40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb

General

Target

40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe
Size

2.4MB
MD5

8274d564cfe76ee9e82fca4ec5132134
SHA1

796d6be60f49fa22944bf5499f3648965e3bf323
SHA256

40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb
SHA512

27b37f4b321c5704def5a2f8ac54a7375dba07baef6c450cb279a70d0405af14c657e063e97cdcc8ca07f852dc43645cd7225bcb8af0191a628c4b32ee7ac119
SSDEEP

49152:mm/cJ/XjKoC3m/g7grNZbNsm+kwjI4TT86lorVlyR0Wx:f+fW32nNZZshK4n86WrWDx

Score

9^/10

Malware Config

Signatures

Detects executables (downlaoders) containing URLs to raw contents of a paste 2 IoCs

resource	yara_rule
behavioral2/memory/4192-8-0x0000000000400000-0x00000000004A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral2/memory/4192-26-0x000000000B9D0000-0x000000000BA73000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

Deletes itself 1 IoCs

pid	Process
4192	40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe

Executes dropped EXE 1 IoCs

pid	Process
4192	40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
42	pastebin.com
44	pastebin.com

Program crash 13 IoCs

pid	pid_target	Process	procid_target
1252	4192	WerFault.exe	94
5112	4192	WerFault.exe	94
4380	4192	WerFault.exe	94
2460	4192	WerFault.exe	94
1148	4192	WerFault.exe	94
3620	4192	WerFault.exe	94
4880	4192	WerFault.exe	94
3540	4192	WerFault.exe	94
4840	4192	WerFault.exe	94
864	4192	WerFault.exe	94
4948	4192	WerFault.exe	94
4036	4192	WerFault.exe	94
3284	4192	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4192	40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe
4192	40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3164	40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4192	40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 4192	3164	40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe	94
PID 3164 wrote to memory of 4192	3164	40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe	94
PID 3164 wrote to memory of 4192	3164	40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe	94

C:\Users\Admin\AppData\Local\Temp\40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe
"C:\Users\Admin\AppData\Local\Temp\40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Users\Admin\AppData\Local\Temp\40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe
  C:\Users\Admin\AppData\Local\Temp\40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 344
    3⤵
    - Program crash
    PID:1252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 636
    3⤵
    - Program crash
    PID:5112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 660
    3⤵
    - Program crash
    PID:4380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 660
    3⤵
    - Program crash
    PID:2460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 720
    3⤵
    - Program crash
    PID:1148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 948
    3⤵
    - Program crash
    PID:3620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1404
    3⤵
    - Program crash
    PID:4880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1412
    3⤵
    - Program crash
    PID:3540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1476
    3⤵
    - Program crash
    PID:4840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1708
    3⤵
    - Program crash
    PID:864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1720
    3⤵
    - Program crash
    PID:4948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1412
    3⤵
    - Program crash
    PID:4036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1696
    3⤵
    - Program crash
    PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3164 -ip 3164
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4192 -ip 4192
1⤵
PID:3948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4192 -ip 4192
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4192 -ip 4192
1⤵
PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4192 -ip 4192
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4192 -ip 4192
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4192 -ip 4192
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4192 -ip 4192
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4192 -ip 4192
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4192 -ip 4192
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4192 -ip 4192
1⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4192 -ip 4192
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4192 -ip 4192
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4192 -ip 4192
1⤵
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\40f1acb19b0b73560142a6924d4c5e31a53ef284ed92ecf8133b9174320e52fb.exe

Filesize
2.4MB

MD5
d556784f9edee7d4ec34dd693bb6e3e3

SHA1
870aad0b7515b52181682b6ee6a2e6ef0c86a9dc

SHA256
dd98bc57103b0fa323e475eaa4af8adb5f1c5b138ed7cfbc497446912f8d0e0a

SHA512
a033ffc344bf86167b3bde34ae4ff8f538ea6edf1c1905ab2f424ee1cc17a124341f0ebf145e28639bc28717975bcd852860c141d69ff85ae7bb9c7d957fe19a

Download Submit
memory/3164-0-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/4192-6-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/4192-7-0x0000000004FC0000-0x00000000050D7000-memory.dmp

Filesize
1.1MB

Download
memory/4192-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4192-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4192-26-0x000000000B9D0000-0x000000000BA73000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing