3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c

General

Target

3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c.exe
Size

94KB
MD5

9119807fa5ec301e9983551dad4456ae
SHA1

b156fee7d048c6c78290cc202e6cb1fe37d3b730
SHA256

3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c
SHA512

3346533fbea9e0b047092fa036fd9abb8cb469346445ed1edcb45aad312aaa7254d2e0e84daad959c71ed4a9d1adc42da032a4fcdcc30a051908957312ad3d29
SSDEEP

1536:Sgu+h9i5aADWWXiNTPt3io1CdO6RR8cQOFvPSMs02ruFVCdiNTPF:5h9i5ampXiNTPtSBpR8clKm2ruFVCdiv

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
544	NÒldr.exe
1328	NÒldr.exe

Loads dropped DLL 2 IoCs

pid	Process
1424	3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c.exe
1424	3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NT4 hosting service = "C:\\Windows\\system32\\NÒldr.exe"	3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	NÒldr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NT4 hosting service = "C:\\Windows\\system32\\NÒldr.exe"	NÒldr.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\NÒldr.exe	NÒldr.exe
File created	C:\Windows\SysWOW64\NÒldr.exe	NÒldr.exe
File opened for modification	C:\Windows\SysWOW64\NÒldr.exe	3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c.exe
File created	C:\Windows\SysWOW64\NÒldr.exe	3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c.exe
File opened for modification	C:\Windows\SysWOW64\RCX5477.tmp	3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 544	1424	3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c.exe	26
PID 1424 wrote to memory of 544	1424	3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c.exe	26
PID 1424 wrote to memory of 544	1424	3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c.exe	26
PID 1424 wrote to memory of 544	1424	3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c.exe	26
PID 1424 wrote to memory of 1160	1424	3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c.exe	27
PID 1424 wrote to memory of 1160	1424	3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c.exe	27
PID 1424 wrote to memory of 1160	1424	3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c.exe	27
PID 1424 wrote to memory of 1160	1424	3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c.exe	27
PID 544 wrote to memory of 1328	544	NÒldr.exe	28
PID 544 wrote to memory of 1328	544	NÒldr.exe	28
PID 544 wrote to memory of 1328	544	NÒldr.exe	28
PID 544 wrote to memory of 1328	544	NÒldr.exe	28

C:\Users\Admin\AppData\Local\Temp\3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c.exe
"C:\Users\Admin\AppData\Local\Temp\3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SysWOW64\NÒldr.exe
  "C:\Windows\system32\NÒldr.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\SysWOW64\NÒldr.exe
    C:\Windows\SysWOW64\NÒldr.exe
    3⤵
    - Executes dropped EXE
    PID:1328
- C:\Users\Admin\AppData\Local\Temp\3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c.exe
  C:\Users\Admin\AppData\Local\Temp\3eab2d0e19118af04d52e6aa0af8e28cb5f9a11e5a6307ebcbb005a35e241b6c.exe
  2⤵
  PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\NÒldr.exe

Filesize
21KB

MD5
9e925ed0f4491d242f4cf4d0e2387390

SHA1
398a58119f3ae6b20b8fbf7064f0eb79e217509b

SHA256
7390e0d0482616d4a34a1d02716597170e15b5902b1b147f91d29044fbfbd727

SHA512
8b6237e1b6ba1982023e02c4dcf3ba06ad29d73bdcdd12ca31d708aadb35067358b35c6ecbdf0a61328f12a78baa4eb10805da9b24b706845a669a67857aaa27

Download Submit
C:\Windows\SysWOW64\NÒldr.exe

Filesize
21KB

MD5
9e925ed0f4491d242f4cf4d0e2387390

SHA1
398a58119f3ae6b20b8fbf7064f0eb79e217509b

SHA256
7390e0d0482616d4a34a1d02716597170e15b5902b1b147f91d29044fbfbd727

SHA512
8b6237e1b6ba1982023e02c4dcf3ba06ad29d73bdcdd12ca31d708aadb35067358b35c6ecbdf0a61328f12a78baa4eb10805da9b24b706845a669a67857aaa27

Download Submit
C:\Windows\SysWOW64\NÒldr.exe

Filesize
21KB

MD5
9e925ed0f4491d242f4cf4d0e2387390

SHA1
398a58119f3ae6b20b8fbf7064f0eb79e217509b

SHA256
7390e0d0482616d4a34a1d02716597170e15b5902b1b147f91d29044fbfbd727

SHA512
8b6237e1b6ba1982023e02c4dcf3ba06ad29d73bdcdd12ca31d708aadb35067358b35c6ecbdf0a61328f12a78baa4eb10805da9b24b706845a669a67857aaa27

Download Submit
\Windows\SysWOW64\NÒldr.exe

Filesize
21KB

MD5
9e925ed0f4491d242f4cf4d0e2387390

SHA1
398a58119f3ae6b20b8fbf7064f0eb79e217509b

SHA256
7390e0d0482616d4a34a1d02716597170e15b5902b1b147f91d29044fbfbd727

SHA512
8b6237e1b6ba1982023e02c4dcf3ba06ad29d73bdcdd12ca31d708aadb35067358b35c6ecbdf0a61328f12a78baa4eb10805da9b24b706845a669a67857aaa27

Download Submit
\Windows\SysWOW64\NÒldr.exe

Filesize
21KB

MD5
9e925ed0f4491d242f4cf4d0e2387390

SHA1
398a58119f3ae6b20b8fbf7064f0eb79e217509b

SHA256
7390e0d0482616d4a34a1d02716597170e15b5902b1b147f91d29044fbfbd727

SHA512
8b6237e1b6ba1982023e02c4dcf3ba06ad29d73bdcdd12ca31d708aadb35067358b35c6ecbdf0a61328f12a78baa4eb10805da9b24b706845a669a67857aaa27

Download Submit
memory/1424-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing