4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f

General

Target

4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.exe
Size

4.7MB
MD5

4d01267756c208ca6ed1d5c10e29b874
SHA1

cf9750e26d2ff4a77b85bb27f325387de2da9a02
SHA256

4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f
SHA512

b2293a996d463a2621830a684411866fb96f4015af708b61308583a4a2f8be229df9206ad0bfe6bef7d6901ea0ec004464b3693f9151840115b5654e37ca83eb
SSDEEP

98304:kkLlfNJniRIKM6L3Up7ienoCpxPyzgaXqWNAyfzDNoS3SfoS:TNriRpdD6XnplMgkay3N73M

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp

pid process

2052 4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp

Loads dropped DLL 12 IoCs

Processes:

4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.exe4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmpWerFault.exe

pid	process
2984	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.exe
2052	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp
2052	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp
2052	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp
2052	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp
2052	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp
2052	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2680 2052 WerFault.exe 4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp

description pid process

Token: SeDebugPrivilege 2052 4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp

pid	pid_target	process	target process
2680	2052	WerFault.exe	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp

description	pid	process
Token: SeDebugPrivilege	2052	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp

pid	process
2052	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp
2052	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.exe4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp

description	pid	process	target process
PID 2984 wrote to memory of 2052	2984	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.exe	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp
PID 2984 wrote to memory of 2052	2984	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.exe	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp
PID 2984 wrote to memory of 2052	2984	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.exe	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp
PID 2984 wrote to memory of 2052	2984	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.exe	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp
PID 2984 wrote to memory of 2052	2984	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.exe	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp
PID 2984 wrote to memory of 2052	2984	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.exe	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp
PID 2984 wrote to memory of 2052	2984	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.exe	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp
PID 2052 wrote to memory of 2680	2052	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp	WerFault.exe
PID 2052 wrote to memory of 2680	2052	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp	WerFault.exe
PID 2052 wrote to memory of 2680	2052	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp	WerFault.exe
PID 2052 wrote to memory of 2680	2052	4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.exe
"C:\Users\Admin\AppData\Local\Temp\4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984

C:\Users\Admin\AppData\Local\Temp\is-LSLSG.tmp\4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LSLSG.tmp\4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp" /SL5="$500F8,4024649,806400,C:\Users\Admin\AppData\Local\Temp\4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1008
3⤵
- Loads dropped DLL
- Program crash
PID:2680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-36C29.tmp\HtmlInstaller.dll

Filesize
189KB

MD5
b8146f1279af9b9a6d4c7f377b1f93a1

SHA1
df53b28c0ca41e7dfa41223f8b7e467d1d8002dd

SHA256
c5a5f540914d46f93782da9188ec16f75a7ed495512d8d3086be9232ea8e7b8c

SHA512
6e02dbda0e071673bfcf09bb97384ec997082bf7eb53fa623825aa4529411316ef45b08126375757098113b720c61211b7b31ea5fc059de0586cd030fc96e6e3

Download Submit
\Users\Admin\AppData\Local\Temp\is-36C29.tmp\Networking.dll

Filesize
33KB

MD5
6a1be1a08c9a3839f2a4f5ec107c88a2

SHA1
242774120b5c39bcf8a2fe4c964c302538c6725b

SHA256
64dec9190c5d290a11e37ec2933ddfa7abe57153c71c2f49546eec718a0b01ed

SHA512
d57578286847bad46005ca7f6597fd3c4d179e6f9bc4999baa56c56f94493ea73538dfde7336ebb3b6bf91d9cf6d6d94ecf6ac31db8b534e543ee089ce635721

Download Submit
\Users\Admin\AppData\Local\Temp\is-LSLSG.tmp\4735eafe9826d48c494a6ed662f6be40930a3f7234d10c526d2cca5b42d2c46f.tmp

Filesize
3.0MB

MD5
bcfe6d377402b260f454902103b96183

SHA1
85fc860e64abbd7cfa41ea7b75f8e4c3a8338d88

SHA256
eb9401bd3941d116db155a444ce200bacc9e3a3465b723ca7f53c35e59acc0ed

SHA512
dbda484c47d2422a7c34a0dfad7c1442e4230bec6e7030856b90817f7456ad00f71406d8f5dcdbf9a8cfc3a081130a9ed2e535d0665803223afc0eb0761f50f0

Download Submit
memory/2052-9-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download
memory/2052-31-0x0000000003680000-0x0000000003690000-memory.dmp

Filesize
64KB

Download
memory/2052-32-0x0000000074AE0000-0x0000000074AF0000-memory.dmp

Filesize
64KB

Download
memory/2052-58-0x0000000004250000-0x0000000004288000-memory.dmp

Filesize
224KB

Download
memory/2052-59-0x0000000074BC0000-0x0000000074BF8000-memory.dmp

Filesize
224KB

Download
memory/2052-67-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download
memory/2984-0-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2984-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2984-66-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads