d51eff0aa1f9bcf2a3d4b6fbe4bc182b9d143fec77e32f925470162015bc01e3

General

Target

819349010582ddcb4e0505b581b34670N.exe
Size

1.4MB
MD5

819349010582ddcb4e0505b581b34670
SHA1

3f530bd5dc2b56f81365d2372455df478d3b877a
SHA256

d51eff0aa1f9bcf2a3d4b6fbe4bc182b9d143fec77e32f925470162015bc01e3
SHA512

08a227caf82114a0aa631883743e8be478e04f8d4f068753603a1b80afdeaeda91c5ec8668346c3bf2a605ed8b04eb3364b2aa8b2b43eb0de9ab30eeb979fe87
SSDEEP

24576:DZ+k1bZfp943uaVy+nZFdiNOa/ZSNHFp77Lv+f6T8Qnskb2i6OBKaBBbxQ:DZ+WpObasgCHFpbq4TTJbG

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4760	819349010582ddcb4e0505b581b34670N.exe

Executes dropped EXE 1 IoCs

pid	Process
4760	819349010582ddcb4e0505b581b34670N.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
12	pastebin.com

Program crash 15 IoCs

pid	pid_target	Process	procid_target
3780	4952	WerFault.exe	83
3636	4760	WerFault.exe	91
4596	4760	WerFault.exe	91
4404	4760	WerFault.exe	91
2008	4760	WerFault.exe	91
4508	4760	WerFault.exe	91
4588	4760	WerFault.exe	91
3572	4760	WerFault.exe	91
1348	4760	WerFault.exe	91
3844	4760	WerFault.exe	91
3600	4760	WerFault.exe	91
824	4760	WerFault.exe	91
4676	4760	WerFault.exe	91
664	4760	WerFault.exe	91
1300	4760	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	819349010582ddcb4e0505b581b34670N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	819349010582ddcb4e0505b581b34670N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4760	819349010582ddcb4e0505b581b34670N.exe
4760	819349010582ddcb4e0505b581b34670N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4952	819349010582ddcb4e0505b581b34670N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4760	819349010582ddcb4e0505b581b34670N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 4760	4952	819349010582ddcb4e0505b581b34670N.exe	91
PID 4952 wrote to memory of 4760	4952	819349010582ddcb4e0505b581b34670N.exe	91
PID 4952 wrote to memory of 4760	4952	819349010582ddcb4e0505b581b34670N.exe	91

C:\Users\Admin\AppData\Local\Temp\819349010582ddcb4e0505b581b34670N.exe
"C:\Users\Admin\AppData\Local\Temp\819349010582ddcb4e0505b581b34670N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 352
  2⤵
  - Program crash
  PID:3780
- C:\Users\Admin\AppData\Local\Temp\819349010582ddcb4e0505b581b34670N.exe
  C:\Users\Admin\AppData\Local\Temp\819349010582ddcb4e0505b581b34670N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 344
    3⤵
    - Program crash
    PID:3636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 628
    3⤵
    - Program crash
    PID:4596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 676
    3⤵
    - Program crash
    PID:4404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 696
    3⤵
    - Program crash
    PID:2008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 688
    3⤵
    - Program crash
    PID:4508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 980
    3⤵
    - Program crash
    PID:4588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1408
    3⤵
    - Program crash
    PID:3572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1392
    3⤵
    - Program crash
    PID:1348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1460
    3⤵
    - Program crash
    PID:3844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1692
    3⤵
    - Program crash
    PID:3600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1472
    3⤵
    - Program crash
    PID:824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1668
    3⤵
    - Program crash
    PID:4676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1448
    3⤵
    - Program crash
    PID:664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1468
    3⤵
    - Program crash
    PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4952 -ip 4952
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4760 -ip 4760
1⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4760 -ip 4760
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4760 -ip 4760
1⤵
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4760 -ip 4760
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4760 -ip 4760
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4760 -ip 4760
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4760 -ip 4760
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4760 -ip 4760
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4760 -ip 4760
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4760 -ip 4760
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4760 -ip 4760
1⤵
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4760 -ip 4760
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4760 -ip 4760
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4760 -ip 4760
1⤵
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\819349010582ddcb4e0505b581b34670N.exe

Filesize
1.4MB

MD5
361089fd3c2d15f2964c718a22f08dfa

SHA1
874f96e013e983de2033d9da52e3f03fc899f88d

SHA256
db932dec8747ab514a36a6d06cf530941c986930016566cca8f6e1d21ae109eb

SHA512
c1f61614e7a2d037333fbb03d1c9d101c51ba5d6ac09e2439d9c152aefda134439ec11e492bc1b3a81128046eeb787bf1ce4a218537652bc383d50285ffa941a

Download Submit
memory/4760-7-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/4760-8-0x0000000005070000-0x000000000515D000-memory.dmp

Filesize
948KB

Download
memory/4760-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4760-29-0x000000000B9D0000-0x000000000BA73000-memory.dmp

Filesize
652KB

Download
memory/4760-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4760-30-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/4952-0-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/4952-6-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download

Analysis

Sharing