bc58cc49027a46b7bae44285210beb03df97afadaab8f3a246c35a1527ebf4bf

General

Target

bc58cc49027a46b7bae44285210beb03df97afadaab8f3a246c35a1527ebf4bf.exe
Size

988KB
MD5

9196b08b35fca43e042ad03c9a9f764a
SHA1

7adcb6066cbf55df1278058eaa688f44af54e03f
SHA256

bc58cc49027a46b7bae44285210beb03df97afadaab8f3a246c35a1527ebf4bf
SHA512

58e2aea058ea319707b2fe42266e8b95a0225e248c8d1dca365c11a3baa0339bf6e99ba91824890b6ba3a6c8dd40a973636d9373f332ee0d4778398a30e29850
SSDEEP

24576:EIxFYpi0E/TU4DW4BbhuYa2ntUKYZT1a/ZS6o77LQdmbgrr:EQFIUrth37PYZ1grobqa0r

Score

9^/10

Malware Config

Signatures

Detects executables (downlaoders) containing URLs to raw contents of a paste 2 IoCs

resource	yara_rule
behavioral2/memory/1800-8-0x0000000000400000-0x00000000004A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral2/memory/1800-21-0x000000000A890000-0x000000000A933000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

Deletes itself 1 IoCs

pid	Process
1800	bc58cc49027a46b7bae44285210beb03df97afadaab8f3a246c35a1527ebf4bf.exe

Executes dropped EXE 1 IoCs

pid	Process
1800	bc58cc49027a46b7bae44285210beb03df97afadaab8f3a246c35a1527ebf4bf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com

Program crash 8 IoCs

pid	pid_target	Process	procid_target
2796	4724	WerFault.exe	80
5004	1800	WerFault.exe	88
4624	1800	WerFault.exe	88
4440	1800	WerFault.exe	88
2028	1800	WerFault.exe	88
2088	1800	WerFault.exe	88
5024	1800	WerFault.exe	88
2940	1800	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1800	bc58cc49027a46b7bae44285210beb03df97afadaab8f3a246c35a1527ebf4bf.exe
1800	bc58cc49027a46b7bae44285210beb03df97afadaab8f3a246c35a1527ebf4bf.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4724	bc58cc49027a46b7bae44285210beb03df97afadaab8f3a246c35a1527ebf4bf.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1800	bc58cc49027a46b7bae44285210beb03df97afadaab8f3a246c35a1527ebf4bf.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 1800	4724	bc58cc49027a46b7bae44285210beb03df97afadaab8f3a246c35a1527ebf4bf.exe	88
PID 4724 wrote to memory of 1800	4724	bc58cc49027a46b7bae44285210beb03df97afadaab8f3a246c35a1527ebf4bf.exe	88
PID 4724 wrote to memory of 1800	4724	bc58cc49027a46b7bae44285210beb03df97afadaab8f3a246c35a1527ebf4bf.exe	88

C:\Users\Admin\AppData\Local\Temp\bc58cc49027a46b7bae44285210beb03df97afadaab8f3a246c35a1527ebf4bf.exe
"C:\Users\Admin\AppData\Local\Temp\bc58cc49027a46b7bae44285210beb03df97afadaab8f3a246c35a1527ebf4bf.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 208
  2⤵
  - Program crash
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\bc58cc49027a46b7bae44285210beb03df97afadaab8f3a246c35a1527ebf4bf.exe
  C:\Users\Admin\AppData\Local\Temp\bc58cc49027a46b7bae44285210beb03df97afadaab8f3a246c35a1527ebf4bf.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 344
    3⤵
    - Program crash
    PID:5004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 628
    3⤵
    - Program crash
    PID:4624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 628
    3⤵
    - Program crash
    PID:4440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 656
    3⤵
    - Program crash
    PID:2028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 696
    3⤵
    - Program crash
    PID:2088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 968
    3⤵
    - Program crash
    PID:5024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 596
    3⤵
    - Program crash
    PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4724 -ip 4724
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1800 -ip 1800
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1800 -ip 1800
1⤵
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1800 -ip 1800
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1800 -ip 1800
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1800 -ip 1800
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1800 -ip 1800
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1800 -ip 1800
1⤵
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bc58cc49027a46b7bae44285210beb03df97afadaab8f3a246c35a1527ebf4bf.exe

Filesize
988KB

MD5
90d5cc0602060ac49acfce0d331faec3

SHA1
262e6f557bd887b31c16ed91160f75a0dd61f2f6

SHA256
56f004df3f84d58bf484643b40f3da86a575eb483c90f26454df9de3aea715ae

SHA512
b34a3733ba36dccd578d42529e6ebf098e697b6f8a1e24818ebfff07e0e40e37c41e8e1e77363eced5dae3c2cc30e1f50b5814b49f231e5f99e52d03e2afe071

Download Submit
memory/1800-7-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1800-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1800-14-0x0000000004E70000-0x0000000004F5F000-memory.dmp

Filesize
956KB

Download
memory/1800-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1800-21-0x000000000A890000-0x000000000A933000-memory.dmp

Filesize
652KB

Download
memory/4724-0-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4724-6-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download

Analysis

Sharing