Analysis
- max time kernel: 100s
- max time network: 115s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-08-2024 15:02
Static task: static1
Behavioral task: behavioral1
- Sample: 3abccfd3a85f85888dcbc2836859d290N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 3abccfd3a85f85888dcbc2836859d290N.exe
- Resource: win10v2004-20240802-en
General
- Target: 3abccfd3a85f85888dcbc2836859d290N.exe
- Size: 5.0MB
- MD5: 3abccfd3a85f85888dcbc2836859d290
- SHA1: 75e8d70dc3f27adc32f34f346248bee7cb45f27d
- SHA256: 81f99c5b0327626eb7d5a5e804df898ae26229f9e5f4a0f42c374ee9f8387d63
- SHA512: f47ae1ddd50d4c4ae29ad04777a7d14cdd78198bb9c1a2391da00ac187594432c1ee465c0b8964135b001268c614567232269e7a72a36e68f1312486e2292d10
- SSDEEP: 98304:W2igfeezuE4KFtaEkQQQAEXytvZi8eue8RQQW1SjPI5VZhQQAEXytvZi8eue8:W2igGgxFtaEkQpOfpPChpO
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 3196, Process 3abccfd3a85f85888dcbc2836859d290N.exe
- Executes dropped EXE (1 IoC)
  pid 3196, Process 3abccfd3a85f85888dcbc2836859d290N.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 14: pastebin.com
  flow 15: pastebin.com
- Program crash (15 IoCs)
  pid   pid_target  Process       procid_target
  3936  1412        WerFault.exe  86
  3300  3196        WerFault.exe  93
  1320  3196        WerFault.exe  93
  1884  3196        WerFault.exe  93
  4184  3196        WerFault.exe  93
  3176  3196        WerFault.exe  93
  1488  3196        WerFault.exe  93
  1668  3196        WerFault.exe  93
  3468  3196        WerFault.exe  93
  3660  3196        WerFault.exe  93
  1756  3196        WerFault.exe  93
  640   3196        WerFault.exe  93
  1604  3196        WerFault.exe  93
  3772  3196        WerFault.exe  93
  1704  3196        WerFault.exe  93
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: 3abccfd3a85f85888dcbc2836859d290N.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: 3abccfd3a85f85888dcbc2836859d290N.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 3196, Process 3abccfd3a85f85888dcbc2836859d290N.exe
  pid 3196, Process 3abccfd3a85f85888dcbc2836859d290N.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid 1412, Process 3abccfd3a85f85888dcbc2836859d290N.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid 3196, Process 3abccfd3a85f85888dcbc2836859d290N.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 1412 wrote to memory of 3196, pid 1412, Process 3abccfd3a85f85888dcbc2836859d290N.exe, procid_target 93
  description: PID 1412 wrote to memory of 3196, pid 1412, Process 3abccfd3a85f85888dcbc2836859d290N.exe, procid_target 93
  description: PID 1412 wrote to memory of 3196, pid 1412, Process 3abccfd3a85f85888dcbc2836859d290N.exe, procid_target 93
Processes
- "C:\Users\Admin\AppData\Local\Temp\3abccfd3a85f85888dcbc2836859d290N.exe" (PID:1412)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 352 (PID:3936)
    - Program crash
  - C:\Users\Admin\AppData\Local\Temp\3abccfd3a85f85888dcbc2836859d290N.exe (PID:3196)
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 344 (PID:3300)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 636 (PID:1320)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 676 (PID:1884)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 668 (PID:4184)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 700 (PID:3176)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 904 (PID:1488)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1408 (PID:1668)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1524 (PID:3468)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1480 (PID:3660)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1696 (PID:1756)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1656 (PID:640)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1528 (PID:1604)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1408 (PID:3772)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1492 (PID:1704)
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1412 -ip 1412 (PID:3704)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3196 -ip 3196 (PID:4420)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3196 -ip 3196 (PID:656)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3196 -ip 3196 (PID:1380)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3196 -ip 3196 (PID:668)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3196 -ip 3196 (PID:2404)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3196 -ip 3196 (PID:5088)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3196 -ip 3196 (PID:4848)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3196 -ip 3196 (PID:4280)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3196 -ip 3196 (PID:1052)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3196 -ip 3196 (PID:3532)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3196 -ip 3196 (PID:1044)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3196 -ip 3196 (PID:4044)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3196 -ip 3196 (PID:2536)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3196 -ip 3196 (PID:1056)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5.0MB
  MD5: baf476cba1ddf00e2ecef6da2fc0abda
  SHA1: e2d5eaa7c2fc77ba0598e6dafa40d4b03875c62c
  SHA256: 5e6fbd6bbcc3fd80e3f0d1cf408be6cbe31262e63bca60525fe21a33f86cc426
  SHA512: 56acacb6d55fbba2cd0efbae16c8e4e653a2bf81e55d7646dd3ae18d6f828371fe622baa032274d896f179b6dbaef4ecb6e16f02657984a31327f61f8e014551