f9052cede772597a2c2d7f4254bd096c436b5c68398dd72be1ebc0f7efdfa40e

General

Target

f9052cede772597a2c2d7f4254bd096c436b5c68398dd72be1ebc0f7efdfa40e.exe
Size

1.2MB
MD5

07fed83fa95f9544acf4bdf0edee40d1
SHA1

5bbe875e5bf9e05a3d02c189e456a594657874a5
SHA256

f9052cede772597a2c2d7f4254bd096c436b5c68398dd72be1ebc0f7efdfa40e
SHA512

e42af03333926e36b40955fd6d45ccdae11d35dc02bcf9aadc20e094129067afc187fd8091dd83cf7397b354d63321e49c0face44889e647631352ecbee8fcb4
SSDEEP

24576:N2VThyaS9gJkjC6w8axxx7dKoua/ZSW77Lv+f6T8Qnskb2i6OEE:N2VThyTgiOPxxx0ghbq4TyE

Score

9^/10

Malware Config

Signatures

Detects executables (downlaoders) containing URLs to raw contents of a paste 2 IoCs

resource	yara_rule
behavioral2/memory/3924-9-0x0000000000400000-0x00000000004A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral2/memory/3924-22-0x000000000B9B0000-0x000000000BA53000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

Deletes itself 1 IoCs

pid	Process
3924	f9052cede772597a2c2d7f4254bd096c436b5c68398dd72be1ebc0f7efdfa40e.exe

Executes dropped EXE 1 IoCs

pid	Process
3924	f9052cede772597a2c2d7f4254bd096c436b5c68398dd72be1ebc0f7efdfa40e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
35	pastebin.com
34	pastebin.com

Program crash 13 IoCs

pid	pid_target	Process	procid_target
4956	548	WerFault.exe	83
4816	3924	WerFault.exe	95
3796	3924	WerFault.exe	95
2656	3924	WerFault.exe	95
4508	3924	WerFault.exe	95
4092	3924	WerFault.exe	95
1492	3924	WerFault.exe	95
4656	3924	WerFault.exe	95
3268	3924	WerFault.exe	95
520	3924	WerFault.exe	95
2188	3924	WerFault.exe	95
520	3924	WerFault.exe	95
4568	3924	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3924	f9052cede772597a2c2d7f4254bd096c436b5c68398dd72be1ebc0f7efdfa40e.exe
3924	f9052cede772597a2c2d7f4254bd096c436b5c68398dd72be1ebc0f7efdfa40e.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
548	f9052cede772597a2c2d7f4254bd096c436b5c68398dd72be1ebc0f7efdfa40e.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3924	f9052cede772597a2c2d7f4254bd096c436b5c68398dd72be1ebc0f7efdfa40e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 3924	548	f9052cede772597a2c2d7f4254bd096c436b5c68398dd72be1ebc0f7efdfa40e.exe	95
PID 548 wrote to memory of 3924	548	f9052cede772597a2c2d7f4254bd096c436b5c68398dd72be1ebc0f7efdfa40e.exe	95
PID 548 wrote to memory of 3924	548	f9052cede772597a2c2d7f4254bd096c436b5c68398dd72be1ebc0f7efdfa40e.exe	95

C:\Users\Admin\AppData\Local\Temp\f9052cede772597a2c2d7f4254bd096c436b5c68398dd72be1ebc0f7efdfa40e.exe
"C:\Users\Admin\AppData\Local\Temp\f9052cede772597a2c2d7f4254bd096c436b5c68398dd72be1ebc0f7efdfa40e.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 344
  2⤵
  - Program crash
  PID:4956
- C:\Users\Admin\AppData\Local\Temp\f9052cede772597a2c2d7f4254bd096c436b5c68398dd72be1ebc0f7efdfa40e.exe
  C:\Users\Admin\AppData\Local\Temp\f9052cede772597a2c2d7f4254bd096c436b5c68398dd72be1ebc0f7efdfa40e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:3924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 344
    3⤵
    - Program crash
    PID:4816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 628
    3⤵
    - Program crash
    PID:3796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 648
    3⤵
    - Program crash
    PID:2656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 640
    3⤵
    - Program crash
    PID:4508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 648
    3⤵
    - Program crash
    PID:4092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 864
    3⤵
    - Program crash
    PID:1492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1396
    3⤵
    - Program crash
    PID:4656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1420
    3⤵
    - Program crash
    PID:3268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1464
    3⤵
    - Program crash
    PID:520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1480
    3⤵
    - Program crash
    PID:2188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1532
    3⤵
    - Program crash
    PID:520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1124
    3⤵
    - Program crash
    PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 548 -ip 548
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3924 -ip 3924
1⤵
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3924 -ip 3924
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3924 -ip 3924
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3924 -ip 3924
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3924 -ip 3924
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3924 -ip 3924
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3924 -ip 3924
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3924 -ip 3924
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3924 -ip 3924
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3924 -ip 3924
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3924 -ip 3924
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3924 -ip 3924
1⤵
PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f9052cede772597a2c2d7f4254bd096c436b5c68398dd72be1ebc0f7efdfa40e.exe

Filesize
1.2MB

MD5
bcd9c0347035ea91b0bb05d8eba3d71d

SHA1
b21d0ddcd678bf30c0e4348fd817958d159f8445

SHA256
8cc30817aa6d48290ec29c29f84e7ce4194085c26e673ee1cf8750dcf346999f

SHA512
bafdb4033163f0cb0ef31864fe62ef3e5e4539a8fca02b58a57405f8c3aff2094cc26eb6bd3795073da53a4926a2131191575a897edcc67d37fdff3b2289764c

Download Submit
memory/548-0-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/548-7-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/3924-6-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/3924-8-0x0000000005030000-0x000000000511D000-memory.dmp

Filesize
948KB

Download
memory/3924-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3924-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3924-22-0x000000000B9B0000-0x000000000BA53000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing