add21e05e98604929038b131b2d0be3d5ca3e1463d7e81589b27828e6b2f509b

General

Target

23fa4286ebd1ab5f89e5052692b3d4b0N.exe
Size

501KB
MD5

23fa4286ebd1ab5f89e5052692b3d4b0
SHA1

11d8684e778d53dd8db97c9029c7db097b9e4771
SHA256

add21e05e98604929038b131b2d0be3d5ca3e1463d7e81589b27828e6b2f509b
SHA512

c88e60d1eae82c6e180213270b1dbba9a545a1318f9796bea797a5f2f7da64151ce0effad709d35021122bba4011677ed115ab2d0f5e7eed4a1c4bfff95be365
SSDEEP

12288:0UKMeQiwQSwCfodYgMD/G3hu/Gg5p+ou/Tco7u4Li:0Uw1wQSwCGE/I8b+LI2

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3956	23fa4286ebd1ab5f89e5052692b3d4b0N.exe

Executes dropped EXE 1 IoCs

pid	Process
3956	23fa4286ebd1ab5f89e5052692b3d4b0N.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/972-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x00080000000234d4-12.dat	upx
behavioral2/memory/3956-14-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
13	pastebin.com

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4220	3956	WerFault.exe	85
3852	3956	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23fa4286ebd1ab5f89e5052692b3d4b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23fa4286ebd1ab5f89e5052692b3d4b0N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1516	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
972	23fa4286ebd1ab5f89e5052692b3d4b0N.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
972	23fa4286ebd1ab5f89e5052692b3d4b0N.exe
3956	23fa4286ebd1ab5f89e5052692b3d4b0N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 3956	972	23fa4286ebd1ab5f89e5052692b3d4b0N.exe	85
PID 972 wrote to memory of 3956	972	23fa4286ebd1ab5f89e5052692b3d4b0N.exe	85
PID 972 wrote to memory of 3956	972	23fa4286ebd1ab5f89e5052692b3d4b0N.exe	85
PID 3956 wrote to memory of 1516	3956	23fa4286ebd1ab5f89e5052692b3d4b0N.exe	86
PID 3956 wrote to memory of 1516	3956	23fa4286ebd1ab5f89e5052692b3d4b0N.exe	86
PID 3956 wrote to memory of 1516	3956	23fa4286ebd1ab5f89e5052692b3d4b0N.exe	86
PID 3956 wrote to memory of 3464	3956	23fa4286ebd1ab5f89e5052692b3d4b0N.exe	88
PID 3956 wrote to memory of 3464	3956	23fa4286ebd1ab5f89e5052692b3d4b0N.exe	88
PID 3956 wrote to memory of 3464	3956	23fa4286ebd1ab5f89e5052692b3d4b0N.exe	88
PID 3464 wrote to memory of 2952	3464	cmd.exe	90
PID 3464 wrote to memory of 2952	3464	cmd.exe	90
PID 3464 wrote to memory of 2952	3464	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\23fa4286ebd1ab5f89e5052692b3d4b0N.exe
"C:\Users\Admin\AppData\Local\Temp\23fa4286ebd1ab5f89e5052692b3d4b0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:972
- C:\Users\Admin\AppData\Local\Temp\23fa4286ebd1ab5f89e5052692b3d4b0N.exe
  C:\Users\Admin\AppData\Local\Temp\23fa4286ebd1ab5f89e5052692b3d4b0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\23fa4286ebd1ab5f89e5052692b3d4b0N.exe" /TN 4k6UDcnU35b0 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN 4k6UDcnU35b0 > C:\Users\Admin\AppData\Local\Temp\mTSar5Wd.xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN 4k6UDcnU35b0
      4⤵
      System Location Discovery: System Language Discovery
      PID:2952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 608
    3⤵
    - Program crash
    PID:4220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 628
    3⤵
    - Program crash
    PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3956 -ip 3956
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3956 -ip 3956
1⤵
PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\23fa4286ebd1ab5f89e5052692b3d4b0N.exe

Filesize
501KB

MD5
53730763e2a3cb19bbfbf441bd5488d1

SHA1
5eab0b1af2abdd89d48ccca3b90dfd2d30324217

SHA256
54bbe8fc13a3bf955dbfac10e743f551e29d926b1fd34e25afdb51d0e4e60bd9

SHA512
96cd0f3ad9af8811b6614621fbae155eb7a164a6ef044755ba73fac8c9daae3485c32391ffa2e6088e7ed1594e7296ff8d8a33a62e17abc0f3bb0dec0eadd098

Download Submit
C:\Users\Admin\AppData\Local\Temp\mTSar5Wd.xml

Filesize
1KB

MD5
580c58419e91c7ab3747f7a68628df8f

SHA1
70873d8e7aba82c4a1d1ff0c92ab7d438d843fc9

SHA256
1761b2b30b89feefebebe156377a5bdef06c07d5910eed05cb7ab81da1d7f4bf

SHA512
537b4720d95824982f2ac28878c5736f93289de90a69d09d1b716a36bca1fa4c6944b9c8c051821b0f19c5c62a3c1ae7afc5e5b50cadbcc76687b24c9ebf9e63

Download Submit
memory/972-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/972-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/972-7-0x0000000026030000-0x00000000260AE000-memory.dmp

Filesize
504KB

Download
memory/972-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3956-14-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3956-21-0x0000000025050000-0x00000000250CE000-memory.dmp

Filesize
504KB

Download
memory/3956-22-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/3956-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3956-45-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads