3952095abe30bc7af7ed1bd9de8d9075054f0c78478c5e471459a996423318a4

General

Target

4f9cbcf50a8051861ac332ba69a1a9fa.exe
Size

1003KB
MD5

4f9cbcf50a8051861ac332ba69a1a9fa
SHA1

8a6ac6793b6a6f5e80db6bdbc19c796b85d3c1e9
SHA256

3952095abe30bc7af7ed1bd9de8d9075054f0c78478c5e471459a996423318a4
SHA512

e854b80b64d053fdd3bd0303970f85246ccc177ea3eb8a2956aa29381db812fb962a4aab7ca1006eaeb858e4a32f86c05c4fee4c4119f1f04aa9580349ba79e3
SSDEEP

24576:FuJb2LsGxY6ThY8FzyGQoadai7D3uITjIFOxo53ApIj:F+2pxYehYkzyGQ7ai7D3xTgOxYwpK

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3420	4f9cbcf50a8051861ac332ba69a1a9fa.exe

Executes dropped EXE 1 IoCs

pid	Process
3420	4f9cbcf50a8051861ac332ba69a1a9fa.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4976-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x00080000000231f9-12.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3948	3420	WerFault.exe
3644	3420	WerFault.exe
2992	3420	WerFault.exe	29

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2472	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4976	4f9cbcf50a8051861ac332ba69a1a9fa.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4976	4f9cbcf50a8051861ac332ba69a1a9fa.exe
3420	4f9cbcf50a8051861ac332ba69a1a9fa.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 3420	4976	4f9cbcf50a8051861ac332ba69a1a9fa.exe	29
PID 4976 wrote to memory of 3420	4976	4f9cbcf50a8051861ac332ba69a1a9fa.exe	29
PID 4976 wrote to memory of 3420	4976	4f9cbcf50a8051861ac332ba69a1a9fa.exe	29
PID 3420 wrote to memory of 2472	3420	4f9cbcf50a8051861ac332ba69a1a9fa.exe	17
PID 3420 wrote to memory of 2472	3420	4f9cbcf50a8051861ac332ba69a1a9fa.exe	17
PID 3420 wrote to memory of 2472	3420	4f9cbcf50a8051861ac332ba69a1a9fa.exe	17
PID 3420 wrote to memory of 944	3420	4f9cbcf50a8051861ac332ba69a1a9fa.exe	26
PID 3420 wrote to memory of 944	3420	4f9cbcf50a8051861ac332ba69a1a9fa.exe	26
PID 3420 wrote to memory of 944	3420	4f9cbcf50a8051861ac332ba69a1a9fa.exe	26
PID 944 wrote to memory of 3892	944	cmd.exe	23
PID 944 wrote to memory of 3892	944	cmd.exe	23
PID 944 wrote to memory of 3892	944	cmd.exe	23

C:\Users\Admin\AppData\Local\Temp\4f9cbcf50a8051861ac332ba69a1a9fa.exe
"C:\Users\Admin\AppData\Local\Temp\4f9cbcf50a8051861ac332ba69a1a9fa.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Users\Admin\AppData\Local\Temp\4f9cbcf50a8051861ac332ba69a1a9fa.exe
  C:\Users\Admin\AppData\Local\Temp\4f9cbcf50a8051861ac332ba69a1a9fa.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 1020
    3⤵
    - Program crash
    PID:2992

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\4f9cbcf50a8051861ac332ba69a1a9fa.exe" /TN 0Su7L8S745c1 /F
1⤵
- Creates scheduled task(s)
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 3420 -ip 3420
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 604
1⤵
- Program crash
PID:3948

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN 0Su7L8S745c1
1⤵
PID:3892

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks.exe /Query /XML /TN 0Su7L8S745c1 > C:\Users\Admin\AppData\Local\Temp\P553X3.xml
1⤵
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3420 -ip 3420
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 632
1⤵
- Program crash
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3420 -ip 3420
1⤵
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4f9cbcf50a8051861ac332ba69a1a9fa.exe

Filesize
1003KB

MD5
a300389e0160c21aee976bcf093bead1

SHA1
fcd9a59ae92e6cfaaeac8f5ff6d569254f4b22d8

SHA256
3dbf7032771b29386e335af578f0bf7240604f0f55b176e2c84161d25dc8eb8c

SHA512
880e1b018b2c999eb33184b95459416200ba565779541c10c9ea6270351dec7aafc6ef8e845a0d6253c6d22a83c2b2c40de18e1e3de358a43896a4f142f0e77c

Download Submit
memory/3420-17-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3420-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3420-22-0x00000000004B0000-0x000000000051B000-memory.dmp

Filesize
428KB

Download
memory/3420-15-0x00000000016E0000-0x000000000175E000-memory.dmp

Filesize
504KB

Download
memory/3420-40-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4976-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4976-6-0x0000000025060000-0x00000000250DE000-memory.dmp

Filesize
504KB

Download
memory/4976-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4976-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads