Analysis
max time kernel: 94s
max time network: 114s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 11:05
Static task: static1
Behavioral task: behavioral1
  Sample: 4782d811b18957a8e641a22b19f3c02df9ae656524749d52f2d23fc430c8eba7N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4782d811b18957a8e641a22b19f3c02df9ae656524749d52f2d23fc430c8eba7N.exe
  Resource: win10v2004-20241007-en
General
Target: 4782d811b18957a8e641a22b19f3c02df9ae656524749d52f2d23fc430c8eba7N.exe
Size: 1.8MB
MD5: aaa1151dafc7b710bae2335e9e5f8e40
SHA1: d44745213115d76814745c1f9c7394377493d507
SHA256: 4782d811b18957a8e641a22b19f3c02df9ae656524749d52f2d23fc430c8eba7
SHA512: cdcaa115a22996ccd196af210d3f5a4fec9dd06c9215c4bc2e0cb36d8f505ba321cf6e44b49760760aa2390e10ca58ecd5299c7a67da0682904a615298a3addf
SSDEEP: 49152:YSGwG9ejgfVL4xl2zWgPyeBhbq4TTow+lsg:YKAL472hyeBhhTW
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid   Process
  2260  4782d811b18957a8e641a22b19f3c02df9ae656524749d52f2d23fc430c8eba7N.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  2260  4782d811b18957a8e641a22b19f3c02df9ae656524749d52f2d23fc430c8eba7N.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  13    pastebin.com
  12    pastebin.com

Program crash (15 IoCs)
  pid   pid_target  Process       procid_target
  4864  2016        WerFault.exe  82
  1656  2260        WerFault.exe  90
  4112  2260        WerFault.exe  90
  4892  2260        WerFault.exe  90
  1816  2260        WerFault.exe  90
  1128  2260        WerFault.exe  90
  4700  2260        WerFault.exe  90
  1360  2260        WerFault.exe  90
  3180  2260        WerFault.exe  90
  4116  2260        WerFault.exe  90
  60    2260        WerFault.exe  90
  1688  2260        WerFault.exe  90
  2448  2260        WerFault.exe  90
  1612  2260        WerFault.exe  90
  4316  2260        WerFault.exe  90
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4782d811b18957a8e641a22b19f3c02df9ae656524749d52f2d23fc430c8eba7N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4782d811b18957a8e641a22b19f3c02df9ae656524749d52f2d23fc430c8eba7N.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2260  4782d811b18957a8e641a22b19f3c02df9ae656524749d52f2d23fc430c8eba7N.exe
  2260  4782d811b18957a8e641a22b19f3c02df9ae656524749d52f2d23fc430c8eba7N.exe

Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  2016  4782d811b18957a8e641a22b19f3c02df9ae656524749d52f2d23fc430c8eba7N.exe

Suspicious use of UnmapMainImage (1 IoCs)
  pid   Process
  2260  4782d811b18957a8e641a22b19f3c02df9ae656524749d52f2d23fc430c8eba7N.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 2016 wrote to memory of 2260   2016  4782d811b18957a8e641a22b19f3c02df9ae656524749d52f2d23fc430c8eba7N.exe  90
  PID 2016 wrote to memory of 2260   2016  4782d811b18957a8e641a22b19f3c02df9ae656524749d52f2d23fc430c8eba7N.exe  90
  PID 2016 wrote to memory of 2260   2016  4782d811b18957a8e641a22b19f3c02df9ae656524749d52f2d23fc430c8eba7N.exe  90
Processes
"C:\Users\Admin\AppData\Local\Temp\4782d811b18957a8e641a22b19f3c02df9ae656524749d52f2d23fc430c8eba7N.exe"  PID:2016
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 344  PID:4864
    - Program crash
  C:\Users\Admin\AppData\Local\Temp\4782d811b18957a8e641a22b19f3c02df9ae656524749d52f2d23fc430c8eba7N.exe  PID:2260
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 344  PID:1656
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 620  PID:4112
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 664  PID:4892
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 664  PID:1816
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 656  PID:1128
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 920  PID:4700
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1420  PID:1360
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1508  PID:3180
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1524  PID:4116
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1660  PID:60
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1508  PID:1688
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1652  PID:2448
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1584  PID:1612
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1680  PID:4316
      - Program crash
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2016 -ip 2016  PID:3504
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2260 -ip 2260  PID:3924
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2260 -ip 2260  PID:800
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2260 -ip 2260  PID:3836
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2260 -ip 2260  PID:3688
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2260 -ip 2260  PID:3416
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2260 -ip 2260  PID:2196
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2260 -ip 2260  PID:4468
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2260 -ip 2260  PID:2500
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2260 -ip 2260  PID:4068
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2260 -ip 2260  PID:760
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2260 -ip 2260  PID:3184
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2260 -ip 2260  PID:3892
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2260 -ip 2260  PID:4504
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2260 -ip 2260  PID:2080
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\4782d811b18957a8e641a22b19f3c02df9ae656524749d52f2d23fc430c8eba7N.exe
  Filesize: 1.8MB
  MD5: d0f8a1f47c5f30ecb21944b3ca83922f
  SHA1: 753401d333cabd5d511effa2f0666792263ffc69
  SHA256: bfa57e0e398102de23afcfd38f8954ff331c51d4095bf6610103c310cc9949a7
  SHA512: da3e470647852236293c7742fb55e8e205da3dfcf9406f9d143802eae212abff302a4c6ed8682636f491ef3371e9d970870368d58da3e7b8b449dadd38d5417c