Overview

overview

10

Static

static

a7ae8e4bc0...f3.dll

windows7_x64

8

a7ae8e4bc0...f3.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    17-04-2022 07:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a7ae8e4bc04a200c85ebd599977d5bace425481f69ed9e28983b7e4f5aa79bf3.dll

  • Size

    883KB

  • MD5

    2b1ed27affd5b2c6413780abe2f60a6b

  • SHA1

    b2cbcf2d41695c9a173a7feba16bb4166c0c560f

  • SHA256

    a7ae8e4bc04a200c85ebd599977d5bace425481f69ed9e28983b7e4f5aa79bf3

  • SHA512

    f80d7dbb53a307648ff95ff12bdaa06a37f7b1d5d472585768dee296129ffdd28a3da7ff2d747f4b7a9f5858f71a5c98f069de110ddbd1fc71a3ca9df1c7ff03

Score
8/10
evasionpersistencetrojan

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7ae8e4bc04a200c85ebd599977d5bace425481f69ed9e28983b7e4f5aa79bf3.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1824
  • C:\Windows\system32\EhStorAuthn.exe
    C:\Windows\system32\EhStorAuthn.exe
    1⤵
      PID:1928
    • C:\Users\Admin\AppData\Local\9JIjQEt\EhStorAuthn.exe
      C:\Users\Admin\AppData\Local\9JIjQEt\EhStorAuthn.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:1720
    • C:\Windows\system32\consent.exe
      C:\Windows\system32\consent.exe
      1⤵
        PID:1732
      • C:\Users\Admin\AppData\Local\G1hP\consent.exe
        C:\Users\Admin\AppData\Local\G1hP\consent.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1704
      • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
        C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
        1⤵
          PID:1684
        • C:\Users\Admin\AppData\Local\NkfCnQlK2\SystemPropertiesDataExecutionPrevention.exe
          C:\Users\Admin\AppData\Local\NkfCnQlK2\SystemPropertiesDataExecutionPrevention.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1708

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\9JIjQEt\EhStorAuthn.exe
          Filesize

          137KB

          MD5

          3abe95d92c80dc79707d8e168d79a994

          SHA1

          64b10c17f602d3f21c84954541e7092bc55bb5ab

          SHA256

          2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad

          SHA512

          70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

          Download Submit
        • C:\Users\Admin\AppData\Local\9JIjQEt\UxTheme.dll
          Filesize

          886KB

          MD5

          010d3a6e3e75bec52c40b10f0491223e

          SHA1

          07cfc9573ab8e740e26ce6fc4491efd2f7cd75e8

          SHA256

          052d58836dd7e7f510039bd213a5f2d3d536f85f198b64e3ac1cc4f8ba0f2539

          SHA512

          43a81b58df2365c0b41d2949756441c89b263d14a96b4dbcf5338e889fefe5e6a680cc497ebe6500ec614815a4c223311c518a98b2e779225d475f710f07b0d1

          Download Submit
        • C:\Users\Admin\AppData\Local\G1hP\WTSAPI32.dll
          Filesize

          885KB

          MD5

          370166c3ce94aec2172fd19753faabd0

          SHA1

          9cfa416406520a060204897972d2b2fc7b7fd049

          SHA256

          cb74c8214174b132e7ed828a4153295f17ec6b1357333a1e28c822afa9c640a9

          SHA512

          516556f0e157e83fbdb3211ebf7a2c7b22e896558fa5ac0176c7fe0404c9f48a9e184f7e08497b51e4a6ab9450d5c359880793b1474a9cee1ee0d2780c361313

          Download Submit
        • C:\Users\Admin\AppData\Local\G1hP\consent.exe
          Filesize

          109KB

          MD5

          0b5511674394666e9d221f8681b2c2e6

          SHA1

          6e4e720dfc424a12383f0b8194e4477e3bc346dc

          SHA256

          ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

          SHA512

          00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

          Download Submit
        • C:\Users\Admin\AppData\Local\NkfCnQlK2\SYSDM.CPL
          Filesize

          884KB

          MD5

          52466384e233ffecd7936d5a2b12907b

          SHA1

          231bfd9389ce261db45aba6e635b93578721c624

          SHA256

          46e80aa0d7161acf260d05034ce36e3f5e520036195e1f95b5d9bed5aea0ecd7

          SHA512

          dd9a10027bf4853ca9d81582545cfde621609e1cf70a62ae441a3c246d8bde8745769ebdcabe690ce8d6e6260aa8bd7b701e9c66612f5bea0e36530724d02709

          Download Submit
        • C:\Users\Admin\AppData\Local\NkfCnQlK2\SystemPropertiesDataExecutionPrevention.exe
          Filesize

          80KB

          MD5

          e43ff7785fac643093b3b16a9300e133

          SHA1

          a30688e84c0b0a22669148fe87680b34fcca2fba

          SHA256

          c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

          SHA512

          61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

          Download Submit
        • \Users\Admin\AppData\Local\9JIjQEt\EhStorAuthn.exe
          Filesize

          137KB

          MD5

          3abe95d92c80dc79707d8e168d79a994

          SHA1

          64b10c17f602d3f21c84954541e7092bc55bb5ab

          SHA256

          2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad

          SHA512

          70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

          Download Submit
        • \Users\Admin\AppData\Local\9JIjQEt\UxTheme.dll
          Filesize

          886KB

          MD5

          010d3a6e3e75bec52c40b10f0491223e

          SHA1

          07cfc9573ab8e740e26ce6fc4491efd2f7cd75e8

          SHA256

          052d58836dd7e7f510039bd213a5f2d3d536f85f198b64e3ac1cc4f8ba0f2539

          SHA512

          43a81b58df2365c0b41d2949756441c89b263d14a96b4dbcf5338e889fefe5e6a680cc497ebe6500ec614815a4c223311c518a98b2e779225d475f710f07b0d1

          Download Submit
        • \Users\Admin\AppData\Local\G1hP\WTSAPI32.dll
          Filesize

          885KB

          MD5

          370166c3ce94aec2172fd19753faabd0

          SHA1

          9cfa416406520a060204897972d2b2fc7b7fd049

          SHA256

          cb74c8214174b132e7ed828a4153295f17ec6b1357333a1e28c822afa9c640a9

          SHA512

          516556f0e157e83fbdb3211ebf7a2c7b22e896558fa5ac0176c7fe0404c9f48a9e184f7e08497b51e4a6ab9450d5c359880793b1474a9cee1ee0d2780c361313

          Download Submit
        • \Users\Admin\AppData\Local\G1hP\consent.exe
          Filesize

          109KB

          MD5

          0b5511674394666e9d221f8681b2c2e6

          SHA1

          6e4e720dfc424a12383f0b8194e4477e3bc346dc

          SHA256

          ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

          SHA512

          00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

          Download Submit
        • \Users\Admin\AppData\Local\NkfCnQlK2\SYSDM.CPL
          Filesize

          884KB

          MD5

          52466384e233ffecd7936d5a2b12907b

          SHA1

          231bfd9389ce261db45aba6e635b93578721c624

          SHA256

          46e80aa0d7161acf260d05034ce36e3f5e520036195e1f95b5d9bed5aea0ecd7

          SHA512

          dd9a10027bf4853ca9d81582545cfde621609e1cf70a62ae441a3c246d8bde8745769ebdcabe690ce8d6e6260aa8bd7b701e9c66612f5bea0e36530724d02709

          Download Submit
        • \Users\Admin\AppData\Local\NkfCnQlK2\SystemPropertiesDataExecutionPrevention.exe
          Filesize

          80KB

          MD5

          e43ff7785fac643093b3b16a9300e133

          SHA1

          a30688e84c0b0a22669148fe87680b34fcca2fba

          SHA256

          c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

          SHA512

          61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

          Download Submit
        • \Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\eCjk\SystemPropertiesDataExecutionPrevention.exe
          Filesize

          80KB

          MD5

          e43ff7785fac643093b3b16a9300e133

          SHA1

          a30688e84c0b0a22669148fe87680b34fcca2fba

          SHA256

          c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

          SHA512

          61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

          Download Submit
        • memory/1196-58-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1196-61-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1196-56-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1196-55-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1196-59-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1196-57-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1196-54-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1196-63-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1196-60-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1196-62-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1704-71-0x0000000000000000-mapping.dmp
          Download
        • memory/1708-77-0x0000000000000000-mapping.dmp
          Download
        • memory/1720-65-0x0000000000000000-mapping.dmp
          Download
        • memory/1720-69-0x000007FEFB851000-0x000007FEFB853000-memory.dmp
          Filesize

          8KB

          Download