f68cab419eb82a011bd852e5eccf9e74ff0e1f4c33c6c47925ff11b58e3f4a0c

General

Target

f68cab419eb82a011bd852e5eccf9e74ff0e1f4c33c6c47925ff11b58e3f4a0c.exe
Size

2.3MB
MD5

319350f9713ac4b84c5d2445c58c5f50
SHA1

31449d902376253ab1ac3f2bdef21fe02582f4eb
SHA256

f68cab419eb82a011bd852e5eccf9e74ff0e1f4c33c6c47925ff11b58e3f4a0c
SHA512

5da4ceedb71e1c76bf6d134e08d2a12f8999b23b2ffe3aae3f4ef5f96d648495939ba5a385057c3c5e4ef71a1f2dae7f439a65352a0ac240b9de91662e8bdab7
SSDEEP

49152:pN1omeqhq9ZVfJcGug3g/b9bWrRsC8dE3u+g/gRbL/B+p:pTomeIq9DfJnWb9qrRsCvX/B+p

Score

9^/10

Malware Config

Signatures

Detects executables (downlaoders) containing URLs to raw contents of a paste 2 IoCs

resource	yara_rule
behavioral2/memory/4108-8-0x0000000000400000-0x00000000004A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral2/memory/4108-21-0x000000000B9F0000-0x000000000BA93000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

Deletes itself 1 IoCs

pid	Process
4108	f68cab419eb82a011bd852e5eccf9e74ff0e1f4c33c6c47925ff11b58e3f4a0c.exe

Executes dropped EXE 1 IoCs

pid	Process
4108	f68cab419eb82a011bd852e5eccf9e74ff0e1f4c33c6c47925ff11b58e3f4a0c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	pastebin.com
12	pastebin.com

Program crash 13 IoCs

pid	pid_target	Process	procid_target
1852	1096	WerFault.exe	84
776	4108	WerFault.exe	89
3036	4108	WerFault.exe	89
1556	4108	WerFault.exe	89
4212	4108	WerFault.exe	89
208	4108	WerFault.exe	89
388	4108	WerFault.exe	89
4552	4108	WerFault.exe	89
2060	4108	WerFault.exe	89
368	4108	WerFault.exe	89
1992	4108	WerFault.exe	89
5392	4108	WerFault.exe	89
4508	4108	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4108	f68cab419eb82a011bd852e5eccf9e74ff0e1f4c33c6c47925ff11b58e3f4a0c.exe
4108	f68cab419eb82a011bd852e5eccf9e74ff0e1f4c33c6c47925ff11b58e3f4a0c.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1096	f68cab419eb82a011bd852e5eccf9e74ff0e1f4c33c6c47925ff11b58e3f4a0c.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4108	f68cab419eb82a011bd852e5eccf9e74ff0e1f4c33c6c47925ff11b58e3f4a0c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 4108	1096	f68cab419eb82a011bd852e5eccf9e74ff0e1f4c33c6c47925ff11b58e3f4a0c.exe	89
PID 1096 wrote to memory of 4108	1096	f68cab419eb82a011bd852e5eccf9e74ff0e1f4c33c6c47925ff11b58e3f4a0c.exe	89
PID 1096 wrote to memory of 4108	1096	f68cab419eb82a011bd852e5eccf9e74ff0e1f4c33c6c47925ff11b58e3f4a0c.exe	89

C:\Users\Admin\AppData\Local\Temp\f68cab419eb82a011bd852e5eccf9e74ff0e1f4c33c6c47925ff11b58e3f4a0c.exe
"C:\Users\Admin\AppData\Local\Temp\f68cab419eb82a011bd852e5eccf9e74ff0e1f4c33c6c47925ff11b58e3f4a0c.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 344
  2⤵
  - Program crash
  PID:1852
- C:\Users\Admin\AppData\Local\Temp\f68cab419eb82a011bd852e5eccf9e74ff0e1f4c33c6c47925ff11b58e3f4a0c.exe
  C:\Users\Admin\AppData\Local\Temp\f68cab419eb82a011bd852e5eccf9e74ff0e1f4c33c6c47925ff11b58e3f4a0c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 344
    3⤵
    - Program crash
    PID:776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 636
    3⤵
    - Program crash
    PID:3036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 628
    3⤵
    - Program crash
    PID:1556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 636
    3⤵
    - Program crash
    PID:4212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 760
    3⤵
    - Program crash
    PID:208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 928
    3⤵
    - Program crash
    PID:388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1396
    3⤵
    - Program crash
    PID:4552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1452
    3⤵
    - Program crash
    PID:2060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1476
    3⤵
    - Program crash
    PID:368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1716
    3⤵
    - Program crash
    PID:1992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1700
    3⤵
    - Program crash
    PID:5392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 640
    3⤵
    - Program crash
    PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1096 -ip 1096
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4108 -ip 4108
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4108 -ip 4108
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4108 -ip 4108
1⤵
PID:5832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4108 -ip 4108
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4108 -ip 4108
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4108 -ip 4108
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4108 -ip 4108
1⤵
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4108 -ip 4108
1⤵
PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4108 -ip 4108
1⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4108 -ip 4108
1⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4108 -ip 4108
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4108 -ip 4108
1⤵
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f68cab419eb82a011bd852e5eccf9e74ff0e1f4c33c6c47925ff11b58e3f4a0c.exe

Filesize
2.3MB

MD5
8f6614bbd31a38e16b8b617bda36354b

SHA1
985f43c6910794b68f644ff5878e178ead6185a8

SHA256
9d614068a0c2c8cf1f4f68a0f3acc33d6b6a4201d86962fe6c584bc9a6dea77e

SHA512
8335138255dcb4e1e555fb6d3ad345a078a2d021d9ceef62cd5e66f8138d4e87e711b3732321a5b4f0dda127f5c50a025a4ae99ff56ffaaedef9007d5d1d6d14

Download Submit
memory/1096-0-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1096-5-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4108-7-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4108-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4108-12-0x0000000005060000-0x0000000005176000-memory.dmp

Filesize
1.1MB

Download
memory/4108-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4108-21-0x000000000B9F0000-0x000000000BA93000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing