fc92d3d8f7e2fbe4fb3c383f2356e4be26b1e25d56c055063f8a3749d3aac85f

General

Target

a1d1f8bef1fbd0d181295a3b804a2c30N.exe
Size

1.4MB
MD5

a1d1f8bef1fbd0d181295a3b804a2c30
SHA1

be5c8c98517770065b6b0051d55ed2762a3d9f70
SHA256

fc92d3d8f7e2fbe4fb3c383f2356e4be26b1e25d56c055063f8a3749d3aac85f
SHA512

aca3c03e431c6516075c55bc954c14e60d961aecbbc9882e74a624b824170479926745414f6f61f2f99a08b3ed732ccd1882669a0e250f1febde570f48b855f0
SSDEEP

24576:tOdwVp+OzfQUbTbJGAuYiXFUdPCFsbO3a/ZS1iT77Lv+f6T8Qnskb2i6OBKaBuL:Eap+Onb85YiXFUCFsbagsiTbq4TTC

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3684	a1d1f8bef1fbd0d181295a3b804a2c30N.exe

Executes dropped EXE 1 IoCs

pid	Process
3684	a1d1f8bef1fbd0d181295a3b804a2c30N.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	pastebin.com
21	pastebin.com

Program crash 14 IoCs

pid	pid_target	Process	procid_target
1824	1772	WerFault.exe	83
4204	3684	WerFault.exe	91
64	3684	WerFault.exe	91
3048	3684	WerFault.exe	91
832	3684	WerFault.exe	91
472	3684	WerFault.exe	91
1464	3684	WerFault.exe	91
4332	3684	WerFault.exe	91
456	3684	WerFault.exe	91
4064	3684	WerFault.exe	91
1176	3684	WerFault.exe	91
1640	3684	WerFault.exe	91
2124	3684	WerFault.exe	91
4076	3684	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1d1f8bef1fbd0d181295a3b804a2c30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1d1f8bef1fbd0d181295a3b804a2c30N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3684	a1d1f8bef1fbd0d181295a3b804a2c30N.exe
3684	a1d1f8bef1fbd0d181295a3b804a2c30N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1772	a1d1f8bef1fbd0d181295a3b804a2c30N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3684	a1d1f8bef1fbd0d181295a3b804a2c30N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 3684	1772	a1d1f8bef1fbd0d181295a3b804a2c30N.exe	91
PID 1772 wrote to memory of 3684	1772	a1d1f8bef1fbd0d181295a3b804a2c30N.exe	91
PID 1772 wrote to memory of 3684	1772	a1d1f8bef1fbd0d181295a3b804a2c30N.exe	91

C:\Users\Admin\AppData\Local\Temp\a1d1f8bef1fbd0d181295a3b804a2c30N.exe
"C:\Users\Admin\AppData\Local\Temp\a1d1f8bef1fbd0d181295a3b804a2c30N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 344
  2⤵
  - Program crash
  PID:1824
- C:\Users\Admin\AppData\Local\Temp\a1d1f8bef1fbd0d181295a3b804a2c30N.exe
  C:\Users\Admin\AppData\Local\Temp\a1d1f8bef1fbd0d181295a3b804a2c30N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:3684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 344
    3⤵
    - Program crash
    PID:4204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 616
    3⤵
    - Program crash
    PID:64
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 636
    3⤵
    - Program crash
    PID:3048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 700
    3⤵
    - Program crash
    PID:832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 760
    3⤵
    - Program crash
    PID:472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 892
    3⤵
    - Program crash
    PID:1464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1404
    3⤵
    - Program crash
    PID:4332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1412
    3⤵
    - Program crash
    PID:456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1492
    3⤵
    - Program crash
    PID:4064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1464
    3⤵
    - Program crash
    PID:1176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1648
    3⤵
    - Program crash
    PID:1640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1484
    3⤵
    - Program crash
    PID:2124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1640
    3⤵
    - Program crash
    PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1772 -ip 1772
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3684 -ip 3684
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3684 -ip 3684
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3684 -ip 3684
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3684 -ip 3684
1⤵
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3684 -ip 3684
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3684 -ip 3684
1⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3684 -ip 3684
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3684 -ip 3684
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3684 -ip 3684
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3684 -ip 3684
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3684 -ip 3684
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3684 -ip 3684
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3684 -ip 3684
1⤵
PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a1d1f8bef1fbd0d181295a3b804a2c30N.exe

Filesize
1.4MB

MD5
8d1391b2c95238a042c935d8a08a3ad9

SHA1
dfc0f703159a8642657eb8338cbaeeec60ca0685

SHA256
4ffb2216a8564c6808a7e4ee8c08633ef116d6faf7a19e69f2576f39cd07c2ba

SHA512
ef1a43ca3181fe72648c7635bbbd8c25649d3f2357a0114b9fdf4e99e74a82ae5482e55290cdce8da3a851eb69fd3b48f45742faeb4899773f3a7521cc554e06

Download Submit
memory/1772-0-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1772-6-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3684-7-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3684-8-0x0000000004F70000-0x0000000005060000-memory.dmp

Filesize
960KB

Download
memory/3684-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3684-27-0x000000000B9B0000-0x000000000BA53000-memory.dmp

Filesize
652KB

Download
memory/3684-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3684-28-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download

Analysis

Sharing