f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9

General

Target

f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9.exe
Size

60KB
MD5

10479d68ffecf5772b8b6c73d1f2d771
SHA1

be102391884d02bc942eb61f4ae9c7a9c32d7d2d
SHA256

f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9
SHA512

f41e0a2b91a77763863acfab0841828443c6d782a414bf110248e37793ea2022ea7e2f49bf270f1afe52864b2b71d4a304897a9910dd5d8cf8dfd3be1cce5435
SSDEEP

768:9gL1wX+h9ipfaADEzxQSs3l/b5ZQEu15C04BkPCJao1asB3Z:9gu+h9i5aADWWljQEu1YJBkP5o1LB3Z

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1700	NÒldr.exe
964	NÒldr.exe

Loads dropped DLL 2 IoCs

pid	Process
1380	f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9.exe
1380	f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NT4 hosting service = "C:\\Windows\\system32\\NÒldr.exe"	f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	NÒldr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NT4 hosting service = "C:\\Windows\\system32\\NÒldr.exe"	NÒldr.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\NÒldr.exe	f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9.exe
File created	C:\Windows\SysWOW64\NÒldr.exe	f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9.exe
File opened for modification	C:\Windows\SysWOW64\RCX8650.tmp	f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9.exe
File opened for modification	C:\Windows\SysWOW64\NÒldr.exe	NÒldr.exe
File created	C:\Windows\SysWOW64\NÒldr.exe	NÒldr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 1700	1380	f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9.exe	28
PID 1380 wrote to memory of 1700	1380	f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9.exe	28
PID 1380 wrote to memory of 1700	1380	f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9.exe	28
PID 1380 wrote to memory of 1700	1380	f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9.exe	28
PID 1380 wrote to memory of 560	1380	f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9.exe	29
PID 1380 wrote to memory of 560	1380	f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9.exe	29
PID 1380 wrote to memory of 560	1380	f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9.exe	29
PID 1380 wrote to memory of 560	1380	f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9.exe	29
PID 1700 wrote to memory of 964	1700	NÒldr.exe	30
PID 1700 wrote to memory of 964	1700	NÒldr.exe	30
PID 1700 wrote to memory of 964	1700	NÒldr.exe	30
PID 1700 wrote to memory of 964	1700	NÒldr.exe	30

C:\Users\Admin\AppData\Local\Temp\f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9.exe
"C:\Users\Admin\AppData\Local\Temp\f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\SysWOW64\NÒldr.exe
  "C:\Windows\system32\NÒldr.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\NÒldr.exe
    C:\Windows\SysWOW64\NÒldr.exe
    3⤵
    - Executes dropped EXE
    PID:964
- C:\Users\Admin\AppData\Local\Temp\f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9.exe
  C:\Users\Admin\AppData\Local\Temp\f96f783f85a4df479ad7b43f5b1daf11485284bd27cd5c19802bf66d899e2ce9.exe
  2⤵
  PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\NÒldr.exe

Filesize
21KB

MD5
9e925ed0f4491d242f4cf4d0e2387390

SHA1
398a58119f3ae6b20b8fbf7064f0eb79e217509b

SHA256
7390e0d0482616d4a34a1d02716597170e15b5902b1b147f91d29044fbfbd727

SHA512
8b6237e1b6ba1982023e02c4dcf3ba06ad29d73bdcdd12ca31d708aadb35067358b35c6ecbdf0a61328f12a78baa4eb10805da9b24b706845a669a67857aaa27

Download Submit
C:\Windows\SysWOW64\NÒldr.exe

Filesize
21KB

MD5
9e925ed0f4491d242f4cf4d0e2387390

SHA1
398a58119f3ae6b20b8fbf7064f0eb79e217509b

SHA256
7390e0d0482616d4a34a1d02716597170e15b5902b1b147f91d29044fbfbd727

SHA512
8b6237e1b6ba1982023e02c4dcf3ba06ad29d73bdcdd12ca31d708aadb35067358b35c6ecbdf0a61328f12a78baa4eb10805da9b24b706845a669a67857aaa27

Download Submit
C:\Windows\SysWOW64\NÒldr.exe

Filesize
21KB

MD5
9e925ed0f4491d242f4cf4d0e2387390

SHA1
398a58119f3ae6b20b8fbf7064f0eb79e217509b

SHA256
7390e0d0482616d4a34a1d02716597170e15b5902b1b147f91d29044fbfbd727

SHA512
8b6237e1b6ba1982023e02c4dcf3ba06ad29d73bdcdd12ca31d708aadb35067358b35c6ecbdf0a61328f12a78baa4eb10805da9b24b706845a669a67857aaa27

Download Submit
\Windows\SysWOW64\NÒldr.exe

Filesize
21KB

MD5
9e925ed0f4491d242f4cf4d0e2387390

SHA1
398a58119f3ae6b20b8fbf7064f0eb79e217509b

SHA256
7390e0d0482616d4a34a1d02716597170e15b5902b1b147f91d29044fbfbd727

SHA512
8b6237e1b6ba1982023e02c4dcf3ba06ad29d73bdcdd12ca31d708aadb35067358b35c6ecbdf0a61328f12a78baa4eb10805da9b24b706845a669a67857aaa27

Download Submit
\Windows\SysWOW64\NÒldr.exe

Filesize
21KB

MD5
9e925ed0f4491d242f4cf4d0e2387390

SHA1
398a58119f3ae6b20b8fbf7064f0eb79e217509b

SHA256
7390e0d0482616d4a34a1d02716597170e15b5902b1b147f91d29044fbfbd727

SHA512
8b6237e1b6ba1982023e02c4dcf3ba06ad29d73bdcdd12ca31d708aadb35067358b35c6ecbdf0a61328f12a78baa4eb10805da9b24b706845a669a67857aaa27

Download Submit
memory/1380-54-0x0000000076771000-0x0000000076773000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing