33c8e9d960d664a8c7059012f28ae668f4c31fdd0d8e930f22098e7045015d8a

General

Target

68675b25fc8578ac2343eaeef553738f.exe
Size

2.7MB
MD5

68675b25fc8578ac2343eaeef553738f
SHA1

a84b27d78d47d10a66d9c542c7f878dee117c951
SHA256

33c8e9d960d664a8c7059012f28ae668f4c31fdd0d8e930f22098e7045015d8a
SHA512

91fa016790089fa49cde0df5730553cebf99587a0b46a50f9538284b0b06f97e2d0275e67444913d7467871c9101c6d7422fcb508eafa0010f2d3792296fb053
SSDEEP

49152:t+axysYC6syUkoPaPS2AJNyxUP+Mkt3ZlPl9Ggj2J3Y2peIu0XSkRDv0N:ytClVkoOSfJNAUW93ZlPP2Jo2wUXSaDv

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2396	Updater.exe

Executes dropped EXE 1 IoCs

pid	Process
2396	Updater.exe

Loads dropped DLL 6 IoCs

pid	Process
2196	68675b25fc8578ac2343eaeef553738f.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2744	2396	WerFault.exe	29

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	Updater.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2396	2196	68675b25fc8578ac2343eaeef553738f.exe	29
PID 2196 wrote to memory of 2396	2196	68675b25fc8578ac2343eaeef553738f.exe	29
PID 2196 wrote to memory of 2396	2196	68675b25fc8578ac2343eaeef553738f.exe	29
PID 2196 wrote to memory of 2396	2196	68675b25fc8578ac2343eaeef553738f.exe	29
PID 2196 wrote to memory of 2396	2196	68675b25fc8578ac2343eaeef553738f.exe	29
PID 2196 wrote to memory of 2396	2196	68675b25fc8578ac2343eaeef553738f.exe	29
PID 2196 wrote to memory of 2396	2196	68675b25fc8578ac2343eaeef553738f.exe	29
PID 2396 wrote to memory of 2744	2396	Updater.exe	31
PID 2396 wrote to memory of 2744	2396	Updater.exe	31
PID 2396 wrote to memory of 2744	2396	Updater.exe	31
PID 2396 wrote to memory of 2744	2396	Updater.exe	31

C:\Users\Admin\AppData\Local\Temp\68675b25fc8578ac2343eaeef553738f.exe
"C:\Users\Admin\AppData\Local\Temp\68675b25fc8578ac2343eaeef553738f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Roaming\Update\Updater.exe
  "C:\Users\Admin\AppData\Roaming\Update\Updater.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1204
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Update\Updater.exe

Filesize
640KB

MD5
ac57259a517b2ccab6e535602b124595

SHA1
405e75a6fb96844218e852b43911ed859736c611

SHA256
639e024c31063178983d079e92064ea11479b78a6d34e339f9f1173ba31bba84

SHA512
c67642cef1287dcb7200bb389f6ddb11e193185613a0664622466508266eb12a75528738c9970889596c4ad3ac08bbab6c678e326594885d6823fe0673f15629

Download Submit
C:\Users\Admin\AppData\Roaming\Update\Updater.exe

Filesize
2.7MB

MD5
68675b25fc8578ac2343eaeef553738f

SHA1
a84b27d78d47d10a66d9c542c7f878dee117c951

SHA256
33c8e9d960d664a8c7059012f28ae668f4c31fdd0d8e930f22098e7045015d8a

SHA512
91fa016790089fa49cde0df5730553cebf99587a0b46a50f9538284b0b06f97e2d0275e67444913d7467871c9101c6d7422fcb508eafa0010f2d3792296fb053

Download Submit
C:\Users\Admin\AppData\Roaming\Update\ver.txt

Filesize
6B

MD5
20d4ae0d4dc245fb9c50435f5aa5c8b0

SHA1
fe5ea185e09dd5edd998370add9c9ba9d1840919

SHA256
b043306e62b8d39723c6d1dc4ba65cafb892030ed8aa4d833742d5890c5b5f5a

SHA512
5437e42ea616b1f6fc409cd55a8619b2f6618d5fbfd5466743a63050851d827bc95687028fd3b275a510937d6c6af24726789fd0145683ab6722a2a0d11066ce

Download Submit
\Users\Admin\AppData\Roaming\Update\Updater.exe

Filesize
832KB

MD5
899839a8473b5998f1f47802151463cf

SHA1
4992586a36a4a64139076fd7b34fe830ea426d22

SHA256
195bc32b744a7cf53b51102a75421890f94184696c32d09357d589e91b2d558e

SHA512
a7105a58ee82f6457f4bd30fa2ffdd8afb2be8d425fb4ffd20ece5bb4c57c21bda673e26b63fa3fc79cbb9b75082072d048cddf02dc726e4d33458dc30ed5770

Download Submit
memory/2196-0-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2196-1-0x0000000000120000-0x00000000003DC000-memory.dmp

Filesize
2.7MB

Download
memory/2196-10-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2396-16-0x0000000000570000-0x00000000005E0000-memory.dmp

Filesize
448KB

Download
memory/2396-20-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download
memory/2396-15-0x0000000001150000-0x0000000001190000-memory.dmp

Filesize
256KB

Download
memory/2396-11-0x0000000001250000-0x000000000150C000-memory.dmp

Filesize
2.7MB

Download
memory/2396-17-0x0000000000C00000-0x0000000000CA2000-memory.dmp

Filesize
648KB

Download
memory/2396-18-0x0000000000310000-0x0000000000340000-memory.dmp

Filesize
192KB

Download
memory/2396-19-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/2396-12-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2396-22-0x0000000000740000-0x000000000074A000-memory.dmp

Filesize
40KB

Download
memory/2396-21-0x00000000006C0000-0x00000000006FC000-memory.dmp

Filesize
240KB

Download
memory/2396-23-0x0000000000DB0000-0x0000000000E5A000-memory.dmp

Filesize
680KB

Download
memory/2396-24-0x0000000000FE0000-0x0000000000FE8000-memory.dmp

Filesize
32KB

Download
memory/2396-30-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2396-31-0x0000000001150000-0x0000000001190000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing