1e453ebb76fccfb1d7c3a9a7a0923fb8a090b849b880ec75dbd1b4129fb7201f

General

Target

1e453ebb76fccfb1d7c3a9a7a0923fb8a090b849b880ec75dbd1b4129fb7201f.exe
Size

2.1MB
MD5

4a713cfe191326b86a13e4e6b2c28e1d
SHA1

3581664a1d49cf5f00a15b27e54f4a10d50ac9b0
SHA256

1e453ebb76fccfb1d7c3a9a7a0923fb8a090b849b880ec75dbd1b4129fb7201f
SHA512

b7b5a23980bbf5d2e9b2c649aa948a7d7139fedad81d9948edca2940abf3c77593839c90ff1a4f15d92ef21b3d895edff461bb05226aea4f40de4fb10ef3b22e
SSDEEP

49152:sltvYbm454AdBubRZh3i7FgOFtaEkQbExL5IOwzC8NDXy/FBhZIFUe8eueq:srvl4xButGBFtaEkQQQAEXytvZi8eueq

Score

9^/10

Malware Config

Signatures

Detects executables (downlaoders) containing URLs to raw contents of a paste 2 IoCs

resource	yara_rule
behavioral2/memory/1456-8-0x0000000000400000-0x00000000004A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral2/memory/1456-19-0x000000000B9B0000-0x000000000BA53000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

Deletes itself 1 IoCs

pid	Process
1456	1e453ebb76fccfb1d7c3a9a7a0923fb8a090b849b880ec75dbd1b4129fb7201f.exe

Executes dropped EXE 1 IoCs

pid	Process
1456	1e453ebb76fccfb1d7c3a9a7a0923fb8a090b849b880ec75dbd1b4129fb7201f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
10	pastebin.com

Program crash 13 IoCs

pid	pid_target	Process	procid_target
2176	368	WerFault.exe	84
4564	1456	WerFault.exe	92
2832	1456	WerFault.exe	92
804	1456	WerFault.exe	92
2384	1456	WerFault.exe	92
3648	1456	WerFault.exe	92
1012	1456	WerFault.exe	92
3236	1456	WerFault.exe	92
1516	1456	WerFault.exe	92
5088	1456	WerFault.exe	92
404	1456	WerFault.exe	92
724	1456	WerFault.exe	92
2172	1456	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1456	1e453ebb76fccfb1d7c3a9a7a0923fb8a090b849b880ec75dbd1b4129fb7201f.exe
1456	1e453ebb76fccfb1d7c3a9a7a0923fb8a090b849b880ec75dbd1b4129fb7201f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
368	1e453ebb76fccfb1d7c3a9a7a0923fb8a090b849b880ec75dbd1b4129fb7201f.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1456	1e453ebb76fccfb1d7c3a9a7a0923fb8a090b849b880ec75dbd1b4129fb7201f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 1456	368	1e453ebb76fccfb1d7c3a9a7a0923fb8a090b849b880ec75dbd1b4129fb7201f.exe	92
PID 368 wrote to memory of 1456	368	1e453ebb76fccfb1d7c3a9a7a0923fb8a090b849b880ec75dbd1b4129fb7201f.exe	92
PID 368 wrote to memory of 1456	368	1e453ebb76fccfb1d7c3a9a7a0923fb8a090b849b880ec75dbd1b4129fb7201f.exe	92

C:\Users\Admin\AppData\Local\Temp\1e453ebb76fccfb1d7c3a9a7a0923fb8a090b849b880ec75dbd1b4129fb7201f.exe
"C:\Users\Admin\AppData\Local\Temp\1e453ebb76fccfb1d7c3a9a7a0923fb8a090b849b880ec75dbd1b4129fb7201f.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 344
  2⤵
  - Program crash
  PID:2176
- C:\Users\Admin\AppData\Local\Temp\1e453ebb76fccfb1d7c3a9a7a0923fb8a090b849b880ec75dbd1b4129fb7201f.exe
  C:\Users\Admin\AppData\Local\Temp\1e453ebb76fccfb1d7c3a9a7a0923fb8a090b849b880ec75dbd1b4129fb7201f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 344
    3⤵
    - Program crash
    PID:4564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 628
    3⤵
    - Program crash
    PID:2832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 628
    3⤵
    - Program crash
    PID:804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 708
    3⤵
    - Program crash
    PID:2384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 760
    3⤵
    - Program crash
    PID:3648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 904
    3⤵
    - Program crash
    PID:1012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1404
    3⤵
    - Program crash
    PID:3236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1404
    3⤵
    - Program crash
    PID:1516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1468
    3⤵
    - Program crash
    PID:5088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1456
    3⤵
    - Program crash
    PID:404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1480
    3⤵
    - Program crash
    PID:724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 632
    3⤵
    - Program crash
    PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 368 -ip 368
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1456 -ip 1456
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1456 -ip 1456
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1456 -ip 1456
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1456 -ip 1456
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1456 -ip 1456
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1456 -ip 1456
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1456 -ip 1456
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1456 -ip 1456
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1456 -ip 1456
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1456 -ip 1456
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1456 -ip 1456
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1456 -ip 1456
1⤵
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1e453ebb76fccfb1d7c3a9a7a0923fb8a090b849b880ec75dbd1b4129fb7201f.exe

Filesize
2.1MB

MD5
adb8e2a5bca1325bf891beabacc5a45f

SHA1
b5823b9b99eda7c5f9e69fabf62251c3e1434d79

SHA256
5b788eb18abaaadc3eeef2d82360476e63aae20d90e357569535c092fd9e1b57

SHA512
029dd93286a14b1056deb5531e49d0fc94aa899ce04611f4627286aa9e62824d98f3cf8bb453feb6d84968054b1caebb11ddfe42b5099a27d13ae032edfcd3a1

Download Submit
memory/368-0-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/368-7-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1456-6-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1456-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1456-12-0x0000000005120000-0x0000000005211000-memory.dmp

Filesize
964KB

Download
memory/1456-19-0x000000000B9B0000-0x000000000BA53000-memory.dmp

Filesize
652KB

Download
memory/1456-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing