d823d3c8c26635339f3de0090fb21441f5d2f4db1a0567b2028ca8e3e7f5670e

General

Target

Bidding of 38D OBA project.exe
Size

786KB
MD5

13d24f937b11359da9f65cc862f9edbd
SHA1

0cf3e49eca8c60e6b7eb19efc2d85d0f953ee3aa
SHA256

d823d3c8c26635339f3de0090fb21441f5d2f4db1a0567b2028ca8e3e7f5670e
SHA512

1c8a2fa79e8189914ae6ed8aaf13182d99f885ac4c8b03faad2ce5f5684fb5054e24e5c04209565c63c586913bfc667e08ac816ba005f21eb8907e9861e0adc8

Score

7^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1288	Bidding of 38D OBA project.exe
Token: SeDebugPrivilege	1496	NETSTAT.EXE
Token: SeShutdownPrivilege	1324	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1288	Bidding of 38D OBA project.exe
1288	Bidding of 38D OBA project.exe
1288	Bidding of 38D OBA project.exe
1496	NETSTAT.EXE
1496	NETSTAT.EXE

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1324	Explorer.EXE
1324	Explorer.EXE
1324	Explorer.EXE
1324	Explorer.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1324	Explorer.EXE
1324	Explorer.EXE
1324	Explorer.EXE
1324	Explorer.EXE
1324	Explorer.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 1288	1072	Bidding of 38D OBA project.exe	24
PID 1072 wrote to memory of 1288	1072	Bidding of 38D OBA project.exe	24
PID 1072 wrote to memory of 1288	1072	Bidding of 38D OBA project.exe	24
PID 1072 wrote to memory of 1288	1072	Bidding of 38D OBA project.exe	24
PID 1072 wrote to memory of 1288	1072	Bidding of 38D OBA project.exe	24
PID 1072 wrote to memory of 1288	1072	Bidding of 38D OBA project.exe	24
PID 1072 wrote to memory of 1288	1072	Bidding of 38D OBA project.exe	24
PID 1324 wrote to memory of 1496	1324	Explorer.EXE	25
PID 1324 wrote to memory of 1496	1324	Explorer.EXE	25
PID 1324 wrote to memory of 1496	1324	Explorer.EXE	25
PID 1324 wrote to memory of 1496	1324	Explorer.EXE	25
PID 1496 wrote to memory of 292	1496	NETSTAT.EXE	26
PID 1496 wrote to memory of 292	1496	NETSTAT.EXE	26
PID 1496 wrote to memory of 292	1496	NETSTAT.EXE	26
PID 1496 wrote to memory of 292	1496	NETSTAT.EXE	26

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1072 set thread context of 1288	1072	Bidding of 38D OBA project.exe	24
PID 1288 set thread context of 1324	1288	Bidding of 38D OBA project.exe	20
PID 1496 set thread context of 1324	1496	NETSTAT.EXE	20

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1288	Bidding of 38D OBA project.exe
1288	Bidding of 38D OBA project.exe
1496	NETSTAT.EXE
1496	NETSTAT.EXE
1496	NETSTAT.EXE
1496	NETSTAT.EXE
1496	NETSTAT.EXE
1496	NETSTAT.EXE
1496	NETSTAT.EXE
1496	NETSTAT.EXE
1496	NETSTAT.EXE
1496	NETSTAT.EXE
1496	NETSTAT.EXE
1496	NETSTAT.EXE
1496	NETSTAT.EXE
1496	NETSTAT.EXE
1496	NETSTAT.EXE
1496	NETSTAT.EXE
1496	NETSTAT.EXE
1496	NETSTAT.EXE
1496	NETSTAT.EXE
1496	NETSTAT.EXE
1496	NETSTAT.EXE
1496	NETSTAT.EXE

Deletes itself 1 IoCs

pid	Process
292	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Admin\AppData\Local\Temp\Bidding of 38D OBA project.exe
  "C:\Users\Admin\AppData\Local\Temp\Bidding of 38D OBA project.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  PID:1072
- - C:\Users\Admin\AppData\Local\Temp\Bidding of 38D OBA project.exe
    "{path}"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:1288
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Bidding of 38D OBA project.exe"
    3⤵
    - Deletes itself
    PID:292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1288-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1496-3-0x0000000000AA0000-0x0000000000AA9000-memory.dmp

Filesize
36KB

Download
memory/1496-5-0x00000000020F0000-0x0000000002199000-memory.dmp

Filesize
676KB

Download

Analysis

Sharing