994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161

General

Target

994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe
Size

1.0MB
MD5

6c8bf9d58bc59cf932c191685e876a12
SHA1

37da75e49436812865bf282bad192184671d4146
SHA256

994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161
SHA512

a147f54fa6269d2f5c75442a37e2aa50171ec40b2758641cfc23016fbf016cc8e4004e55658bdec382992de23dbceb2bb4448ca422a6b90c9d062a87758c6d8f
SSDEEP

12288:gkMpr9r8VmlviN+Kj6Yhx6xrjlDa/ZS8pniF+G4V:+vQrEa/ZS8pniF+t

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2988	994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe

Executes dropped EXE 1 IoCs

pid	Process
2988	994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe

Loads dropped DLL 4 IoCs

pid	Process
2848	994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process
2568	2988	WerFault.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2848	994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2988	994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2988	2848	994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe	29
PID 2848 wrote to memory of 2988	2848	994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe	29
PID 2848 wrote to memory of 2988	2848	994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe	29
PID 2848 wrote to memory of 2988	2848	994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe	29
PID 2988 wrote to memory of 2568	2988	994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe	30
PID 2988 wrote to memory of 2568	2988	994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe	30
PID 2988 wrote to memory of 2568	2988	994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe	30
PID 2988 wrote to memory of 2568	2988	994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe	30

C:\Users\Admin\AppData\Local\Temp\994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe
"C:\Users\Admin\AppData\Local\Temp\994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe
  C:\Users\Admin\AppData\Local\Temp\994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 144
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe

Filesize
36KB

MD5
61e6c912614edc02245f70c53b423d86

SHA1
430094be2dfee6993307d91da28dbb299b7938ba

SHA256
fc9601cd9e6f7ba3a24b981d1720380550db4a4cccc0faa5463d004f9a8b3834

SHA512
299d87fe13445d0dcedf998e7c502ecc006d35e78debb287f2596685bdd121db3966d0109cba24c92237ac17d0de234364ea256d4399967f5dfb90467177bbcb

Download Submit
\Users\Admin\AppData\Local\Temp\994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe

Filesize
48KB

MD5
726504f316a1dd139dc71360626d9210

SHA1
e907ff558e97a0968d7334a2a33847101693d8c3

SHA256
a06dbe0b464b19ae84c784213dd4418871f5a8b061d9d853d0f912298cb268cc

SHA512
f25ab29c08b1cd050032e1b0a299af563a5138ac8033336d4a0dc4c0e7ebfc84d6084199d1def5ffa510d82dd802b61073caba8f900ff2f40f10ebec5a554523

Download Submit
\Users\Admin\AppData\Local\Temp\994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe

Filesize
52KB

MD5
5452763b94a5aef5ceb5921fdf29dc4c

SHA1
32b7a427f8a011c0fc2c1124ad066e903c265ec9

SHA256
8c63c95a804cfc4618a7ff8657866715e29a77aac7ff79af9b4608f6cb531d48

SHA512
84ae10615d5ba1075335d3cd6ce7a38114f7c399cc0b8dc2b908173ed50feed91cd5f53f23f5e7aabf8d5cd772ef3aba80c80ef5f51740efa19e1da5887ac0fd

Download Submit
\Users\Admin\AppData\Local\Temp\994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe

Filesize
117KB

MD5
2e207115a61cdbe8c3caf141f2635d48

SHA1
e5bc439e6c508448b6b5fffbc0a6def7107adbf7

SHA256
0173d8f80f12120d1f02ae1cadf2af8e05365220266b7cb1cf4865068bbc3024

SHA512
40faa6f4fc6180770c568e06299d744e6eafae9e619190c8539786067da8d1ef4beb0b7d03c3f43131221d029f2315bf39a0c070671bdc229a18ee1d546be1f7

Download Submit
\Users\Admin\AppData\Local\Temp\994638a560a2ba47c9a85fd601e3efac56ab2afb03a860b4cb7e0f40b392f161.exe

Filesize
41KB

MD5
2ba3aa8299ca5a837ebb64ff94c95132

SHA1
0894c08e62943f5c152cbd06f45a5d7b9b071969

SHA256
c784b07a9f715ef010ecc26fbe42cf9c97ba2b8fde17e29ba1b792d80e431e9c

SHA512
4048e78e1b75510f94c041588d0cc10a742652da3d182b22af0fa13a3e5db49ccd921817b0d707e24acc69d586e95e41a1145458817aa6e0e04c62af5186178f

Download Submit
memory/2848-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2848-8-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2848-7-0x0000000002E70000-0x0000000002F58000-memory.dmp

Filesize
928KB

Download
memory/2988-10-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2988-11-0x0000000002E60000-0x0000000002F48000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing