1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd

General

Target

1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
Size

426KB
MD5

c24b83c585cd7a3043c8081f1fd29d1c
SHA1

5d5fc26a0f6bc7ad8b55abc71a79766c369d3741
SHA256

1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd
SHA512

0c719a352eb1f4b90266a315f4d74d1cc65d7b4d449e0285decd8f1715539326d36a9c843832d0ad4cbd55a0747930157a1bcf278dfced6058e63d7433e24f65
SSDEEP

6144:oquvgPnIN0Q/uBf5WR+KLBMQn4fNgj8ZYN3LifNg/CeV83:oqusIq8of5u+e/8Z44223

Score

9^/10

Malware Config

Signatures

Detects executables (downlaoders) containing URLs to raw contents of a paste 3 IoCs

resource	yara_rule
behavioral2/memory/3488-9-0x0000000000400000-0x000000000045A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral2/memory/3488-16-0x0000000000400000-0x000000000045A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral2/memory/3488-23-0x0000000000400000-0x000000000045A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

Detects executables referencing many IR and analysis tools 3 IoCs

resource	yara_rule
behavioral2/memory/3488-9-0x0000000000400000-0x000000000045A000-memory.dmp	INDICATOR_SUSPICIOUS_References_SecTools
behavioral2/memory/3488-16-0x0000000000400000-0x000000000045A000-memory.dmp	INDICATOR_SUSPICIOUS_References_SecTools
behavioral2/memory/3488-23-0x0000000000400000-0x000000000045A000-memory.dmp	INDICATOR_SUSPICIOUS_References_SecTools

Deletes itself 1 IoCs

pid	Process
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe

Executes dropped EXE 1 IoCs

pid	Process
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\trkcore = "C:\\ProgramData\\Microsoft\\Roaming\\svchost.exe"	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
29	pastebin.com
31	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe

Program crash 10 IoCs

pid	pid_target	Process	procid_target
696	4816	WerFault.exe	82
1316	3488	WerFault.exe	89
4596	3488	WerFault.exe	89
1772	3488	WerFault.exe	89
1340	3488	WerFault.exe	89
492	3488	WerFault.exe	89
760	3488	WerFault.exe	89
3896	3488	WerFault.exe	89
3812	3488	WerFault.exe	89
2536	3488	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4816	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3488	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 3488	4816	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe	89
PID 4816 wrote to memory of 3488	4816	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe	89
PID 4816 wrote to memory of 3488	4816	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe	89

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe

C:\Users\Admin\AppData\Local\Temp\1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
"C:\Users\Admin\AppData\Local\Temp\1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 356
  2⤵
  - Program crash
  PID:696
- C:\Users\Admin\AppData\Local\Temp\1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
  C:\Users\Admin\AppData\Local\Temp\1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - System policy modification
  PID:3488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 324
    3⤵
    - Program crash
    PID:1316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 668
    3⤵
    - Program crash
    PID:4596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 804
    3⤵
    - Program crash
    PID:1772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 840
    3⤵
    - Program crash
    PID:1340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 932
    3⤵
    - Program crash
    PID:492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 952
    3⤵
    - Program crash
    PID:760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1072
    3⤵
    - Program crash
    PID:3896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1308
    3⤵
    - Program crash
    PID:3812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 140
    3⤵
    - Program crash
    PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4816 -ip 4816
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3488 -ip 3488
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3488 -ip 3488
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3488 -ip 3488
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3488 -ip 3488
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3488 -ip 3488
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3488 -ip 3488
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3488 -ip 3488
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3488 -ip 3488
1⤵
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3488 -ip 3488
1⤵
PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1623544e05601c27ec7ef4413763e532f527526f838d227ba777480546f710dd.exe

Filesize
426KB

MD5
41b580865806e467968f8e51b7e9f46f

SHA1
fe96ae88cd214bb35345fb44cd21ca7369e21937

SHA256
bbebe5dcae5a7639c106eb73803a504ca4decdf9864a31ad6c5f88f3388abdc7

SHA512
80548cae928bf8f85526038fac7bf467d705b464e3d6a56ae702233e1957d47980b3850f8e50ae5e6a934a203bb499d468dddf22cdf458609463c61b81b4ad0a

Download Submit
memory/3488-7-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3488-8-0x0000000004F30000-0x0000000004FA2000-memory.dmp

Filesize
456KB

Download
memory/3488-9-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3488-16-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3488-23-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4816-0-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4816-6-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads