8f8551b5d2ef1ebcad0089037b8bab22d43f56b70b77745c0348873632981e26

General

Target

53133fe14b92748168da549e48f9d0f7.exe
Size

3.9MB
MD5

53133fe14b92748168da549e48f9d0f7
SHA1

a02d47678a49eb04be1f4a93edc9c91bec850046
SHA256

8f8551b5d2ef1ebcad0089037b8bab22d43f56b70b77745c0348873632981e26
SHA512

6cac0d968d101b700166c4dbd00c56e6b65d9a4943e51bcc8441d71201f562af36e9e5002072c31f93222dd2f245aebdee78ea7763b58c2a0a29d4f387d3da0e
SSDEEP

98304:+0lVLVwMF9cakcibiqhMbMgOn7n0bcakcibiqhsEgxrBcakcibiqhMbMgOn7n0b2:3P1F9dlirybMgOnkdlirOdlirybMgOnD

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
996	53133fe14b92748168da549e48f9d0f7.exe

Executes dropped EXE 1 IoCs

pid	Process
996	53133fe14b92748168da549e48f9d0f7.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1716-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/memory/996-14-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 5 IoCs

pid	pid_target	Process	procid_target
3656	996	WerFault.exe
1140	996	WerFault.exe
3684	996	WerFault.exe
2568	996	WerFault.exe	32
2008	996	WerFault.exe	32

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
624	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1716	53133fe14b92748168da549e48f9d0f7.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1716	53133fe14b92748168da549e48f9d0f7.exe
996	53133fe14b92748168da549e48f9d0f7.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 996	1716	53133fe14b92748168da549e48f9d0f7.exe	32
PID 1716 wrote to memory of 996	1716	53133fe14b92748168da549e48f9d0f7.exe	32
PID 1716 wrote to memory of 996	1716	53133fe14b92748168da549e48f9d0f7.exe	32
PID 996 wrote to memory of 624	996	53133fe14b92748168da549e48f9d0f7.exe	26
PID 996 wrote to memory of 624	996	53133fe14b92748168da549e48f9d0f7.exe	26
PID 996 wrote to memory of 624	996	53133fe14b92748168da549e48f9d0f7.exe	26
PID 996 wrote to memory of 3328	996	53133fe14b92748168da549e48f9d0f7.exe	24
PID 996 wrote to memory of 3328	996	53133fe14b92748168da549e48f9d0f7.exe	24
PID 996 wrote to memory of 3328	996	53133fe14b92748168da549e48f9d0f7.exe	24
PID 3328 wrote to memory of 4868	3328	cmd.exe	23
PID 3328 wrote to memory of 4868	3328	cmd.exe	23
PID 3328 wrote to memory of 4868	3328	cmd.exe	23

C:\Users\Admin\AppData\Local\Temp\53133fe14b92748168da549e48f9d0f7.exe
"C:\Users\Admin\AppData\Local\Temp\53133fe14b92748168da549e48f9d0f7.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\53133fe14b92748168da549e48f9d0f7.exe
  C:\Users\Admin\AppData\Local\Temp\53133fe14b92748168da549e48f9d0f7.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 628
    3⤵
    - Program crash
    PID:2568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 716
    3⤵
    - Program crash
    PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 996 -ip 996
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 600
1⤵
- Program crash
PID:3656

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN nMQUF5AE494a
1⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c schtasks.exe /Query /XML /TN nMQUF5AE494a > C:\Users\Admin\AppData\Local\Temp\dgjxJZQ.xml
1⤵
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\53133fe14b92748168da549e48f9d0f7.exe" /TN nMQUF5AE494a /F
1⤵
- Creates scheduled task(s)
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 996 -ip 996
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 632
1⤵
- Program crash
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 716
1⤵
- Program crash
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 996 -ip 996
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 996 -ip 996
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 996 -ip 996
1⤵
PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/996-14-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/996-23-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/996-22-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/996-17-0x0000000025010000-0x000000002508E000-memory.dmp

Filesize
504KB

Download
memory/996-40-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1716-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1716-2-0x0000000001720000-0x000000000179E000-memory.dmp

Filesize
504KB

Download
memory/1716-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1716-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads