8e2e630a5c2db04ebfe5bf38bd4521036bd46ce61d80218a9e966e01723c61e7

General

Target

4c86557942337f53a8daa62410618f05.exe
Size

701KB
MD5

4c86557942337f53a8daa62410618f05
SHA1

b083906d7cdefb878d8b920519d3db45b7f1b7e1
SHA256

8e2e630a5c2db04ebfe5bf38bd4521036bd46ce61d80218a9e966e01723c61e7
SHA512

e23af7463e8c35583fc916e4f2a48e8de1658910aa02c08dd0b7e8b5ca7adb5c7027a0c20305005ec16c2dfb4b771b87eb2c915110f6b136a076e1cb2b7a89bc
SSDEEP

12288:mAmCPIqDEXTzxO4t1+cv/RBlQ91p52xA3l7WGp/xnRaSoYCo6aOOpuTtUdiHE7tX:mAFFDERO4tccHRBSb2xmiGpnfCo1Iaof

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2324	b2e.exe

Loads dropped DLL 5 IoCs

pid	Process
2184	4c86557942337f53a8daa62410618f05.exe
2184	4c86557942337f53a8daa62410618f05.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2184-0-0x0000000000400000-0x000000000061B000-memory.dmp	upx
behavioral1/memory/2184-10-0x0000000000400000-0x000000000061B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2704	2324	WerFault.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2324	2184	4c86557942337f53a8daa62410618f05.exe	29
PID 2184 wrote to memory of 2324	2184	4c86557942337f53a8daa62410618f05.exe	29
PID 2184 wrote to memory of 2324	2184	4c86557942337f53a8daa62410618f05.exe	29
PID 2184 wrote to memory of 2324	2184	4c86557942337f53a8daa62410618f05.exe	29
PID 2324 wrote to memory of 2704	2324	b2e.exe	28
PID 2324 wrote to memory of 2704	2324	b2e.exe	28
PID 2324 wrote to memory of 2704	2324	b2e.exe	28
PID 2324 wrote to memory of 2704	2324	b2e.exe	28

C:\Users\Admin\AppData\Local\Temp\4c86557942337f53a8daa62410618f05.exe
"C:\Users\Admin\AppData\Local\Temp\4c86557942337f53a8daa62410618f05.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\5928.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5928.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5928.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\4c86557942337f53a8daa62410618f05.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 124
1⤵
- Loads dropped DLL
- Program crash
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5928.tmp\b2e.exe

Filesize
148KB

MD5
830506eb0fc0e24170c9a76de35bc38a

SHA1
426076b6488e8fa437c9ff897e95f6c6a89738bf

SHA256
554c86850185f74ebfd6c8fffb9b20313a98be418a7803e87e51d985bff7dbaa

SHA512
56c5201232af51213277249c13cdb97af66c4890eca04967c9b38da24f4d4ae3f45486203d3789b777041b3aaf02e5554c3ab0a7597f3a094fd8c7f28c0f5296

Download Submit
C:\Users\Admin\AppData\Local\Temp\5928.tmp\b2e.exe

Filesize
212KB

MD5
c88a99292a80008f897e79211368a58f

SHA1
db150bb056e870e062cf6c8457c19a797299ea43

SHA256
69fffbe070ed04bd9c290d076f2dbbc36cb0a0d764da519f651bb86b79faf0f4

SHA512
6463234cc03e5ae4f880c19f94142d200b310dd8128c1dea44029d567665ceed281f052b4c5432336301e886ef8d23da5e8cb002049cd76e3a0f7e7ce28aad9a

Download Submit
\Users\Admin\AppData\Local\Temp\5928.tmp\b2e.exe

Filesize
117KB

MD5
16f3d92704916a4b1dfd47058c83859c

SHA1
9d081cb719287264a525a96a3b0410869a39f8c7

SHA256
c5e27e5b513d68cad0b7b0d4680f38df4b3a4b6062e6dc34b555271ce55a395a

SHA512
c5e492203b40bf7d6f9fbc7fde41477f085d368d1be9ba93632aae71cdad71e54dbf059fcd249415bbacb149016d9296f506ea76ef6133a7bd8d7f60f086e047

Download Submit
\Users\Admin\AppData\Local\Temp\5928.tmp\b2e.exe

Filesize
110KB

MD5
0a3f1738835dbd015cff3083bed08517

SHA1
5fc9524a6a1b5080e906b8a03c59567b85e94bc3

SHA256
24427efa27ea6468d88f5f97eb64db3d82b5beaa63564a30b454c54dc00d77cb

SHA512
fcd2e4662a1c47112af0014e1d59a3692554f198c34c22a4169a95919fc77354d3ea6d0f5b0e7956a600e57e1e8422cae6d0d4a7d0cfad99249c76b63af5766b

Download Submit
\Users\Admin\AppData\Local\Temp\5928.tmp\b2e.exe

Filesize
19KB

MD5
e7c972fa2bd6ab1bb7ef4fa566b6006b

SHA1
fe32d33c5862bcb814b0f22313a98340d588dcc8

SHA256
04a9eb39146f044d757c711f43b375fc886bed2d7d47104a72df92adf7ab417c

SHA512
f89f844fc4abaabded27a8c3489f6ee537d0d7256fad0355e995979233675571304b3669b774b3bb1dbed8e291bab56555e9b81afeea4564645d794cc6035ea4

Download Submit
\Users\Admin\AppData\Local\Temp\5928.tmp\b2e.exe

Filesize
110KB

MD5
7204599cd74b95fde2072fcd6f48739d

SHA1
d4a06d05f8a520779ab2f2fb87f2c0b443a7cf7c

SHA256
1d7ef24ddf62d6d0e70574837c947833ec25bdc654c6f2dde7aac73b9bd5f9a4

SHA512
fe662eada77f93c2a74c4a2f600dffe9fe5062b3d17cdb22ac222d051e30f318878ff6bf5a6fc86fd2e2a402e15232c0021ff24bd9858fee373f5c70f611c26f

Download Submit
\Users\Admin\AppData\Local\Temp\5928.tmp\b2e.exe

Filesize
255KB

MD5
d1506368ca3f7ac46674d4ab89025a3d

SHA1
3abd40ce63b86684606ded9bce98a0455b28c612

SHA256
2bdbdfaabfc679583460a59f616f3342b78fc8bfd76588260c56ec34400abc0f

SHA512
38e0c0363b5ba1ec6c779a6f7cb7a09bdfde407290b24ca11e3c97b62947044e13d9f7ed33092d1990a481b703369942aef674cfddde6814cc96c8de2c56e0b0

Download Submit
memory/2184-10-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/2184-12-0x0000000000740000-0x0000000000745000-memory.dmp

Filesize
20KB

Download
memory/2184-11-0x0000000000740000-0x0000000000745000-memory.dmp

Filesize
20KB

Download
memory/2184-0-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/2184-17-0x0000000000740000-0x0000000000745000-memory.dmp

Filesize
20KB

Download
memory/2324-13-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing