Analysis

  • max time kernel
    184s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2022, 13:08

General

  • Target

    a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe

  • Size

    113KB

  • MD5

    e312c72a6551232a8f8e966b4dc1467f

  • SHA1

    706cd171261480c44a53dca21f1fd22e4a9345e1

  • SHA256

    a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259

  • SHA512

    7f17bc8910675c74d1bff2dc1d647adf5bfcb83d5016ba5bda06f6ceb1f9f24df8ecd843aff948b7fb3db77caf7c3909ba340db30df0a0aee67150b8e594b066

  • SSDEEP

    1536:iUrlwr0WQ7sk/Urlwr0WQ7skR2s82qjUbb5d6ojOepel5:iSlwr01V/Slwr01VULjUbb5d6u6

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe
    "C:\Users\Admin\AppData\Local\Temp\a2119d1ce6787e6b5ecb633312d9b61fbb8e5d2f2e80038623b6d6f9fd34e259.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4900
    • C:\Windows\SysWOW64\ntldr.exe
      "C:\Windows\system32\ntldr.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:1940
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 364
        3⤵
        • Program crash
        PID:4780
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 368
      2⤵
      • Program crash
      PID:4788
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4900 -ip 4900
    1⤵
    PID:3424
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1940 -ip 1940
    1⤵
    PID:928

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\SysWOW64\ntldr.exe

    Filesize

    25KB

    MD5

    8a76b057620f7929e687ec6b403c0364

    SHA1

    6479733cc708a41e391d9c73a069b6462e6370e7

    SHA256

    a4b21daf643957bb02842d651a81ae47f4f347db842f05b09eb5e4e5af9509a6

    SHA512

    bb1a689324b7076c7d599c7b89bde81ec7272004e5bba43cb12e5d3baafbb8e1fe8ecad43f84b419f97c17c6451fa433c4b0029843826ee013825bb5cca4361a