a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259

General

Target

a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe
Size

113KB
MD5

e312c72a6551232a8f8e966b4dc1467f
SHA1

706cd171261480c44a53dca21f1fd22e4a9345e1
SHA256

a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259
SHA512

7f17bc8910675c74d1bff2dc1d647adf5bfcb83d5016ba5bda06f6ceb1f9f24df8ecd843aff948b7fb3db77caf7c3909ba340db30df0a0aee67150b8e594b066
SSDEEP

1536:iUrlwr0WQ7sk/Urlwr0WQ7skR2s82qjUbb5d6ojOepel5:iSlwr01V/Slwr01VULjUbb5d6u6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1708	ntldr.exe

Loads dropped DLL 6 IoCs

pid	Process
1976	a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe
1976	a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ntldr.exe	a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe
File created	C:\Windows\SysWOW64\ntldr.exe	a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe
File opened for modification	C:\Windows\SysWOW64\RCX5E85.tmp	a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe
File opened for modification	C:\Windows\SysWOW64\ntldr.exe	ntldr.exe
File created	C:\Windows\SysWOW64\ntldr.exe	ntldr.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1200	1708	WerFault.exe	26
1856	1976	WerFault.exe	25

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1708	1976	a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe	26
PID 1976 wrote to memory of 1708	1976	a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe	26
PID 1976 wrote to memory of 1708	1976	a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe	26
PID 1976 wrote to memory of 1708	1976	a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe	26
PID 1976 wrote to memory of 1856	1976	a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe	28
PID 1976 wrote to memory of 1856	1976	a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe	28
PID 1976 wrote to memory of 1856	1976	a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe	28
PID 1976 wrote to memory of 1856	1976	a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe	28
PID 1708 wrote to memory of 1200	1708	ntldr.exe	27
PID 1708 wrote to memory of 1200	1708	ntldr.exe	27
PID 1708 wrote to memory of 1200	1708	ntldr.exe	27
PID 1708 wrote to memory of 1200	1708	ntldr.exe	27

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun = "0"	a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "0"	a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe

C:\Users\Admin\AppData\Local\Temp\a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe
"C:\Users\Admin\AppData\Local\Temp\a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1976
- C:\Windows\SysWOW64\ntldr.exe
  "C:\Windows\system32\ntldr.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 116
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1200
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 116
  2⤵
  - Program crash
  PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ntldr.exe

Filesize
25KB

MD5
8a76b057620f7929e687ec6b403c0364

SHA1
6479733cc708a41e391d9c73a069b6462e6370e7

SHA256
a4b21daf643957bb02842d651a81ae47f4f347db842f05b09eb5e4e5af9509a6

SHA512
bb1a689324b7076c7d599c7b89bde81ec7272004e5bba43cb12e5d3baafbb8e1fe8ecad43f84b419f97c17c6451fa433c4b0029843826ee013825bb5cca4361a

Download Submit
C:\Windows\SysWOW64\ntldr.exe

Filesize
25KB

MD5
8a76b057620f7929e687ec6b403c0364

SHA1
6479733cc708a41e391d9c73a069b6462e6370e7

SHA256
a4b21daf643957bb02842d651a81ae47f4f347db842f05b09eb5e4e5af9509a6

SHA512
bb1a689324b7076c7d599c7b89bde81ec7272004e5bba43cb12e5d3baafbb8e1fe8ecad43f84b419f97c17c6451fa433c4b0029843826ee013825bb5cca4361a

Download Submit
\Windows\SysWOW64\ntldr.exe

Filesize
25KB

MD5
8a76b057620f7929e687ec6b403c0364

SHA1
6479733cc708a41e391d9c73a069b6462e6370e7

SHA256
a4b21daf643957bb02842d651a81ae47f4f347db842f05b09eb5e4e5af9509a6

SHA512
bb1a689324b7076c7d599c7b89bde81ec7272004e5bba43cb12e5d3baafbb8e1fe8ecad43f84b419f97c17c6451fa433c4b0029843826ee013825bb5cca4361a

Download Submit
\Windows\SysWOW64\ntldr.exe

Filesize
25KB

MD5
8a76b057620f7929e687ec6b403c0364

SHA1
6479733cc708a41e391d9c73a069b6462e6370e7

SHA256
a4b21daf643957bb02842d651a81ae47f4f347db842f05b09eb5e4e5af9509a6

SHA512
bb1a689324b7076c7d599c7b89bde81ec7272004e5bba43cb12e5d3baafbb8e1fe8ecad43f84b419f97c17c6451fa433c4b0029843826ee013825bb5cca4361a

Download Submit
\Windows\SysWOW64\ntldr.exe

Filesize
25KB

MD5
8a76b057620f7929e687ec6b403c0364

SHA1
6479733cc708a41e391d9c73a069b6462e6370e7

SHA256
a4b21daf643957bb02842d651a81ae47f4f347db842f05b09eb5e4e5af9509a6

SHA512
bb1a689324b7076c7d599c7b89bde81ec7272004e5bba43cb12e5d3baafbb8e1fe8ecad43f84b419f97c17c6451fa433c4b0029843826ee013825bb5cca4361a

Download Submit
\Windows\SysWOW64\ntldr.exe

Filesize
25KB

MD5
8a76b057620f7929e687ec6b403c0364

SHA1
6479733cc708a41e391d9c73a069b6462e6370e7

SHA256
a4b21daf643957bb02842d651a81ae47f4f347db842f05b09eb5e4e5af9509a6

SHA512
bb1a689324b7076c7d599c7b89bde81ec7272004e5bba43cb12e5d3baafbb8e1fe8ecad43f84b419f97c17c6451fa433c4b0029843826ee013825bb5cca4361a

Download Submit
\Windows\SysWOW64\ntldr.exe

Filesize
25KB

MD5
8a76b057620f7929e687ec6b403c0364

SHA1
6479733cc708a41e391d9c73a069b6462e6370e7

SHA256
a4b21daf643957bb02842d651a81ae47f4f347db842f05b09eb5e4e5af9509a6

SHA512
bb1a689324b7076c7d599c7b89bde81ec7272004e5bba43cb12e5d3baafbb8e1fe8ecad43f84b419f97c17c6451fa433c4b0029843826ee013825bb5cca4361a

Download Submit
\Windows\SysWOW64\ntldr.exe

Filesize
25KB

MD5
8a76b057620f7929e687ec6b403c0364

SHA1
6479733cc708a41e391d9c73a069b6462e6370e7

SHA256
a4b21daf643957bb02842d651a81ae47f4f347db842f05b09eb5e4e5af9509a6

SHA512
bb1a689324b7076c7d599c7b89bde81ec7272004e5bba43cb12e5d3baafbb8e1fe8ecad43f84b419f97c17c6451fa433c4b0029843826ee013825bb5cca4361a

Download Submit
memory/1976-54-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing