507f1cf490012b139c9b33e5ef980e7375535379ae2a3854ce0204289f3a61a6

General

Target

507f1cf490012b139c9b33e5ef980e7375535379ae2a3854ce0204289f3a61a6N.exe
Size

1.0MB
MD5

55ea552c28a453b193fc5c3f198bec50
SHA1

40d947bb42ea364eeb68dec2f51fb397a046f7fa
SHA256

507f1cf490012b139c9b33e5ef980e7375535379ae2a3854ce0204289f3a61a6
SHA512

2f1272d722ba05807c9ff2fd0cff4aa8f975b2a48294ff5ae19e5c8fb37f223037acf3c8a354ae72aed64137bd745932cc4fb9bdc4d4a6c77269c40120aea881
SSDEEP

24576:msVaXLsJR0z/WbtibEQY7Cny+8a/ZSbH77Lv+f6T8f:mWJR0z/Wbki7+8g4Hbg

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2904	507f1cf490012b139c9b33e5ef980e7375535379ae2a3854ce0204289f3a61a6N.exe

Executes dropped EXE 1 IoCs

pid	Process
2904	507f1cf490012b139c9b33e5ef980e7375535379ae2a3854ce0204289f3a61a6N.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
12	pastebin.com

Program crash 15 IoCs

pid	pid_target	Process	procid_target
3192	2000	WerFault.exe	84
3064	2904	WerFault.exe	89
4688	2904	WerFault.exe	89
3916	2904	WerFault.exe	89
3584	2904	WerFault.exe	89
4120	2904	WerFault.exe	89
4004	2904	WerFault.exe	89
4892	2904	WerFault.exe	89
2892	2904	WerFault.exe	89
4904	2904	WerFault.exe	89
4732	2904	WerFault.exe	89
4884	2904	WerFault.exe	89
4428	2904	WerFault.exe	89
368	2904	WerFault.exe	89
3108	2904	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	507f1cf490012b139c9b33e5ef980e7375535379ae2a3854ce0204289f3a61a6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	507f1cf490012b139c9b33e5ef980e7375535379ae2a3854ce0204289f3a61a6N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2904	507f1cf490012b139c9b33e5ef980e7375535379ae2a3854ce0204289f3a61a6N.exe
2904	507f1cf490012b139c9b33e5ef980e7375535379ae2a3854ce0204289f3a61a6N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2000	507f1cf490012b139c9b33e5ef980e7375535379ae2a3854ce0204289f3a61a6N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2904	507f1cf490012b139c9b33e5ef980e7375535379ae2a3854ce0204289f3a61a6N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2904	2000	507f1cf490012b139c9b33e5ef980e7375535379ae2a3854ce0204289f3a61a6N.exe	89
PID 2000 wrote to memory of 2904	2000	507f1cf490012b139c9b33e5ef980e7375535379ae2a3854ce0204289f3a61a6N.exe	89
PID 2000 wrote to memory of 2904	2000	507f1cf490012b139c9b33e5ef980e7375535379ae2a3854ce0204289f3a61a6N.exe	89

C:\Users\Admin\AppData\Local\Temp\507f1cf490012b139c9b33e5ef980e7375535379ae2a3854ce0204289f3a61a6N.exe
"C:\Users\Admin\AppData\Local\Temp\507f1cf490012b139c9b33e5ef980e7375535379ae2a3854ce0204289f3a61a6N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 344
  2⤵
  - Program crash
  PID:3192
- C:\Users\Admin\AppData\Local\Temp\507f1cf490012b139c9b33e5ef980e7375535379ae2a3854ce0204289f3a61a6N.exe
  C:\Users\Admin\AppData\Local\Temp\507f1cf490012b139c9b33e5ef980e7375535379ae2a3854ce0204289f3a61a6N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 344
    3⤵
    - Program crash
    PID:3064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 636
    3⤵
    - Program crash
    PID:4688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 644
    3⤵
    - Program crash
    PID:3916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 688
    3⤵
    - Program crash
    PID:3584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 736
    3⤵
    - Program crash
    PID:4120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 920
    3⤵
    - Program crash
    PID:4004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1408
    3⤵
    - Program crash
    PID:4892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1496
    3⤵
    - Program crash
    PID:2892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1684
    3⤵
    - Program crash
    PID:4904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1448
    3⤵
    - Program crash
    PID:4732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1440
    3⤵
    - Program crash
    PID:4884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1500
    3⤵
    - Program crash
    PID:4428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1464
    3⤵
    - Program crash
    PID:368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1648
    3⤵
    - Program crash
    PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2000 -ip 2000
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2904 -ip 2904
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2904 -ip 2904
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2904 -ip 2904
1⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2904 -ip 2904
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2904 -ip 2904
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2904 -ip 2904
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2904 -ip 2904
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2904 -ip 2904
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2904 -ip 2904
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2904 -ip 2904
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2904 -ip 2904
1⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2904 -ip 2904
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2904 -ip 2904
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2904 -ip 2904
1⤵
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\507f1cf490012b139c9b33e5ef980e7375535379ae2a3854ce0204289f3a61a6N.exe

Filesize
1.0MB

MD5
1d7ae4a87f454b434738ee684fe774ab

SHA1
ca4b80ea1c96c6ddd28a73219114329e8f90a56c

SHA256
c628aaac2a90c1ae1f648636eef515dd97e37ce0edc7d3af5cb488b18ad4d6d6

SHA512
0f817ace12148254b4299b32a681d0413b16e04701f18bc4941cec7e8bd48d87934f1d93f7f871b930aa075d984f46bcaba4a80a5748efab90759c4d1c74b60d

Download Submit
memory/2000-0-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2000-7-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2904-6-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2904-8-0x0000000005140000-0x000000000522D000-memory.dmp

Filesize
948KB

Download
memory/2904-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2904-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2904-27-0x000000000B9C0000-0x000000000BA63000-memory.dmp

Filesize
652KB

Download
memory/2904-28-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download

Analysis

Sharing