ec0f1f32294a1e1edc444f2053be661f01545ef6d2fafc26ac9eadc599a9d122

General

Target

17cd0709ebbf638da495ba5c2fc26c60.exe
Size

4.6MB
MD5

17cd0709ebbf638da495ba5c2fc26c60
SHA1

8aaf01f9fd9ce8d026f8377b618b37db65a872f3
SHA256

ec0f1f32294a1e1edc444f2053be661f01545ef6d2fafc26ac9eadc599a9d122
SHA512

f9a832b913fe1942f8615903c6bbb93430621a8fce5a4a811ac7f33cefd93d9ec4070b35407bb492dfc123f8b3243f9512a86a5ca5d114c138ac9d41437236fc
SSDEEP

49152:BcZQ1xFz4h0wl+LrZpBrjgygRbNsm+kwjK23gygRbS+wWExz0IOIfGwDsLgygRbh:Bcy1xiZYLdpBrAZshuGZjxpPZshuH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1136	17cd0709ebbf638da495ba5c2fc26c60.exe

Executes dropped EXE 1 IoCs

pid	Process
1136	17cd0709ebbf638da495ba5c2fc26c60.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 11 IoCs

pid	pid_target	Process	procid_target
2696	1136	WerFault.exe	96
2608	1136	WerFault.exe	96
4164	1136	WerFault.exe	96
3112	1136	WerFault.exe	96
1716	1136	WerFault.exe	96
2972	1136	WerFault.exe	96
2040	1136	WerFault.exe	96
2468	1136	WerFault.exe	96
4604	1136	WerFault.exe	96
2696	1136	WerFault.exe	96
4208	1136	WerFault.exe	96

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1136	17cd0709ebbf638da495ba5c2fc26c60.exe
1136	17cd0709ebbf638da495ba5c2fc26c60.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
436	17cd0709ebbf638da495ba5c2fc26c60.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1136	17cd0709ebbf638da495ba5c2fc26c60.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 1136	436	17cd0709ebbf638da495ba5c2fc26c60.exe	96
PID 436 wrote to memory of 1136	436	17cd0709ebbf638da495ba5c2fc26c60.exe	96
PID 436 wrote to memory of 1136	436	17cd0709ebbf638da495ba5c2fc26c60.exe	96

C:\Users\Admin\AppData\Local\Temp\17cd0709ebbf638da495ba5c2fc26c60.exe
"C:\Users\Admin\AppData\Local\Temp\17cd0709ebbf638da495ba5c2fc26c60.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:436
- C:\Users\Admin\AppData\Local\Temp\17cd0709ebbf638da495ba5c2fc26c60.exe
  C:\Users\Admin\AppData\Local\Temp\17cd0709ebbf638da495ba5c2fc26c60.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 344
    3⤵
    - Program crash
    PID:2696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 636
    3⤵
    - Program crash
    PID:2608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 656
    3⤵
    - Program crash
    PID:4164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 656
    3⤵
    - Program crash
    PID:3112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 724
    3⤵
    - Program crash
    PID:1716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 888
    3⤵
    - Program crash
    PID:2972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 1408
    3⤵
    - Program crash
    PID:2040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 1412
    3⤵
    - Program crash
    PID:2468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 1644
    3⤵
    - Program crash
    PID:4604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 1492
    3⤵
    - Program crash
    PID:2696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 1712
    3⤵
    - Program crash
    PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 436 -ip 436
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1136 -ip 1136
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1136 -ip 1136
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1136 -ip 1136
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1136 -ip 1136
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1136 -ip 1136
1⤵
PID:676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1136 -ip 1136
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1136 -ip 1136
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1136 -ip 1136
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1136 -ip 1136
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1136 -ip 1136
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1136 -ip 1136
1⤵
PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\17cd0709ebbf638da495ba5c2fc26c60.exe

Filesize
4.6MB

MD5
20f36afffc5b452b65ee3f8cac0a19a3

SHA1
427418ab63a3324030e0ef7d2eb80431f933740f

SHA256
9f4494b39733e7098819c5527b3eb5613b6fe2a45da84bae343cbcd77ece6ec0

SHA512
80595eebf7b4a8247512e8907a87166fd8e6f2a0914bffe6622007f126286218f3931df369e6cb42d1c3c63a086d95305c3b5ab4764ee57890f9e5cb307207d4

Download Submit
memory/436-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/436-1-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/436-2-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/436-6-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1136-10-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1136-11-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1136-14-0x0000000005180000-0x000000000528D000-memory.dmp

Filesize
1.1MB

Download
memory/1136-15-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1136-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1136-29-0x000000000B920000-0x000000000B9C3000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing