2240
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2240 -ip 2240
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2240 -ip 2240
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2240 -ip 2240
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2240 -ip 2240
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2240 -ip 2240
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2240 -ip 2240
1⤵
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2240 -ip 2240
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2240 -ip 2240
1⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2240 -ip 2240
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2240 -ip 2240
1⤵
PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6cc5acc27e84771c37fd40e610019ae2.exe

Filesize
1003KB

MD5
6a6451a06d8debbc63fdeacb05bc0c7a

SHA1
e21224d15d7965d398438dae10b8c88172229755

SHA256
8275febc3ed0f583abf5ea31ba7c837f36a8985b535e45b9c716d435c8eb904c

SHA512
e32cb660f116df685cb12d0094afc82c51a75dac9685bafcc3246e72db0527eae04facee04ad247f8e25fd2566ef615546a98aae1735bed81718814d3a304577

Download Submit
C:\Users\Admin\AppData\Local\Temp\uGAqnF4.xml

Filesize
1KB

MD5
4cfb24de330fd0953b0c9a26afe01d01

SHA1
4d69182ae2de8509e6153c116d6acc5115a3dc01

SHA256
a5a70d5092d68b45d6f805bd96a2e07eacadf7447f28629f87a02344ff721612

SHA512
708622654e8f073f5de4a70bfcb7ef2056cd1b257a33599cc6508b0064ead66e034a009eee00edcedffea4a5a70b26394652e4bf231be0690ff77016fc8e6d2a

Download Submit
memory/2240-15-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2240-16-0x0000000025060000-0x00000000250DE000-memory.dmp

Filesize
504KB

Download
memory/2240-22-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2240-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2240-28-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3196-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3196-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3196-6-0x0000000024FF0000-0x000000002506E000-memory.dmp

Filesize
504KB

Download
memory/3196-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads