995511db559b813eaee05284623eb9029a8974595cbc93a81d6e4e8b5b1b054a

General

Target

7c7de9fb63aa568e0e67e32be3bb23a0N.exe
Size

960KB
MD5

7c7de9fb63aa568e0e67e32be3bb23a0
SHA1

980e7de3c22a6bb00840fab8a6581550566ae97f
SHA256

995511db559b813eaee05284623eb9029a8974595cbc93a81d6e4e8b5b1b054a
SHA512

c3283df4d13291e6cf290e39ccf64ed3d61762c9f2f08f1e88de1337cc44d907dd96a0a541aa8a4a6db6d7bb0cc1d9dc8fb80ca125f8d06a71fed38f1be00bec
SSDEEP

12288:Wwi0UWab4+HQu9pAbjp0EPME/2VNz7JjAOUyxX/x5SgfPjVDa/ZSjXuUC77L9:Wr0UHwu0qE3/GJJcM6u9a/ZSjXuF77L9

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1968	7c7de9fb63aa568e0e67e32be3bb23a0N.exe

Executes dropped EXE 1 IoCs

pid	Process
1968	7c7de9fb63aa568e0e67e32be3bb23a0N.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	pastebin.com
24	pastebin.com

Program crash 14 IoCs

pid	pid_target	Process	procid_target
2400	3120	WerFault.exe	83
1552	1968	WerFault.exe	91
3136	1968	WerFault.exe	91
4180	1968	WerFault.exe	91
3568	1968	WerFault.exe	91
1852	1968	WerFault.exe	91
1768	1968	WerFault.exe	91
2040	1968	WerFault.exe	91
3972	1968	WerFault.exe	91
4816	1968	WerFault.exe	91
3796	1968	WerFault.exe	91
3456	1968	WerFault.exe	91
2504	1968	WerFault.exe	91
2940	1968	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c7de9fb63aa568e0e67e32be3bb23a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c7de9fb63aa568e0e67e32be3bb23a0N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1968	7c7de9fb63aa568e0e67e32be3bb23a0N.exe
1968	7c7de9fb63aa568e0e67e32be3bb23a0N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3120	7c7de9fb63aa568e0e67e32be3bb23a0N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1968	7c7de9fb63aa568e0e67e32be3bb23a0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 1968	3120	7c7de9fb63aa568e0e67e32be3bb23a0N.exe	91
PID 3120 wrote to memory of 1968	3120	7c7de9fb63aa568e0e67e32be3bb23a0N.exe	91
PID 3120 wrote to memory of 1968	3120	7c7de9fb63aa568e0e67e32be3bb23a0N.exe	91

C:\Users\Admin\AppData\Local\Temp\7c7de9fb63aa568e0e67e32be3bb23a0N.exe
"C:\Users\Admin\AppData\Local\Temp\7c7de9fb63aa568e0e67e32be3bb23a0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 344
  2⤵
  - Program crash
  PID:2400
- C:\Users\Admin\AppData\Local\Temp\7c7de9fb63aa568e0e67e32be3bb23a0N.exe
  C:\Users\Admin\AppData\Local\Temp\7c7de9fb63aa568e0e67e32be3bb23a0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 344
    3⤵
    - Program crash
    PID:1552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 632
    3⤵
    - Program crash
    PID:3136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 632
    3⤵
    - Program crash
    PID:4180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 632
    3⤵
    - Program crash
    PID:3568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 732
    3⤵
    - Program crash
    PID:1852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 904
    3⤵
    - Program crash
    PID:1768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1396
    3⤵
    - Program crash
    PID:2040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1412
    3⤵
    - Program crash
    PID:3972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1464
    3⤵
    - Program crash
    PID:4816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1456
    3⤵
    - Program crash
    PID:3796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1528
    3⤵
    - Program crash
    PID:3456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1532
    3⤵
    - Program crash
    PID:2504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1636
    3⤵
    - Program crash
    PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3120 -ip 3120
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1968 -ip 1968
1⤵
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1968 -ip 1968
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1968 -ip 1968
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1968 -ip 1968
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1968 -ip 1968
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1968 -ip 1968
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1968 -ip 1968
1⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1968 -ip 1968
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1968 -ip 1968
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1968 -ip 1968
1⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1968 -ip 1968
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1968 -ip 1968
1⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1968 -ip 1968
1⤵
PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7c7de9fb63aa568e0e67e32be3bb23a0N.exe

Filesize
960KB

MD5
09603de9e83bdb374fc3a7786e6f9d9b

SHA1
e99120a370d20156beb1571cbf52a0acbdd62d56

SHA256
5c2c7651a501e024effb0cccf41bbae6fae8b5e3392d5d70854a1714a836663b

SHA512
db59595da786451f4ca2e61fa21abdc50a0e3db236e487c356e1cae8c9ee7548c0d57c990a65e44adf89102f28fd44c7f97fc05a8fbace721075a2a87ddba1c4

Download Submit
memory/1968-7-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1968-8-0x0000000004FB0000-0x000000000509F000-memory.dmp

Filesize
956KB

Download
memory/1968-10-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1968-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1968-27-0x000000000B9C0000-0x000000000BA63000-memory.dmp

Filesize
652KB

Download
memory/1968-28-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3120-0-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3120-6-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download

Analysis

Sharing