98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb

General

Target

98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe
Size

193KB
MD5

ba3021001d74f430dc9d2156ad62d71a
SHA1

38fa96a4ea0920146ee5d02735c3f9251bb9adcb
SHA256

98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb
SHA512

803b3060ca03a867f3db06a1c0160dd708019adb657e799e03e4119b059c16a3c5e9679b1a94bd2f9cd09c75ef80932758d52c3086b79eab5c70296d7d6fad6a
SSDEEP

6144:FeYl211ReYl211IdwaWB28edeP/deUv80P80Ap8jh:FeYlk3eYlkvpnedeP/deUe1pw

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1976	ntldr.exe

Loads dropped DLL 6 IoCs

pid	Process
1788	98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe
1788	98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe
1244	WerFault.exe
1244	WerFault.exe
1244	WerFault.exe
1244	WerFault.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ntldr.exe	98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe
File created	C:\Windows\SysWOW64\ntldr.exe	98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe
File opened for modification	C:\Windows\SysWOW64\RCXEB88.tmp	98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe
File opened for modification	C:\Windows\SysWOW64\ntldr.exe	ntldr.exe
File created	C:\Windows\SysWOW64\ntldr.exe	ntldr.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1784	1788	WerFault.exe	27
1244	1976	WerFault.exe	28

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1976	1788	98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe	28
PID 1788 wrote to memory of 1976	1788	98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe	28
PID 1788 wrote to memory of 1976	1788	98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe	28
PID 1788 wrote to memory of 1976	1788	98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe	28
PID 1788 wrote to memory of 1784	1788	98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe	29
PID 1788 wrote to memory of 1784	1788	98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe	29
PID 1788 wrote to memory of 1784	1788	98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe	29
PID 1788 wrote to memory of 1784	1788	98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe	29
PID 1976 wrote to memory of 1244	1976	ntldr.exe	30
PID 1976 wrote to memory of 1244	1976	ntldr.exe	30
PID 1976 wrote to memory of 1244	1976	ntldr.exe	30
PID 1976 wrote to memory of 1244	1976	ntldr.exe	30

C:\Users\Admin\AppData\Local\Temp\98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe
"C:\Users\Admin\AppData\Local\Temp\98269dd2176869c275079c1ee3965ffda6b425084fb4051b51ef4c560239d7fb.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\SysWOW64\ntldr.exe
  "C:\Windows\system32\ntldr.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 116
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 116
  2⤵
  - Program crash
  PID:1784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ntldr.exe

Filesize
25KB

MD5
3cae6f8e19e6fc4a9b5e63d363a7793b

SHA1
3828846ba48e61cd35c705636c03850d27cc0f5b

SHA256
f9afcd4da591149653a1788b6cf46e31db4e6e8a3f7c165f6fb5735b84c6309b

SHA512
733649648f5b2741c5eac40b05839f794b0fdcf2e6c910ba5f3e1ebb502618885bb7ec2df0393f80e748a4faace3961fb71bc0f819ed446d534202c6b9cfc9b8

Download Submit
C:\Windows\SysWOW64\ntldr.exe

Filesize
25KB

MD5
3cae6f8e19e6fc4a9b5e63d363a7793b

SHA1
3828846ba48e61cd35c705636c03850d27cc0f5b

SHA256
f9afcd4da591149653a1788b6cf46e31db4e6e8a3f7c165f6fb5735b84c6309b

SHA512
733649648f5b2741c5eac40b05839f794b0fdcf2e6c910ba5f3e1ebb502618885bb7ec2df0393f80e748a4faace3961fb71bc0f819ed446d534202c6b9cfc9b8

Download Submit
\Windows\SysWOW64\ntldr.exe

Filesize
25KB

MD5
3cae6f8e19e6fc4a9b5e63d363a7793b

SHA1
3828846ba48e61cd35c705636c03850d27cc0f5b

SHA256
f9afcd4da591149653a1788b6cf46e31db4e6e8a3f7c165f6fb5735b84c6309b

SHA512
733649648f5b2741c5eac40b05839f794b0fdcf2e6c910ba5f3e1ebb502618885bb7ec2df0393f80e748a4faace3961fb71bc0f819ed446d534202c6b9cfc9b8

Download Submit
\Windows\SysWOW64\ntldr.exe

Filesize
25KB

MD5
3cae6f8e19e6fc4a9b5e63d363a7793b

SHA1
3828846ba48e61cd35c705636c03850d27cc0f5b

SHA256
f9afcd4da591149653a1788b6cf46e31db4e6e8a3f7c165f6fb5735b84c6309b

SHA512
733649648f5b2741c5eac40b05839f794b0fdcf2e6c910ba5f3e1ebb502618885bb7ec2df0393f80e748a4faace3961fb71bc0f819ed446d534202c6b9cfc9b8

Download Submit
\Windows\SysWOW64\ntldr.exe

Filesize
25KB

MD5
3cae6f8e19e6fc4a9b5e63d363a7793b

SHA1
3828846ba48e61cd35c705636c03850d27cc0f5b

SHA256
f9afcd4da591149653a1788b6cf46e31db4e6e8a3f7c165f6fb5735b84c6309b

SHA512
733649648f5b2741c5eac40b05839f794b0fdcf2e6c910ba5f3e1ebb502618885bb7ec2df0393f80e748a4faace3961fb71bc0f819ed446d534202c6b9cfc9b8

Download Submit
\Windows\SysWOW64\ntldr.exe

Filesize
25KB

MD5
3cae6f8e19e6fc4a9b5e63d363a7793b

SHA1
3828846ba48e61cd35c705636c03850d27cc0f5b

SHA256
f9afcd4da591149653a1788b6cf46e31db4e6e8a3f7c165f6fb5735b84c6309b

SHA512
733649648f5b2741c5eac40b05839f794b0fdcf2e6c910ba5f3e1ebb502618885bb7ec2df0393f80e748a4faace3961fb71bc0f819ed446d534202c6b9cfc9b8

Download Submit
\Windows\SysWOW64\ntldr.exe

Filesize
25KB

MD5
3cae6f8e19e6fc4a9b5e63d363a7793b

SHA1
3828846ba48e61cd35c705636c03850d27cc0f5b

SHA256
f9afcd4da591149653a1788b6cf46e31db4e6e8a3f7c165f6fb5735b84c6309b

SHA512
733649648f5b2741c5eac40b05839f794b0fdcf2e6c910ba5f3e1ebb502618885bb7ec2df0393f80e748a4faace3961fb71bc0f819ed446d534202c6b9cfc9b8

Download Submit
\Windows\SysWOW64\ntldr.exe

Filesize
25KB

MD5
3cae6f8e19e6fc4a9b5e63d363a7793b

SHA1
3828846ba48e61cd35c705636c03850d27cc0f5b

SHA256
f9afcd4da591149653a1788b6cf46e31db4e6e8a3f7c165f6fb5735b84c6309b

SHA512
733649648f5b2741c5eac40b05839f794b0fdcf2e6c910ba5f3e1ebb502618885bb7ec2df0393f80e748a4faace3961fb71bc0f819ed446d534202c6b9cfc9b8

Download Submit
memory/1788-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads