6b16fd76e7286ae01419766ccd8e87ff5a3767b7d2c344add605125a8ce68603

General

Target

b7abf1fad5b898b5d54a54571e3b2890N.exe
Size

1.6MB
MD5

b7abf1fad5b898b5d54a54571e3b2890
SHA1

95b4dcee4b247c831e845b784be651b0dc194638
SHA256

6b16fd76e7286ae01419766ccd8e87ff5a3767b7d2c344add605125a8ce68603
SHA512

ea431bc0d7282fbc94762be49a63f2d3b3a28c113bdcdb0f87945d7350ca8f5575dcc7a41e3c94653d23923844624709627bda052057ee7f295cbafb5141e19c
SSDEEP

49152:k3FvTMFQW5cAFcICbgtWl4mrbYE+3Mq0deC76CHdRyD:GFvoGAZCUWl4mrE9SQC76CHdRyD

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2992	b7abf1fad5b898b5d54a54571e3b2890N.exe

Executes dropped EXE 1 IoCs

pid	Process
2992	b7abf1fad5b898b5d54a54571e3b2890N.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	pastebin.com
26	pastebin.com

Program crash 14 IoCs

pid	pid_target	Process	procid_target
3096	2328	WerFault.exe	84
4832	2992	WerFault.exe	92
3028	2992	WerFault.exe	92
4132	2992	WerFault.exe	92
4796	2992	WerFault.exe	92
2156	2992	WerFault.exe	92
4016	2992	WerFault.exe	92
4684	2992	WerFault.exe	92
2352	2992	WerFault.exe	92
3952	2992	WerFault.exe	92
456	2992	WerFault.exe	92
4768	2992	WerFault.exe	92
1400	2992	WerFault.exe	92
1796	2992	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7abf1fad5b898b5d54a54571e3b2890N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7abf1fad5b898b5d54a54571e3b2890N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2992	b7abf1fad5b898b5d54a54571e3b2890N.exe
2992	b7abf1fad5b898b5d54a54571e3b2890N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2328	b7abf1fad5b898b5d54a54571e3b2890N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2992	b7abf1fad5b898b5d54a54571e3b2890N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2992	2328	b7abf1fad5b898b5d54a54571e3b2890N.exe	92
PID 2328 wrote to memory of 2992	2328	b7abf1fad5b898b5d54a54571e3b2890N.exe	92
PID 2328 wrote to memory of 2992	2328	b7abf1fad5b898b5d54a54571e3b2890N.exe	92

C:\Users\Admin\AppData\Local\Temp\b7abf1fad5b898b5d54a54571e3b2890N.exe
"C:\Users\Admin\AppData\Local\Temp\b7abf1fad5b898b5d54a54571e3b2890N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 312
  2⤵
  - Program crash
  PID:3096
- C:\Users\Admin\AppData\Local\Temp\b7abf1fad5b898b5d54a54571e3b2890N.exe
  C:\Users\Admin\AppData\Local\Temp\b7abf1fad5b898b5d54a54571e3b2890N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 344
    3⤵
    - Program crash
    PID:4832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 628
    3⤵
    - Program crash
    PID:3028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 628
    3⤵
    - Program crash
    PID:4132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 692
    3⤵
    - Program crash
    PID:4796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 728
    3⤵
    - Program crash
    PID:2156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1012
    3⤵
    - Program crash
    PID:4016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1400
    3⤵
    - Program crash
    PID:4684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1476
    3⤵
    - Program crash
    PID:2352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1448
    3⤵
    - Program crash
    PID:3952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1508
    3⤵
    - Program crash
    PID:456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1496
    3⤵
    - Program crash
    PID:4768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1520
    3⤵
    - Program crash
    PID:1400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1472
    3⤵
    - Program crash
    PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2328 -ip 2328
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2992 -ip 2992
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2992 -ip 2992
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2992 -ip 2992
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2992 -ip 2992
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2992 -ip 2992
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2992 -ip 2992
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2992 -ip 2992
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2992 -ip 2992
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2992 -ip 2992
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2992 -ip 2992
1⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2992 -ip 2992
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2992 -ip 2992
1⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2992 -ip 2992
1⤵
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b7abf1fad5b898b5d54a54571e3b2890N.exe

Filesize
1.6MB

MD5
89fd1e57da064fabc90bd64e6884ab7a

SHA1
4c676398d4dd8cd5ad9fbec801cc3a67c30c31f4

SHA256
194f38615634bf275a6fb62790e069e97d9523d7f762a3f4bfda0dfffb128a55

SHA512
506e24d8c244355de777943ff7fcfbbe3e4e3170f06373b442b670ce5b3f9b2b01ba99dd5cb82485c9dccaf44169aa55c5f1e60bd2d4ce316c41ac104e84e1c8

Download Submit
memory/2328-0-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2328-6-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2992-7-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2992-8-0x0000000005080000-0x0000000005172000-memory.dmp

Filesize
968KB

Download
memory/2992-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2992-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2992-27-0x000000000B9B0000-0x000000000BA53000-memory.dmp

Filesize
652KB

Download
memory/2992-28-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download

Analysis

Sharing