Analysis
- max time kernel: 104s
- max time network: 117s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/08/2024, 10:09
Static task: static1
Behavioral task: behavioral1
- Sample: 3e5165aeda9ff532d44c0b2a85da72c0N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 3e5165aeda9ff532d44c0b2a85da72c0N.exe
- Resource: win10v2004-20240802-en
General
- Target: 3e5165aeda9ff532d44c0b2a85da72c0N.exe
- Size: 1.2MB
- MD5: 3e5165aeda9ff532d44c0b2a85da72c0
- SHA1: c9b0573c8b6557ff219e3a91038654fe64ab16b0
- SHA256: 56217fbcfcdcddb213a05093c6b65587a98f96dd46ea819273dcf1db50bfba89
- SHA512: e676f3dc626d2f3eb6c85ee9e8b1102f73bd3b9acf1bc1cfadd52c0a7786a5931475592cc569b536ffbfcca8da498113996bef55369fad027f984659bb771231
- SSDEEP: 24576:wfrDlLNAzTQdWdzD1t5i3a/ZSW77Lv+f6T8Qnskb2i6OEE:wjAIdWzDNi3ghbq4TyE
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid | Process
  2012 | 3e5165aeda9ff532d44c0b2a85da72c0N.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2012 | 3e5165aeda9ff532d44c0b2a85da72c0N.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow | ioc
  15 | pastebin.com
  16 | pastebin.com
- Program crash (14 IoCs)
  pid | pid_target | Process | procid_target
  2800 | 3300 | WerFault.exe | 83
  2188 | 2012 | WerFault.exe | 91
  1568 | 2012 | WerFault.exe | 91
  2540 | 2012 | WerFault.exe | 91
  4676 | 2012 | WerFault.exe | 91
  4660 | 2012 | WerFault.exe | 91
  4184 | 2012 | WerFault.exe | 91
  2760 | 2012 | WerFault.exe | 91
  4572 | 2012 | WerFault.exe | 91
  3636 | 2012 | WerFault.exe | 91
  4664 | 2012 | WerFault.exe | 91
  1412 | 2012 | WerFault.exe | 91
  4560 | 2012 | WerFault.exe | 91
  2960 | 2012 | WerFault.exe | 91
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3e5165aeda9ff532d44c0b2a85da72c0N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3e5165aeda9ff532d44c0b2a85da72c0N.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2012 | 3e5165aeda9ff532d44c0b2a85da72c0N.exe
  2012 | 3e5165aeda9ff532d44c0b2a85da72c0N.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  3300 | 3e5165aeda9ff532d44c0b2a85da72c0N.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid | Process
  2012 | 3e5165aeda9ff532d44c0b2a85da72c0N.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3300 wrote to memory of 2012 | 3300 | 3e5165aeda9ff532d44c0b2a85da72c0N.exe | 91
  PID 3300 wrote to memory of 2012 | 3300 | 3e5165aeda9ff532d44c0b2a85da72c0N.exe | 91
  PID 3300 wrote to memory of 2012 | 3300 | 3e5165aeda9ff532d44c0b2a85da72c0N.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe (PID 3300)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe"
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WerFault.exe (PID 2800)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 344
    Signatures:
    - Program crash
  - C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe (PID 2012)
    Command line: C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe
    Signatures:
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    Child processes:
    - C:\Windows\SysWOW64\WerFault.exe (PID 2188)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 344
      Signatures:
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 1568)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 628
      Signatures:
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 2540)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 648
      Signatures:
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 4676)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 648
      Signatures:
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 4660)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 740
      Signatures:
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 4184)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1016
      Signatures:
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 2760)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1408
      Signatures:
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 4572)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1508
      Signatures:
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 3636)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1520
      Signatures:
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 4664)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1512
      Signatures:
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 1412)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1652
      Signatures:
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 4560)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1512
      Signatures:
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 2960)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1536
      Signatures:
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 940)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3300 -ip 3300
- C:\Windows\SysWOW64\WerFault.exe (PID 3144)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2012 -ip 2012
- C:\Windows\SysWOW64\WerFault.exe (PID 1836)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2012 -ip 2012
- C:\Windows\SysWOW64\WerFault.exe (PID 2116)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2012 -ip 2012
- C:\Windows\SysWOW64\WerFault.exe (PID 64)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2012 -ip 2012
- C:\Windows\SysWOW64\WerFault.exe (PID 2004)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2012 -ip 2012
- C:\Windows\SysWOW64\WerFault.exe (PID 3136)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2012 -ip 2012
- C:\Windows\SysWOW64\WerFault.exe (PID 1512)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2012 -ip 2012
- C:\Windows\SysWOW64\WerFault.exe (PID 368)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2012 -ip 2012
- C:\Windows\SysWOW64\WerFault.exe (PID 396)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2012 -ip 2012
- C:\Windows\SysWOW64\WerFault.exe (PID 4900)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2012 -ip 2012
- C:\Windows\SysWOW64\WerFault.exe (PID 4396)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2012 -ip 2012
- C:\Windows\SysWOW64\WerFault.exe (PID 4992)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2012 -ip 2012
- C:\Windows\SysWOW64\WerFault.exe (PID 3264)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2012 -ip 2012
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.2MB
  MD5: 6312d7d1f0874f3510bbeb6a899a234f
  SHA1: c0b475a68085b10c49023b0ea6fd3bdc607333b4
  SHA256: 59d38bcc7fa2cd36c052cae065762fad69a4f35a58d74dfa8dc8e96348251b7d
  SHA512: 3db7c8a55444f6dda61e22cc15465813a88dbf214437b8cf08f64f090089b32b0da72bfe6ddc0d2552740830507a015e9894986121e85cc6b767f6bebd68916c