e91f362c64fc5681796f90cc10222cb123f92b1227f7f7611c05a10e791c37dd

General

Target

1171e22c349904548e63384c12179029.exe
Size

2.5MB
MD5

1171e22c349904548e63384c12179029
SHA1

4980faf8dc06b737055a86e83cabce22695415dc
SHA256

e91f362c64fc5681796f90cc10222cb123f92b1227f7f7611c05a10e791c37dd
SHA512

abff221b867a31dffaf6355beb8ee38c858aa3ade34485de0c678075a5ac7a8ab93ae6d51ad2292018d16d7ab6af5c7ae5e7a49b20b7e77f04968b94ba910a95
SSDEEP

49152:XIWxTdDQkIZXuve4D7vd3faTbKsjzFYs0Qhn3QZP5H:aZ+W4VaTfzFh0QOx5H

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/508-2-0x0000000000400000-0x000000000066D000-memory.dmp	upx
behavioral2/memory/508-0-0x0000000000400000-0x000000000066D000-memory.dmp	upx
behavioral2/memory/508-58-0x0000000005BD0000-0x0000000005C2B000-memory.dmp	upx
behavioral2/memory/508-36-0x0000000005BD0000-0x0000000005C2B000-memory.dmp	upx
behavioral2/memory/508-98-0x0000000000400000-0x000000000066D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
2632	508	WerFault.exe	14
1684	508	WerFault.exe	14
3800	508	WerFault.exe	14
4084	508	WerFault.exe	14
2688	508	WerFault.exe	14
4608	508	WerFault.exe	14
5024	508	WerFault.exe	14
3796	508	WerFault.exe	14
5072	508	WerFault.exe	14
4404	508	WerFault.exe	14
464	508	WerFault.exe	14
1276	508	WerFault.exe	14
460	508	WerFault.exe	14
4804	508	WerFault.exe	14
3940	508	WerFault.exe	14

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
508	1171e22c349904548e63384c12179029.exe
508	1171e22c349904548e63384c12179029.exe
508	1171e22c349904548e63384c12179029.exe

C:\Users\Admin\AppData\Local\Temp\1171e22c349904548e63384c12179029.exe
"C:\Users\Admin\AppData\Local\Temp\1171e22c349904548e63384c12179029.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 952
  2⤵
  - Program crash
  PID:2632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 960
  2⤵
  - Program crash
  PID:1684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1004
  2⤵
  - Program crash
  PID:3800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1012
  2⤵
  - Program crash
  PID:4084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1100
  2⤵
  - Program crash
  PID:2688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1104
  2⤵
  - Program crash
  PID:4608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1108
  2⤵
  - Program crash
  PID:5024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1848
  2⤵
  - Program crash
  PID:3796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1876
  2⤵
  - Program crash
  PID:5072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 2060
  2⤵
  - Program crash
  PID:4404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 2140
  2⤵
  - Program crash
  PID:464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 2160
  2⤵
  - Program crash
  PID:1276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 2180
  2⤵
  - Program crash
  PID:460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 2208
  2⤵
  - Program crash
  PID:4804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 996
  2⤵
  - Program crash
  PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 508 -ip 508
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 508 -ip 508
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 508 -ip 508
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 508 -ip 508
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 508 -ip 508
1⤵
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 508 -ip 508
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 508 -ip 508
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 508 -ip 508
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 508 -ip 508
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 508 -ip 508
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 508 -ip 508
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 508 -ip 508
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 508 -ip 508
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 508 -ip 508
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 508 -ip 508
1⤵
PID:3804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/508-1-0x0000000002590000-0x00000000026D0000-memory.dmp

Filesize
1.2MB

Download
memory/508-2-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/508-3-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/508-0-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/508-58-0x0000000005BD0000-0x0000000005C2B000-memory.dmp

Filesize
364KB

Download
memory/508-36-0x0000000005BD0000-0x0000000005C2B000-memory.dmp

Filesize
364KB

Download
memory/508-98-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/508-100-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/508-101-0x0000000005BD0000-0x0000000005C2B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing