14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196

General

Target

14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
Size

6.6MB
MD5

5f6aacd3106f727d45c295fd0f25054d
SHA1

0d584d72fe321332df0b0a17720191ad96737f47
SHA256

14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196
SHA512

8eaa103be426a037b5ee1b99b0949672af1b674491dab8d5f24f5bf6f13e5817800574c0c779d54ef1f9ada7a6150ba3a6a63bf90eb6a5885465f6e2275764b0
SSDEEP

98304:QSiEgahK0fCLAeApJe/i7t5/xPUa5BDul4X0CnewymF+ATMM9LWmZSWNQs5Ia/Ba:T/PfCEl5o3TwymFrX9L5sWB0Uy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmpmathparser.exe

pid	process
2916	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
2396	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
2012	mathparser.exe

Loads dropped DLL 12 IoCs

Processes:

14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmpmathparser.exeWerFault.exe

pid	process
2660	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
2596	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
2396	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
2396	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
2012	mathparser.exe
1412	WerFault.exe
1412	WerFault.exe
1412	WerFault.exe
1412	WerFault.exe
1412	WerFault.exe
1412	WerFault.exe
1412	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1412 2012 WerFault.exe mathparser.exe

pid	pid_target	process	target process
1412	2012	WerFault.exe	mathparser.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp

pid	process
2396	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
2396	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp

pid process

2396 14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmpmathparser.exe

C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
"C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\Temp\is-P7REO.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-P7REO.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp" /SL5="$50150,6104050,943104,C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
    "C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Users\Admin\AppData\Local\Temp\is-9F1LV.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-9F1LV.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp" /SL5="$60150,6104050,943104,C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe
        
        "C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 260
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-P7REO.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp

Filesize
3.1MB

MD5
10a0c7f88554ff904404989bb8a504ea

SHA1
dc810dc1f2bf2dc37f69669e6c8e588943053a49

SHA256
596b99105a085e245e744c4d0c49fd7260616c0849d80d485986f2773c387a4b

SHA512
0a9b45796fb4b0d710d48fe1b730cefd4ccca9b9c16d627d5eb443b22661bb948151a7d6d478106196ef6e956d099b03c6d376abca2a32a7424ea6c2d5ff2dc4

Download Submit
\Users\Admin\AppData\Roaming\mX Parser\JxCnv40.dll

Filesize
3.1MB

MD5
7052d63610b063c859af7f128a0c05cd

SHA1
7d44391b76368b8331c4f468f8ddbaf6ee5a6793

SHA256
6e3917257f9239ff1c0ec0c17a7d9b6b01dead526c56218a11b0676174440112

SHA512
8d34fdd4a48835b6db7ceda48716959e8c50bee04d10aa66044a880a78c13760cf314781f8e347644c5a2d71ff467577e431c70beaafcd52db72cb8044c9bc05

Download Submit
\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe

Filesize
5.9MB

MD5
5d735d8c7243f61a30f5e91539f76df9

SHA1
26474ba449682e82ca38fef32836dcb23ee24012

SHA256
f00b523635707cf97be5877c9dea1abec7abf8d0e6bcce529cc96826344511a0

SHA512
a7bc38389f8905bc98a3742243fa1fd810241908578656c509c022855aeb1c97b8a3519456488b9cdef3e8b64824f8d2bb48e846d5b0f63e3b7d38041220b13f

Download Submit
memory/2012-593-0x0000000000D60000-0x000000000161B000-memory.dmp

Filesize
8.7MB

Download
memory/2396-22-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2396-584-0x00000000038F0000-0x0000000003900000-memory.dmp

Filesize
64KB

Download
memory/2396-591-0x0000000004840000-0x00000000050FB000-memory.dmp

Filesize
8.7MB

Download
memory/2396-595-0x0000000000400000-0x000000000072D000-memory.dmp

Filesize
3.2MB

Download
memory/2596-13-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2596-597-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2660-16-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2660-1-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2916-11-0x0000000000400000-0x000000000072D000-memory.dmp

Filesize
3.2MB

Download
memory/2916-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 2660 wrote to memory of 2916	2660	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2660 wrote to memory of 2916	2660	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2660 wrote to memory of 2916	2660	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2660 wrote to memory of 2916	2660	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2660 wrote to memory of 2916	2660	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2660 wrote to memory of 2916	2660	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2660 wrote to memory of 2916	2660	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2916 wrote to memory of 2596	2916	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
PID 2916 wrote to memory of 2596	2916	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
PID 2916 wrote to memory of 2596	2916	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
PID 2916 wrote to memory of 2596	2916	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
PID 2916 wrote to memory of 2596	2916	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
PID 2916 wrote to memory of 2596	2916	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
PID 2916 wrote to memory of 2596	2916	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
PID 2596 wrote to memory of 2396	2596	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2596 wrote to memory of 2396	2596	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2596 wrote to memory of 2396	2596	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2596 wrote to memory of 2396	2596	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2596 wrote to memory of 2396	2596	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2596 wrote to memory of 2396	2596	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2596 wrote to memory of 2396	2596	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2396 wrote to memory of 2012	2396	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp	mathparser.exe
PID 2396 wrote to memory of 2012	2396	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp	mathparser.exe
PID 2396 wrote to memory of 2012	2396	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp	mathparser.exe
PID 2396 wrote to memory of 2012	2396	14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp	mathparser.exe
PID 2012 wrote to memory of 1412	2012	mathparser.exe	WerFault.exe
PID 2012 wrote to memory of 1412	2012	mathparser.exe	WerFault.exe
PID 2012 wrote to memory of 1412	2012	mathparser.exe	WerFault.exe
PID 2012 wrote to memory of 1412	2012	mathparser.exe	WerFault.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads