54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190

General

Target

54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe
Size

1.2MB
MD5

0ddf5d5f411f78f2624e779f2a623ebf
SHA1

b31ca286cc5da3f55fd1d4888413bf1aa9e4f4e2
SHA256

54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190
SHA512

1d9e0a29bc067550e12058dee234db38e811628912173ff99f012e0edd099d6602fd76adcb28e8257288238bbf282169a18a8194c5869646db7bddffaac0ea24
SSDEEP

24576:CnmqdDh3y4o8yPG3bnNBCiuB4Sa/ZSya/JXk377Lv+f6T8KBGKXu/B:4TfU84crN4gxg23bnBGKXu/B

Score

9^/10

Malware Config

Signatures

Detects executables (downlaoders) containing URLs to raw contents of a paste 2 IoCs

resource	yara_rule
behavioral2/memory/60-9-0x0000000000400000-0x00000000004A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral2/memory/60-27-0x000000000BA00000-0x000000000BAA3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

Deletes itself 1 IoCs

pid	Process
60	54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe

Executes dropped EXE 1 IoCs

pid	Process
60	54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
16	pastebin.com
15	pastebin.com

Program crash 16 IoCs

pid	pid_target	Process	procid_target
3716	3576	WerFault.exe	82
3776	60	WerFault.exe	90
2140	60	WerFault.exe	90
4420	60	WerFault.exe	90
5044	60	WerFault.exe	90
4048	60	WerFault.exe	90
4620	60	WerFault.exe	90
5068	60	WerFault.exe	90
4916	60	WerFault.exe	90
3712	60	WerFault.exe	90
4676	60	WerFault.exe	90
752	60	WerFault.exe	90
2348	60	WerFault.exe	90
4568	60	WerFault.exe	90
2784	60	WerFault.exe	90
2092	60	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
60	54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe
60	54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3576	54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
60	54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 60	3576	54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe	90
PID 3576 wrote to memory of 60	3576	54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe	90
PID 3576 wrote to memory of 60	3576	54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe	90

C:\Users\Admin\AppData\Local\Temp\54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe
"C:\Users\Admin\AppData\Local\Temp\54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 352
  2⤵
  - Program crash
  PID:3716
- C:\Users\Admin\AppData\Local\Temp\54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe
  C:\Users\Admin\AppData\Local\Temp\54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:60
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 348
    3⤵
    - Program crash
    PID:3776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 628
    3⤵
    - Program crash
    PID:2140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 648
    3⤵
    - Program crash
    PID:4420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 668
    3⤵
    - Program crash
    PID:5044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 740
    3⤵
    - Program crash
    PID:4048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 892
    3⤵
    - Program crash
    PID:4620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1404
    3⤵
    - Program crash
    PID:5068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1416
    3⤵
    - Program crash
    PID:4916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1644
    3⤵
    - Program crash
    PID:3712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1456
    3⤵
    - Program crash
    PID:4676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1504
    3⤵
    - Program crash
    PID:752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1696
    3⤵
    - Program crash
    PID:2348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1532
    3⤵
    - Program crash
    PID:4568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1528
    3⤵
    - Program crash
    PID:2784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 632
    3⤵
    - Program crash
    PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3576 -ip 3576
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 60 -ip 60
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 60 -ip 60
1⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 60 -ip 60
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 60 -ip 60
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 60 -ip 60
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 60 -ip 60
1⤵
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 60 -ip 60
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 60 -ip 60
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 60 -ip 60
1⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 60 -ip 60
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 60 -ip 60
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 60 -ip 60
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 60 -ip 60
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 60 -ip 60
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 60 -ip 60
1⤵
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\54a9b2022ee9d27c4586d63708227f960154ae5aa9b8339b07526c88add93190.exe

Filesize
1.2MB

MD5
740238fb272743cf9eee9395656440d9

SHA1
7be561f34a3af56d78c7feb74ed7d987dbcd89de

SHA256
844acf091a4f08072cb0f7a97ccf41e9c1cbe59978be3d00762e481991009e04

SHA512
2a962118f16a1940275635c6486ac72602a88b4f5e2f17db66903d8d888489e5c0e4d1c0c4cf2ae073a858d3c3681985fbd9401699f58f1697148263979bee1d

Download Submit
memory/60-7-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/60-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/60-14-0x0000000005150000-0x0000000005264000-memory.dmp

Filesize
1.1MB

Download
memory/60-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/60-27-0x000000000BA00000-0x000000000BAA3000-memory.dmp

Filesize
652KB

Download
memory/60-28-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3576-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3576-6-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing