19679cbc4b7cd73fd4501ed735c351aaf8335f2adbf8a1d25965e87b683cd5bd

General

Target

4df392aaa1d685e96cdc2cfbd98b75eb.exe
Size

3.9MB
MD5

4df392aaa1d685e96cdc2cfbd98b75eb
SHA1

4f5f91388dc11eac90e8d288b82ee51b007c41f6
SHA256

19679cbc4b7cd73fd4501ed735c351aaf8335f2adbf8a1d25965e87b683cd5bd
SHA512

b2f10bfc9597f4c4885496a1c8d9b6e0e826ee4c3461830601b45a7b595c9722edfd2436d101d10bb202bc2fd4e720422a903c8d631223b79d08c7c2dd6f16dd
SSDEEP

98304:2QXkDgpaCcakcibiqhGccFd3ucakcibiqh0V314pLG9cakcibiqhGccFd3ucakcO:2RgpxdlirRM5udlirqVl4g9dlirRM5u+

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5024	4df392aaa1d685e96cdc2cfbd98b75eb.exe

Executes dropped EXE 1 IoCs

pid	Process
5024	4df392aaa1d685e96cdc2cfbd98b75eb.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/816-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/memory/5024-14-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 18 IoCs

pid	pid_target	Process	procid_target
1952	5024	WerFault.exe
2284	5024	WerFault.exe
1992	5024	WerFault.exe
1228	5024	WerFault.exe
2908	5024	WerFault.exe	33
3204	5024	WerFault.exe	33
1040	5024	WerFault.exe	33
2120	5024	WerFault.exe	33
4776	5024	WerFault.exe	33
2668	5024	WerFault.exe	33
4708	5024	WerFault.exe	33
2748	5024	WerFault.exe	33
1140	5024	WerFault.exe	33
4320	5024	WerFault.exe	33
1476	5024	WerFault.exe	33
3964	5024	WerFault.exe	33
2668	5024	WerFault.exe	33
540	5024	WerFault.exe	33

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5112	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
816	4df392aaa1d685e96cdc2cfbd98b75eb.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
816	4df392aaa1d685e96cdc2cfbd98b75eb.exe
5024	4df392aaa1d685e96cdc2cfbd98b75eb.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 5024	816	4df392aaa1d685e96cdc2cfbd98b75eb.exe	33
PID 816 wrote to memory of 5024	816	4df392aaa1d685e96cdc2cfbd98b75eb.exe	33
PID 816 wrote to memory of 5024	816	4df392aaa1d685e96cdc2cfbd98b75eb.exe	33
PID 5024 wrote to memory of 5112	5024	4df392aaa1d685e96cdc2cfbd98b75eb.exe	25
PID 5024 wrote to memory of 5112	5024	4df392aaa1d685e96cdc2cfbd98b75eb.exe	25
PID 5024 wrote to memory of 5112	5024	4df392aaa1d685e96cdc2cfbd98b75eb.exe	25
PID 5024 wrote to memory of 1052	5024	4df392aaa1d685e96cdc2cfbd98b75eb.exe	24
PID 5024 wrote to memory of 1052	5024	4df392aaa1d685e96cdc2cfbd98b75eb.exe	24
PID 5024 wrote to memory of 1052	5024	4df392aaa1d685e96cdc2cfbd98b75eb.exe	24
PID 1052 wrote to memory of 1300	1052	cmd.exe	19
PID 1052 wrote to memory of 1300	1052	cmd.exe	19
PID 1052 wrote to memory of 1300	1052	cmd.exe	19

C:\Users\Admin\AppData\Local\Temp\4df392aaa1d685e96cdc2cfbd98b75eb.exe
"C:\Users\Admin\AppData\Local\Temp\4df392aaa1d685e96cdc2cfbd98b75eb.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\4df392aaa1d685e96cdc2cfbd98b75eb.exe
  C:\Users\Admin\AppData\Local\Temp\4df392aaa1d685e96cdc2cfbd98b75eb.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 724
    3⤵
    - Program crash
    PID:2908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 756
    3⤵
    - Program crash
    PID:3204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1464
    3⤵
    - Program crash
    PID:1040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1916
    3⤵
    - Program crash
    PID:2120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 2144
    3⤵
    - Program crash
    PID:4776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 2148
    3⤵
    - Program crash
    PID:2668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1956
    3⤵
    - Program crash
    PID:4708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 2144
    3⤵
    - Program crash
    PID:2748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1972
    3⤵
    - Program crash
    PID:1140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1904
    3⤵
    - Program crash
    PID:4320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 2104
    3⤵
    - Program crash
    PID:1476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 2168
    3⤵
    - Program crash
    PID:3964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1984
    3⤵
    - Program crash
    PID:2668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 632
    3⤵
    - Program crash
    PID:540

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN nMQUF5AE494a
1⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5024 -ip 5024
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 604
1⤵
- Program crash
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks.exe /Query /XML /TN nMQUF5AE494a > C:\Users\Admin\AppData\Local\Temp\QDI4MHx.xml
1⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\4df392aaa1d685e96cdc2cfbd98b75eb.exe" /TN nMQUF5AE494a /F
1⤵
- Creates scheduled task(s)
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5024 -ip 5024
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 620
1⤵
- Program crash
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5024 -ip 5024
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 736
1⤵
- Program crash
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5024 -ip 5024
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 740
1⤵
- Program crash
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5024 -ip 5024
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5024 -ip 5024
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5024 -ip 5024
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5024 -ip 5024
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5024 -ip 5024
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5024 -ip 5024
1⤵
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5024 -ip 5024
1⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5024 -ip 5024
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5024 -ip 5024
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5024 -ip 5024
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5024 -ip 5024
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5024 -ip 5024
1⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5024 -ip 5024
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5024 -ip 5024
1⤵
PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/816-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/816-7-0x0000000001750000-0x00000000017CE000-memory.dmp

Filesize
504KB

Download
memory/816-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/816-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5024-14-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/5024-21-0x00000000018C0000-0x000000000193E000-memory.dmp

Filesize
504KB

Download
memory/5024-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5024-22-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/5024-40-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads