375e9b2d95623dbbdea44bb55a54e689f4412769ea6b709b0a71a963760c0b05

General

Target

f97c8f5a8fe3c6eb5ecc580e90e22250N.exe
Size

2.1MB
MD5

f97c8f5a8fe3c6eb5ecc580e90e22250
SHA1

f22a95d9d336b59cbf5a195bc95bab6e09f17ded
SHA256

375e9b2d95623dbbdea44bb55a54e689f4412769ea6b709b0a71a963760c0b05
SHA512

e9f1d80a7b7faced723810c569909d211bc62c43f57d7a74a65d58f4ca686bb571a53b9c864cc39a26e8cf2f226a08fd5b2d487f75fe9846890d305a509cee9d
SSDEEP

49152:ZL4PLgVU7Jad3EEGbl+gOFtaEkQbExL5IOwzC8NDXy/FBhZIFUe8eueq:ZU0VU92jYqFtaEkQQQAEXytvZi8eueq

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4892	f97c8f5a8fe3c6eb5ecc580e90e22250N.exe

Executes dropped EXE 1 IoCs

pid	Process
4892	f97c8f5a8fe3c6eb5ecc580e90e22250N.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	pastebin.com
20	pastebin.com

Program crash 14 IoCs

pid	pid_target	Process	procid_target
2012	4288	WerFault.exe	83
720	4892	WerFault.exe	91
1564	4892	WerFault.exe	91
3224	4892	WerFault.exe	91
4548	4892	WerFault.exe	91
3168	4892	WerFault.exe	91
2388	4892	WerFault.exe	91
3520	4892	WerFault.exe	91
1384	4892	WerFault.exe	91
1592	4892	WerFault.exe	91
2288	4892	WerFault.exe	91
4208	4892	WerFault.exe	91
224	4892	WerFault.exe	91
1616	4892	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f97c8f5a8fe3c6eb5ecc580e90e22250N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f97c8f5a8fe3c6eb5ecc580e90e22250N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4892	f97c8f5a8fe3c6eb5ecc580e90e22250N.exe
4892	f97c8f5a8fe3c6eb5ecc580e90e22250N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4288	f97c8f5a8fe3c6eb5ecc580e90e22250N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4892	f97c8f5a8fe3c6eb5ecc580e90e22250N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 4892	4288	f97c8f5a8fe3c6eb5ecc580e90e22250N.exe	91
PID 4288 wrote to memory of 4892	4288	f97c8f5a8fe3c6eb5ecc580e90e22250N.exe	91
PID 4288 wrote to memory of 4892	4288	f97c8f5a8fe3c6eb5ecc580e90e22250N.exe	91

C:\Users\Admin\AppData\Local\Temp\f97c8f5a8fe3c6eb5ecc580e90e22250N.exe
"C:\Users\Admin\AppData\Local\Temp\f97c8f5a8fe3c6eb5ecc580e90e22250N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 344
  2⤵
  - Program crash
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\f97c8f5a8fe3c6eb5ecc580e90e22250N.exe
  C:\Users\Admin\AppData\Local\Temp\f97c8f5a8fe3c6eb5ecc580e90e22250N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 344
    3⤵
    - Program crash
    PID:720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 616
    3⤵
    - Program crash
    PID:1564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 616
    3⤵
    - Program crash
    PID:3224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 616
    3⤵
    - Program crash
    PID:4548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 704
    3⤵
    - Program crash
    PID:3168
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 900
    3⤵
    - Program crash
    PID:2388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1408
    3⤵
    - Program crash
    PID:3520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1468
    3⤵
    - Program crash
    PID:1384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1480
    3⤵
    - Program crash
    PID:1592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1648
    3⤵
    - Program crash
    PID:2288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1692
    3⤵
    - Program crash
    PID:4208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1732
    3⤵
    - Program crash
    PID:224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1496
    3⤵
    - Program crash
    PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4288 -ip 4288
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4892 -ip 4892
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4892 -ip 4892
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4892 -ip 4892
1⤵
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4892 -ip 4892
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4892 -ip 4892
1⤵
PID:244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4892 -ip 4892
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4892 -ip 4892
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4892 -ip 4892
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4892 -ip 4892
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4892 -ip 4892
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4892 -ip 4892
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4892 -ip 4892
1⤵
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4892 -ip 4892
1⤵
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f97c8f5a8fe3c6eb5ecc580e90e22250N.exe

Filesize
2.1MB

MD5
e1e30f828164ec647172601f5908d154

SHA1
d1c7dc31aed2dc3e7481235a9c673fa0cf30bc17

SHA256
0656909375aaafb41b4c867c7d28337bd83591f8e7b30fdb742c4ab230713573

SHA512
38bde2ee73f52c33c555869be9aed04c828d22fe879762cf6c85dbc8261e0d17a8d68cf800a070d2ea5498d640104ef49da25f520cf538a829063ddac0e50a30

Download Submit
memory/4288-0-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4288-6-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4892-7-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4892-8-0x0000000005020000-0x0000000005111000-memory.dmp

Filesize
964KB

Download
memory/4892-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4892-27-0x000000000B9C0000-0x000000000BA63000-memory.dmp

Filesize
652KB

Download
memory/4892-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4892-28-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download

Analysis

Sharing