854059e0502b82c07b64899a60a3550cb68534b9aac9440f93350bdf920f9bfe

General

Target

854059e0502b82c07b64899a60a3550cb68534b9aac9440f93350bdf920f9bfe.exe
Size

1.4MB
MD5

379326a1382c4041bc173e46acb40eca
SHA1

c954c5a81c60f775878fc2c86b61c4e9b48027a8
SHA256

854059e0502b82c07b64899a60a3550cb68534b9aac9440f93350bdf920f9bfe
SHA512

a88e680871df9ad9434d67620722fc51aa2736046e8e0cba459553156f1b2bc4eb838d1596110af5ee73afd2fc2fc5d9aa9cf5587c1c9b146006161d7a2a92c8
SSDEEP

24576:LumqXw8ZJiK9/5EBWmVva/ZSNHFp77Lv+f6T8Qnskb2i6OBKaBBbxQ:OwDsxEBWmVvgCHFpbq4TTJbG

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2872	854059e0502b82c07b64899a60a3550cb68534b9aac9440f93350bdf920f9bfe.exe

Executes dropped EXE 1 IoCs

pid	Process
2872	854059e0502b82c07b64899a60a3550cb68534b9aac9440f93350bdf920f9bfe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	pastebin.com
20	pastebin.com

Program crash 15 IoCs

pid	pid_target	Process	procid_target
456	4736	WerFault.exe	83
4996	2872	WerFault.exe	91
4112	2872	WerFault.exe	91
2164	2872	WerFault.exe	91
2420	2872	WerFault.exe	91
1060	2872	WerFault.exe	91
4916	2872	WerFault.exe	91
4672	2872	WerFault.exe	91
3900	2872	WerFault.exe	91
4436	2872	WerFault.exe	91
4620	2872	WerFault.exe	91
3528	2872	WerFault.exe	91
2000	2872	WerFault.exe	91
4288	2872	WerFault.exe	91
3956	2872	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	854059e0502b82c07b64899a60a3550cb68534b9aac9440f93350bdf920f9bfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	854059e0502b82c07b64899a60a3550cb68534b9aac9440f93350bdf920f9bfe.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2872	854059e0502b82c07b64899a60a3550cb68534b9aac9440f93350bdf920f9bfe.exe
2872	854059e0502b82c07b64899a60a3550cb68534b9aac9440f93350bdf920f9bfe.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4736	854059e0502b82c07b64899a60a3550cb68534b9aac9440f93350bdf920f9bfe.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2872	854059e0502b82c07b64899a60a3550cb68534b9aac9440f93350bdf920f9bfe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 2872	4736	854059e0502b82c07b64899a60a3550cb68534b9aac9440f93350bdf920f9bfe.exe	91
PID 4736 wrote to memory of 2872	4736	854059e0502b82c07b64899a60a3550cb68534b9aac9440f93350bdf920f9bfe.exe	91
PID 4736 wrote to memory of 2872	4736	854059e0502b82c07b64899a60a3550cb68534b9aac9440f93350bdf920f9bfe.exe	91

C:\Users\Admin\AppData\Local\Temp\854059e0502b82c07b64899a60a3550cb68534b9aac9440f93350bdf920f9bfe.exe
"C:\Users\Admin\AppData\Local\Temp\854059e0502b82c07b64899a60a3550cb68534b9aac9440f93350bdf920f9bfe.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 344
  2⤵
  - Program crash
  PID:456
- C:\Users\Admin\AppData\Local\Temp\854059e0502b82c07b64899a60a3550cb68534b9aac9440f93350bdf920f9bfe.exe
  C:\Users\Admin\AppData\Local\Temp\854059e0502b82c07b64899a60a3550cb68534b9aac9440f93350bdf920f9bfe.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 344
    3⤵
    - Program crash
    PID:4996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 628
    3⤵
    - Program crash
    PID:4112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 628
    3⤵
    - Program crash
    PID:2164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 628
    3⤵
    - Program crash
    PID:2420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 720
    3⤵
    - Program crash
    PID:1060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 924
    3⤵
    - Program crash
    PID:4916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1404
    3⤵
    - Program crash
    PID:4672
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1460
    3⤵
    - Program crash
    PID:3900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1476
    3⤵
    - Program crash
    PID:4436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1540
    3⤵
    - Program crash
    PID:4620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1524
    3⤵
    - Program crash
    PID:3528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1472
    3⤵
    - Program crash
    PID:2000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1532
    3⤵
    - Program crash
    PID:4288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 596
    3⤵
    - Program crash
    PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4736 -ip 4736
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2872 -ip 2872
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2872 -ip 2872
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2872 -ip 2872
1⤵
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2872 -ip 2872
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2872 -ip 2872
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2872 -ip 2872
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2872 -ip 2872
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2872 -ip 2872
1⤵
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2872 -ip 2872
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2872 -ip 2872
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2872 -ip 2872
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2872 -ip 2872
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2872 -ip 2872
1⤵
PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2872 -ip 2872
1⤵
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\854059e0502b82c07b64899a60a3550cb68534b9aac9440f93350bdf920f9bfe.exe

Filesize
1.4MB

MD5
23b85d96828ac2f084d54cd0f51ecc0e

SHA1
d7ebcf0e8797360991a28cf3f51c0589851f8dd7

SHA256
d0fd8d4ecaa42e14c35174a48ff36d64e284dcfd9026923fc7564dd238183cf6

SHA512
0bb337602cbba8f0c5b4fe6a4d2f301968f104fa22426f28413a99972b8d3a1baea39325be740c4c6138b137e622588330f8b781795c212faafa34b5fc8c69cb

Download Submit
memory/2872-7-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2872-8-0x0000000005060000-0x000000000514D000-memory.dmp

Filesize
948KB

Download
memory/2872-10-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2872-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-27-0x000000000C9F0000-0x000000000CA93000-memory.dmp

Filesize
652KB

Download
memory/2872-28-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/4736-0-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/4736-6-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download

Analysis

Sharing