9529272735e60b1640ddafa4c73aec9f0a8dbceef790402e7632899597cdec17

General

Target

e0d18ca93ad7ce55c1d8de4f06cfd4d3.exe
Size

4.6MB
MD5

e0d18ca93ad7ce55c1d8de4f06cfd4d3
SHA1

a43f0e63630e32755dc5940f2f5b0947cba915ce
SHA256

9529272735e60b1640ddafa4c73aec9f0a8dbceef790402e7632899597cdec17
SHA512

3a4ad66f135c06d46f77c23aa99325c45ab820da8bfa9388c30634ec48d59e04a5c133a7b1ce386d024f44ec35a55c0decd3a661f1285b4fe0be6ee2ecf6c8b9
SSDEEP

49152:zq4Z04vjXcMgygRbNsm+kwjK23gygRbO9ZP+eekgygRbNsm+kwjK23gygRbD:e42Zshu4+pZshuH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4516	e0d18ca93ad7ce55c1d8de4f06cfd4d3.exe

Executes dropped EXE 1 IoCs

pid	Process
4516	e0d18ca93ad7ce55c1d8de4f06cfd4d3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
30	pastebin.com
31	pastebin.com

Program crash 13 IoCs

pid	pid_target	Process	procid_target
5116	2456	WerFault.exe	94
1184	4516	WerFault.exe	103
1744	4516	WerFault.exe	103
4440	4516	WerFault.exe	103
4868	4516	WerFault.exe	103
4616	4516	WerFault.exe	103
2612	4516	WerFault.exe	103
5116	4516	WerFault.exe	103
208	4516	WerFault.exe	103
2444	4516	WerFault.exe	103
1120	4516	WerFault.exe	103
2652	4516	WerFault.exe	103
1280	4516	WerFault.exe	103

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4516	e0d18ca93ad7ce55c1d8de4f06cfd4d3.exe
4516	e0d18ca93ad7ce55c1d8de4f06cfd4d3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2456	e0d18ca93ad7ce55c1d8de4f06cfd4d3.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4516	e0d18ca93ad7ce55c1d8de4f06cfd4d3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 4516	2456	e0d18ca93ad7ce55c1d8de4f06cfd4d3.exe	103
PID 2456 wrote to memory of 4516	2456	e0d18ca93ad7ce55c1d8de4f06cfd4d3.exe	103
PID 2456 wrote to memory of 4516	2456	e0d18ca93ad7ce55c1d8de4f06cfd4d3.exe	103

C:\Users\Admin\AppData\Local\Temp\e0d18ca93ad7ce55c1d8de4f06cfd4d3.exe
"C:\Users\Admin\AppData\Local\Temp\e0d18ca93ad7ce55c1d8de4f06cfd4d3.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 344
  2⤵
  - Program crash
  PID:5116
- C:\Users\Admin\AppData\Local\Temp\e0d18ca93ad7ce55c1d8de4f06cfd4d3.exe
  C:\Users\Admin\AppData\Local\Temp\e0d18ca93ad7ce55c1d8de4f06cfd4d3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 348
    3⤵
    - Program crash
    PID:1184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 628
    3⤵
    - Program crash
    PID:1744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 648
    3⤵
    - Program crash
    PID:4440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 628
    3⤵
    - Program crash
    PID:4868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 640
    3⤵
    - Program crash
    PID:4616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 904
    3⤵
    - Program crash
    PID:2612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1416
    3⤵
    - Program crash
    PID:5116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1452
    3⤵
    - Program crash
    PID:208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1488
    3⤵
    - Program crash
    PID:2444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1428
    3⤵
    - Program crash
    PID:1120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1532
    3⤵
    - Program crash
    PID:2652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 632
    3⤵
    - Program crash
    PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2456 -ip 2456
1⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4516 -ip 4516
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4516 -ip 4516
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4516 -ip 4516
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4516 -ip 4516
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4516 -ip 4516
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4516 -ip 4516
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4516 -ip 4516
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4516 -ip 4516
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4516 -ip 4516
1⤵
PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4516 -ip 4516
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4516 -ip 4516
1⤵
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4476 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4516 -ip 4516
1⤵
PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e0d18ca93ad7ce55c1d8de4f06cfd4d3.exe

Filesize
4.6MB

MD5
0cfb8de9d3fb833cd83912cf4c81fd32

SHA1
97eb400bf8346b077e7100e6ead047636a881845

SHA256
25f03d03caeab11db9f7f3c1eff572b61b13a02b503a62e9bfc31ad4901f3b27

SHA512
b81b0d17f2d2a7046757447a380f13a60d097010392312e36e9f92c703658097e3a889e6fae522480f3f8f9450bd8a737901bfc64b67b38c7f310136adfa894a

Download Submit
memory/2456-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2456-6-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4516-7-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4516-8-0x0000000004F90000-0x000000000509D000-memory.dmp

Filesize
1.1MB

Download
memory/4516-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4516-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4516-21-0x000000000B9D0000-0x000000000BA73000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing