a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f

General

Target

a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f.exe
Size

31KB
MD5

103989a9e3cffb6be6670bb51140c560
SHA1

470fa8bcd1bd275ac765dd602b4b500a1caacbbf
SHA256

a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f
SHA512

9baa7e02c7a9dbc6c7155c03ed626122335018d559d75b436e9d54f8dff88442ad60be95de70553a44c3ed308aae1d9541ceeee703da54e8bd1d5720a36327fb
SSDEEP

384:DgtCIKJbqX10XDrjbxq2hxs4M9gym5bfaAD3H0zYiwHCFn1el9TSs3G8UyW:DgL1wX+h9ipfaADEzxQSs3E

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
816	NÒldr.exe
320	NÒldr.exe

Loads dropped DLL 2 IoCs

pid	Process
1340	a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f.exe
1340	a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NT4 hosting service = "C:\\Windows\\system32\\NÒldr.exe"	a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	NÒldr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NT4 hosting service = "C:\\Windows\\system32\\NÒldr.exe"	NÒldr.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\NÒldr.exe	a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f.exe
File created	C:\Windows\SysWOW64\NÒldr.exe	a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f.exe
File opened for modification	C:\Windows\SysWOW64\RCX1FD1.tmp	a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f.exe
File opened for modification	C:\Windows\SysWOW64\NÒldr.exe	NÒldr.exe
File created	C:\Windows\SysWOW64\NÒldr.exe	NÒldr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 816	1340	a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f.exe	27
PID 1340 wrote to memory of 816	1340	a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f.exe	27
PID 1340 wrote to memory of 816	1340	a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f.exe	27
PID 1340 wrote to memory of 816	1340	a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f.exe	27
PID 1340 wrote to memory of 1212	1340	a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f.exe	28
PID 1340 wrote to memory of 1212	1340	a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f.exe	28
PID 1340 wrote to memory of 1212	1340	a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f.exe	28
PID 1340 wrote to memory of 1212	1340	a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f.exe	28
PID 816 wrote to memory of 320	816	NÒldr.exe	29
PID 816 wrote to memory of 320	816	NÒldr.exe	29
PID 816 wrote to memory of 320	816	NÒldr.exe	29
PID 816 wrote to memory of 320	816	NÒldr.exe	29

C:\Users\Admin\AppData\Local\Temp\a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f.exe
"C:\Users\Admin\AppData\Local\Temp\a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\SysWOW64\NÒldr.exe
  "C:\Windows\system32\NÒldr.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\NÒldr.exe
    C:\Windows\SysWOW64\NÒldr.exe
    3⤵
    - Executes dropped EXE
    PID:320
- C:\Users\Admin\AppData\Local\Temp\a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f.exe
  C:\Users\Admin\AppData\Local\Temp\a94d0373e22e66104b2005dce6710f89d3eddc0a02a40d8c049178fa4842b20f.exe
  2⤵
  PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\NÒldr.exe

Filesize
21KB

MD5
9e925ed0f4491d242f4cf4d0e2387390

SHA1
398a58119f3ae6b20b8fbf7064f0eb79e217509b

SHA256
7390e0d0482616d4a34a1d02716597170e15b5902b1b147f91d29044fbfbd727

SHA512
8b6237e1b6ba1982023e02c4dcf3ba06ad29d73bdcdd12ca31d708aadb35067358b35c6ecbdf0a61328f12a78baa4eb10805da9b24b706845a669a67857aaa27

Download Submit
C:\Windows\SysWOW64\NÒldr.exe

Filesize
21KB

MD5
9e925ed0f4491d242f4cf4d0e2387390

SHA1
398a58119f3ae6b20b8fbf7064f0eb79e217509b

SHA256
7390e0d0482616d4a34a1d02716597170e15b5902b1b147f91d29044fbfbd727

SHA512
8b6237e1b6ba1982023e02c4dcf3ba06ad29d73bdcdd12ca31d708aadb35067358b35c6ecbdf0a61328f12a78baa4eb10805da9b24b706845a669a67857aaa27

Download Submit
C:\Windows\SysWOW64\NÒldr.exe

Filesize
21KB

MD5
9e925ed0f4491d242f4cf4d0e2387390

SHA1
398a58119f3ae6b20b8fbf7064f0eb79e217509b

SHA256
7390e0d0482616d4a34a1d02716597170e15b5902b1b147f91d29044fbfbd727

SHA512
8b6237e1b6ba1982023e02c4dcf3ba06ad29d73bdcdd12ca31d708aadb35067358b35c6ecbdf0a61328f12a78baa4eb10805da9b24b706845a669a67857aaa27

Download Submit
\Windows\SysWOW64\NÒldr.exe

Filesize
21KB

MD5
9e925ed0f4491d242f4cf4d0e2387390

SHA1
398a58119f3ae6b20b8fbf7064f0eb79e217509b

SHA256
7390e0d0482616d4a34a1d02716597170e15b5902b1b147f91d29044fbfbd727

SHA512
8b6237e1b6ba1982023e02c4dcf3ba06ad29d73bdcdd12ca31d708aadb35067358b35c6ecbdf0a61328f12a78baa4eb10805da9b24b706845a669a67857aaa27

Download Submit
\Windows\SysWOW64\NÒldr.exe

Filesize
21KB

MD5
9e925ed0f4491d242f4cf4d0e2387390

SHA1
398a58119f3ae6b20b8fbf7064f0eb79e217509b

SHA256
7390e0d0482616d4a34a1d02716597170e15b5902b1b147f91d29044fbfbd727

SHA512
8b6237e1b6ba1982023e02c4dcf3ba06ad29d73bdcdd12ca31d708aadb35067358b35c6ecbdf0a61328f12a78baa4eb10805da9b24b706845a669a67857aaa27

Download Submit
memory/1340-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing