fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82

General

Target

fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.exe
Size

3.2MB
MD5

13ca60d73776b420ada5cc15848f8dfb
SHA1

22bece82795e9c60d76c19f22f777f3b19af10d8
SHA256

fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82
SHA512

7074d3fb777563a94dde036cab647cfc72c115e140343ec25f6921a5689b4d381b60012dfa0fb2b1ea17621ff90ca4c225cd3f2e71c1a6bab935c33610f4dafc
SSDEEP

98304:VSiRz+JwCh4p8zdpHzEugKdTHvjgJLTiH7BUB:3zI48v1r1EsY

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

14 api.keen.io
16 api.keen.io
Executes dropped EXE 1 IoCs

Processes:

fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.tmp

pid process

2324 fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.tmp

flow	ioc
14	api.keen.io
16	api.keen.io

Loads dropped DLL 3 IoCs

Processes:

fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.tmp

pid	process
2324	fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.tmp
2324	fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.tmp
2324	fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.tmp

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
3132	2324	WerFault.exe	fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.tmp
516	2324	WerFault.exe	fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.tmp

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	30	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.exe

description	pid	process	target process
PID 972 wrote to memory of 2324	972	fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.exe	fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.tmp
PID 972 wrote to memory of 2324	972	fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.exe	fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.tmp
PID 972 wrote to memory of 2324	972	fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.exe	fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.tmp

C:\Users\Admin\AppData\Local\Temp\fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.exe
"C:\Users\Admin\AppData\Local\Temp\fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\AppData\Local\Temp\is-1O73J.tmp\fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1O73J.tmp\fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.tmp" /SL5="$601EC,2484196,893952,C:\Users\Admin\AppData\Local\Temp\fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1960
3⤵
- Program crash
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1980
3⤵
- Program crash
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2324 -ip 2324
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2324 -ip 2324
1⤵
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-1O73J.tmp\fbb5302b06f7e6824ecdaf59162f3a08557cac0efe6b40b4502eab60ecd04d82.tmp

Filesize
3.0MB

MD5
5c6dc4f810bf08224a748763e915d294

SHA1
57e9256e9aeaafd45e4bdc8461f5fcb73f65302e

SHA256
44f80edcbb47c543b362916340af40e5e0f5fa38c1c17713af1ab463d1389e9d

SHA512
8a834ad640ea17ff74d4956d968fe4f5dc657f8fe152eaab778363b2d301733eca2ae01227e20ed9ed88b9eaabe2914a1e388ecea214effdce6725dd28164a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PISMH.tmp\Win32Library.dll

Filesize
46KB

MD5
564f2dfb6bef1f47798dfb5d182232f0

SHA1
290a5ad705a85e7fb26efcdc5374cd39738ad242

SHA256
671fb4649ddd8428c7f6fd1e14b30fd4735efbbb8c142e2662e157d87f96c9c0

SHA512
492091b1ecb0e36f3d01a7b6d516d836224966dc6e8ec9bcdc2254d252f9530c9b9b45ac10d5216761d557cda2454e3d53060b42e55f6a95631baca29199926b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PISMH.tmp\onelaunch.png

Filesize
70KB

MD5
d3110fb775ee7fd24426503d67840c25

SHA1
54f649c8bf3af2ad3a4d92cd8b1397bad1a49a75

SHA256
f8392390dc81756e79ec5f359dbdcac3b4bd219b5188a429b814fc51aabb6e36

SHA512
f6b79f728be17c9060edb2df2dac2b0f59a4dffd8c416e7e957bc3fa4696f4237e5969647309f5425a6297f189e351e20c99c642f90d1476050285929657c32f

Download Submit
memory/972-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/972-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/972-47-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2324-6-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2324-25-0x00000000740A0000-0x00000000740B4000-memory.dmp

Filesize
80KB

Download
memory/2324-26-0x0000000008FE0000-0x0000000009072000-memory.dmp

Filesize
584KB

Download
memory/2324-24-0x0000000008FC0000-0x0000000008FD4000-memory.dmp

Filesize
80KB

Download
memory/2324-42-0x00000000037C0000-0x0000000003900000-memory.dmp

Filesize
1.2MB

Download
memory/2324-43-0x00000000037C0000-0x0000000003900000-memory.dmp

Filesize
1.2MB

Download
memory/2324-45-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2324-20-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads