ab58fcf41f468d22512910665ca2c2e01265fb295b6d3a6a93401f7208926206

General

Target

8f9a9fa8eb2a1ac736d550dfb20730c5.exe
Size

7.9MB
MD5

8f9a9fa8eb2a1ac736d550dfb20730c5
SHA1

1c8a178456752a2ef5d926ff858b03c7495f5fe4
SHA256

ab58fcf41f468d22512910665ca2c2e01265fb295b6d3a6a93401f7208926206
SHA512

3d4388a9341937f515211a7b64fc5d445136e98fa1f2e612741dc939aa6e100c7c3c3d8af891adcd48ee484c13f59a147cee84ee19a5859d4992c6b2638c1912
SSDEEP

98304:loNH1oTiMUazLNzfzYUazSErc/ZLUazLNzfzYUazH:KNVoTiMJLBEJ6ZLJLBEJH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2528	8f9a9fa8eb2a1ac736d550dfb20730c5.exe

Executes dropped EXE 1 IoCs

pid	Process
2528	8f9a9fa8eb2a1ac736d550dfb20730c5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	pastebin.com
15	pastebin.com

Program crash 14 IoCs

pid	pid_target	Process	procid_target
5008	4032	WerFault.exe	28
4432	2528	WerFault.exe	94
1284	2528	WerFault.exe	94
1212	2528	WerFault.exe	94
1904	2528	WerFault.exe	94
876	2528	WerFault.exe	94
3896	2528	WerFault.exe	94
1184	2528	WerFault.exe	94
4740	2528	WerFault.exe	94
3192	2528	WerFault.exe	94
2680	2528	WerFault.exe	94
1288	2528	WerFault.exe	94
4744	2528	WerFault.exe	94
5108	2528	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2528	8f9a9fa8eb2a1ac736d550dfb20730c5.exe
2528	8f9a9fa8eb2a1ac736d550dfb20730c5.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4032	8f9a9fa8eb2a1ac736d550dfb20730c5.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2528	8f9a9fa8eb2a1ac736d550dfb20730c5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 2528	4032	8f9a9fa8eb2a1ac736d550dfb20730c5.exe	94
PID 4032 wrote to memory of 2528	4032	8f9a9fa8eb2a1ac736d550dfb20730c5.exe	94
PID 4032 wrote to memory of 2528	4032	8f9a9fa8eb2a1ac736d550dfb20730c5.exe	94

C:\Users\Admin\AppData\Local\Temp\8f9a9fa8eb2a1ac736d550dfb20730c5.exe
"C:\Users\Admin\AppData\Local\Temp\8f9a9fa8eb2a1ac736d550dfb20730c5.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 348
  2⤵
  - Program crash
  PID:5008
- C:\Users\Admin\AppData\Local\Temp\8f9a9fa8eb2a1ac736d550dfb20730c5.exe
  C:\Users\Admin\AppData\Local\Temp\8f9a9fa8eb2a1ac736d550dfb20730c5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 344
    3⤵
    - Program crash
    PID:4432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 636
    3⤵
    - Program crash
    PID:1284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 644
    3⤵
    - Program crash
    PID:1212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 684
    3⤵
    - Program crash
    PID:1904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 680
    3⤵
    - Program crash
    PID:876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 896
    3⤵
    - Program crash
    PID:3896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1404
    3⤵
    - Program crash
    PID:1184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1464
    3⤵
    - Program crash
    PID:4740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1680
    3⤵
    - Program crash
    PID:3192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1516
    3⤵
    - Program crash
    PID:2680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1504
    3⤵
    - Program crash
    PID:1288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1512
    3⤵
    - Program crash
    PID:4744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1688
    3⤵
    - Program crash
    PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4032 -ip 4032
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2528 -ip 2528
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2528 -ip 2528
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2528 -ip 2528
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2528 -ip 2528
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2528 -ip 2528
1⤵
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2528 -ip 2528
1⤵
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2528 -ip 2528
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2528 -ip 2528
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2528 -ip 2528
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2528 -ip 2528
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2528 -ip 2528
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2528 -ip 2528
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2528 -ip 2528
1⤵
PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8f9a9fa8eb2a1ac736d550dfb20730c5.exe

Filesize
314KB

MD5
691224614c82ba8e885aab56399b07a2

SHA1
4d245eb0d151e83aeb5c1e405e3e46a434d1a4ae

SHA256
781f0338a307101ec45ff19b1069685457aa0860f4cb3aa67d78d669910aa3dd

SHA512
8adbb7e34235bdecee9e6f4d9a54a2ae8cf237aec99cda8e8f986ddefdde1be28b8fd7fcdf67f6591d812970a63b9d7be286df357b07b341a810c9de87aa3982

Download Submit
memory/2528-7-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2528-12-0x0000000001680000-0x0000000001765000-memory.dmp

Filesize
916KB

Download
memory/2528-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2528-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2528-20-0x000000000EAC0000-0x000000000EB63000-memory.dmp

Filesize
652KB

Download
memory/4032-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4032-6-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download

Analysis

Sharing