a8e2a996c913eb390bd0074d461a97156ad7395ae5ca856c2a6e6c14be534e2d

General

Target

09614e70ccc217403b852420ff7c9a94.exe
Size

402KB
MD5

09614e70ccc217403b852420ff7c9a94
SHA1

e8a5691810a49873d4bdccf6776510a2db6c17d4
SHA256

a8e2a996c913eb390bd0074d461a97156ad7395ae5ca856c2a6e6c14be534e2d
SHA512

d51c22dd923b2733c60d8e185f64e45a34158119852e721bfdae80e893e8c1d779063bc2a84c2cb593bd05dcc64f1bf47da32bdd903eb8b5976c058d1995afc7
SSDEEP

6144:lw/1POelIqtW+YPjXbs0CsgEn4yr2BdjRbv2ixvD3OR6DF7DSeFr7knGyHM:lw/1PmPLssgETrA5Rl66VS+I

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3144	33A2E4F0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{7C046CF8-759C-4301-A95C-2D5FD8AD23DE} = "C:\\ProgramData\\{1D7BD5EC-1EA9-44E8-9114-08DDFBD26AB9}\\33A2E4F0.exe"	09614e70ccc217403b852420ff7c9a94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{7C046CF8-759C-4301-A95C-2D5FD8AD23DE} = "C:\\ProgramData\\{1D7BD5EC-1EA9-44E8-9114-08DDFBD26AB9}\\33A2E4F0.exe"	09614e70ccc217403b852420ff7c9a94.exe

Program crash 11 IoCs

pid	pid_target	Process	procid_target
3136	4536	WerFault.exe	85
552	3144	WerFault.exe	91
3160	3144	WerFault.exe	91
2472	3144	WerFault.exe	91
3676	3144	WerFault.exe	91
1648	3144	WerFault.exe	91
1844	3144	WerFault.exe	91
2176	3144	WerFault.exe	91
3684	3144	WerFault.exe	91
4300	3144	WerFault.exe	91
228	3144	WerFault.exe	91

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 3144	4536	09614e70ccc217403b852420ff7c9a94.exe	91
PID 4536 wrote to memory of 3144	4536	09614e70ccc217403b852420ff7c9a94.exe	91
PID 4536 wrote to memory of 3144	4536	09614e70ccc217403b852420ff7c9a94.exe	91

C:\Users\Admin\AppData\Local\Temp\09614e70ccc217403b852420ff7c9a94.exe
"C:\Users\Admin\AppData\Local\Temp\09614e70ccc217403b852420ff7c9a94.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4536
- C:\ProgramData\{1D7BD5EC-1EA9-44E8-9114-08DDFBD26AB9}\33A2E4F0.exe
  "C:\ProgramData\{1D7BD5EC-1EA9-44E8-9114-08DDFBD26AB9}\33A2E4F0.exe"
  2⤵
  - Executes dropped EXE
  PID:3144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 748
    3⤵
    - Program crash
    PID:552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 756
    3⤵
    - Program crash
    PID:3160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 784
    3⤵
    - Program crash
    PID:2472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 764
    3⤵
    - Program crash
    PID:3676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 756
    3⤵
    - Program crash
    PID:1648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 832
    3⤵
    - Program crash
    PID:1844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 840
    3⤵
    - Program crash
    PID:2176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 756
    3⤵
    - Program crash
    PID:3684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 820
    3⤵
    - Program crash
    PID:4300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 796
    3⤵
    - Program crash
    PID:228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 640
  2⤵
  - Program crash
  PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4536 -ip 4536
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3144 -ip 3144
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3144 -ip 3144
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3144 -ip 3144
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3144 -ip 3144
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3144 -ip 3144
1⤵
PID:792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3144 -ip 3144
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3144 -ip 3144
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3144 -ip 3144
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3144 -ip 3144
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3144 -ip 3144
1⤵
PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{1D7BD5EC-1EA9-44E8-9114-08DDFBD26AB9}\33A2E4F0.exe

Filesize
24KB

MD5
c3cf8183baf6531801f0401fbf849ae7

SHA1
6dab5307d3b68f3530649ec56b7ae51f1c8b60f9

SHA256
5691ae398da36bbb117cb0110776abb74b0c02be37558263da56cd0baa5b7d0d

SHA512
382a1f3dffd1846c2dbdfd1491a0d77dff40ea38069eb53edd225eaafdd7972377eace8dae9911000d37c4918bb9da24e106ff6be333ef28f422583b3e1ab93a

Download Submit
C:\ProgramData\{1D7BD5EC-1EA9-44E8-9114-08DDFBD26AB9}\33A2E4F0.exe

Filesize
107KB

MD5
a389d17d52e18d08f946145e1199187a

SHA1
598d14ceaeb5c68bace49fb348b93e8353971270

SHA256
4a99929a110dba4f21191c8bef3b23363e30f43b08d06b7c621a1a5a8a8424e8

SHA512
cbfe88a2731c005027e7ba5fabe4162cb444ad613c587a1d50de54649c5ce6513366ea78a1b3ecc3ce7d93aab84bfc02e25b5e8399d3912c8c3d8c2deeed8262

Download Submit
C:\Users\Admin\AppData\Local\Temp\A56FE8E8E07249AFA0AC27

Filesize
140B

MD5
7a6cbef7be65263118e3d87e1156df64

SHA1
43088af10901409b2d8f2235a1f3f0d900ac7046

SHA256
0f63a150adc323fa90ed1a312250edb34def2e9b29ba7103de7e77c54c12f683

SHA512
be22c7fd78c7dd4976cfac4515f127bf4eb8ff4e23a8fa8e3db89a76309646064578542d73a249420f1c11d69f394420525d1a0d4b209bf19cadb6283dd9d754

Download Submit
memory/3144-10-0x0000000002EF0000-0x0000000002FF0000-memory.dmp

Filesize
1024KB

Download
memory/3144-11-0x0000000000400000-0x0000000002C9B000-memory.dmp

Filesize
40.6MB

Download
memory/3144-15-0x0000000000400000-0x0000000002C9B000-memory.dmp

Filesize
40.6MB

Download
memory/3144-17-0x0000000002EF0000-0x0000000002FF0000-memory.dmp

Filesize
1024KB

Download
memory/4536-2-0x00000000049F0000-0x0000000004A40000-memory.dmp

Filesize
320KB

Download
memory/4536-1-0x0000000002D00000-0x0000000002E00000-memory.dmp

Filesize
1024KB

Download
memory/4536-3-0x0000000000400000-0x0000000002C9B000-memory.dmp

Filesize
40.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads