32add71d552951286bae14a2dbdb75ad8f9a3fe212c5369a91158ef60d1c12c6

General

Target

32add71d552951286bae14a2dbdb75ad8f9a3fe212c5369a91158ef60d1c12c6.exe
Size

1.9MB
MD5

030d58d0aff7a29efcbdc3febbfb3fd3
SHA1

f8dcc35da70fde2a08ef29222b0fed7f3f47c810
SHA256

32add71d552951286bae14a2dbdb75ad8f9a3fe212c5369a91158ef60d1c12c6
SHA512

5153e247f1661476ea2a1d2f339873da61f244c10c20fa37c7ffe17d8df368e3f5cfa33a285909e2cc3dd7978ea595890668627f6b1cdf2d4e2f0c531eeaf78f
SSDEEP

49152:hltvubm454AdBubRZh3i7HgXgJbNsm+kwjI4TT86lorJ:hrvb4xButGFZshK4n86WrJ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4800	32add71d552951286bae14a2dbdb75ad8f9a3fe212c5369a91158ef60d1c12c6.exe

Executes dropped EXE 1 IoCs

pid	Process
4800	32add71d552951286bae14a2dbdb75ad8f9a3fe212c5369a91158ef60d1c12c6.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	pastebin.com
18	pastebin.com

Program crash 15 IoCs

pid	pid_target	Process	procid_target
4740	3392	WerFault.exe	81
4208	4800	WerFault.exe	89
4144	4800	WerFault.exe	89
492	4800	WerFault.exe	89
984	4800	WerFault.exe	89
5020	4800	WerFault.exe	89
4804	4800	WerFault.exe	89
1728	4800	WerFault.exe	89
5004	4800	WerFault.exe	89
4052	4800	WerFault.exe	89
4124	4800	WerFault.exe	89
2376	4800	WerFault.exe	89
4984	4800	WerFault.exe	89
1992	4800	WerFault.exe	89
3748	4800	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4800	32add71d552951286bae14a2dbdb75ad8f9a3fe212c5369a91158ef60d1c12c6.exe
4800	32add71d552951286bae14a2dbdb75ad8f9a3fe212c5369a91158ef60d1c12c6.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3392	32add71d552951286bae14a2dbdb75ad8f9a3fe212c5369a91158ef60d1c12c6.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4800	32add71d552951286bae14a2dbdb75ad8f9a3fe212c5369a91158ef60d1c12c6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 4800	3392	32add71d552951286bae14a2dbdb75ad8f9a3fe212c5369a91158ef60d1c12c6.exe	89
PID 3392 wrote to memory of 4800	3392	32add71d552951286bae14a2dbdb75ad8f9a3fe212c5369a91158ef60d1c12c6.exe	89
PID 3392 wrote to memory of 4800	3392	32add71d552951286bae14a2dbdb75ad8f9a3fe212c5369a91158ef60d1c12c6.exe	89

C:\Users\Admin\AppData\Local\Temp\32add71d552951286bae14a2dbdb75ad8f9a3fe212c5369a91158ef60d1c12c6.exe
"C:\Users\Admin\AppData\Local\Temp\32add71d552951286bae14a2dbdb75ad8f9a3fe212c5369a91158ef60d1c12c6.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 344
  2⤵
  - Program crash
  PID:4740
- C:\Users\Admin\AppData\Local\Temp\32add71d552951286bae14a2dbdb75ad8f9a3fe212c5369a91158ef60d1c12c6.exe
  C:\Users\Admin\AppData\Local\Temp\32add71d552951286bae14a2dbdb75ad8f9a3fe212c5369a91158ef60d1c12c6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 344
    3⤵
    - Program crash
    PID:4208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 628
    3⤵
    - Program crash
    PID:4144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 648
    3⤵
    - Program crash
    PID:492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 648
    3⤵
    - Program crash
    PID:984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 680
    3⤵
    - Program crash
    PID:5020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1056
    3⤵
    - Program crash
    PID:4804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1396
    3⤵
    - Program crash
    PID:1728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1472
    3⤵
    - Program crash
    PID:5004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1488
    3⤵
    - Program crash
    PID:4052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1476
    3⤵
    - Program crash
    PID:4124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1512
    3⤵
    - Program crash
    PID:2376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1516
    3⤵
    - Program crash
    PID:4984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1080
    3⤵
    - Program crash
    PID:1992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 672
    3⤵
    - Program crash
    PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3392 -ip 3392
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4800 -ip 4800
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4800 -ip 4800
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4800 -ip 4800
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4800 -ip 4800
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4800 -ip 4800
1⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4800 -ip 4800
1⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4800 -ip 4800
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4800 -ip 4800
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4800 -ip 4800
1⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4800 -ip 4800
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4800 -ip 4800
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4800 -ip 4800
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4800 -ip 4800
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4800 -ip 4800
1⤵
PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32add71d552951286bae14a2dbdb75ad8f9a3fe212c5369a91158ef60d1c12c6.exe

Filesize
1.9MB

MD5
b592ee3d4a646fc17cca2cd55af76bd6

SHA1
dc0e66972e0e4ac954931a8deff79dfb421fbf53

SHA256
b84d0ce41b2339abdfe4c355a8a031fa62e0b97934a642b43ca517ae4075e6c0

SHA512
1d3fd0adfcf2dca5a2bc96de96cbdd6b3d81ba1e8194f063942fa893c9fc2258231bcc1d2e121844e30b1f432b014a9c623b2b482d5c39e24fe79cc7108bff46

Download Submit
memory/3392-0-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3392-6-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4800-7-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4800-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4800-14-0x0000000005020000-0x0000000005135000-memory.dmp

Filesize
1.1MB

Download
memory/4800-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4800-27-0x000000000B9D0000-0x000000000BA73000-memory.dmp

Filesize
652KB

Download
memory/4800-28-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing