8aa74696ec333711aeac0f9177f7fd7e5d5877f72071596b81157bcab607329a

Analysis

max time kernel
150s
max time network
41s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8aa74696ec333711aeac0f9177f7fd7e5d5877f72071596b81157bcab607329a.dll
Size

878KB
MD5

9865db9e9f88fa6da0a98826e59591dc
SHA1

0af819b9bf7c60c53b5af71498dddaf27e0cd723
SHA256

8aa74696ec333711aeac0f9177f7fd7e5d5877f72071596b81157bcab607329a
SHA512

be508bf583f29db78aac7fd31a8b6345de02d03c27e4ff2cf3143ccdaa09a577ba594d6fa755ff3ca9d97fc218ed0d3194135a4513938110af2a399d1a9c4e43

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesAdvanced.exeVaultSysUi.exesethc.exe

pid process

1156 SystemPropertiesAdvanced.exe
1760 VaultSysUi.exe
1756 sethc.exe
Loads dropped DLL 8 IoCs

Processes:

SystemPropertiesAdvanced.exeVaultSysUi.exesethc.exe

pid process

1196
1156 SystemPropertiesAdvanced.exe
1196
1196
1760 VaultSysUi.exe
1196
1756 sethc.exe
1196

pid	process
1156	SystemPropertiesAdvanced.exe
1760	VaultSysUi.exe
1756	sethc.exe

pid	process
1196
1156	SystemPropertiesAdvanced.exe
1196
1196
1760	VaultSysUi.exe
1196
1756	sethc.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lwausnzctoco = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\JlrP\\VAULTS~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesAdvanced.exeVaultSysUi.exesethc.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VaultSysUi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sethc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeSystemPropertiesAdvanced.exeVaultSysUi.exe

pid	process
1860	rundll32.exe
1860	rundll32.exe
1860	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1156	SystemPropertiesAdvanced.exe
1156	SystemPropertiesAdvanced.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1760	VaultSysUi.exe
1760	VaultSysUi.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 1628	1196	SystemPropertiesAdvanced.exe
PID 1196 wrote to memory of 1628	1196	SystemPropertiesAdvanced.exe
PID 1196 wrote to memory of 1628	1196	SystemPropertiesAdvanced.exe
PID 1196 wrote to memory of 1156	1196	SystemPropertiesAdvanced.exe
PID 1196 wrote to memory of 1156	1196	SystemPropertiesAdvanced.exe
PID 1196 wrote to memory of 1156	1196	SystemPropertiesAdvanced.exe
PID 1196 wrote to memory of 900	1196	VaultSysUi.exe
PID 1196 wrote to memory of 900	1196	VaultSysUi.exe
PID 1196 wrote to memory of 900	1196	VaultSysUi.exe
PID 1196 wrote to memory of 1760	1196	VaultSysUi.exe
PID 1196 wrote to memory of 1760	1196	VaultSysUi.exe
PID 1196 wrote to memory of 1760	1196	VaultSysUi.exe
PID 1196 wrote to memory of 1696	1196	sethc.exe
PID 1196 wrote to memory of 1696	1196	sethc.exe
PID 1196 wrote to memory of 1696	1196	sethc.exe
PID 1196 wrote to memory of 1756	1196	sethc.exe
PID 1196 wrote to memory of 1756	1196	sethc.exe
PID 1196 wrote to memory of 1756	1196	sethc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8aa74696ec333711aeac0f9177f7fd7e5d5877f72071596b81157bcab607329a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1860

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:1628

C:\Users\Admin\AppData\Local\RTFPXmPFl\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\RTFPXmPFl\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1156

C:\Windows\system32\VaultSysUi.exe
C:\Windows\system32\VaultSysUi.exe
1⤵
PID:900

C:\Users\Admin\AppData\Local\YhZCtOkwC\VaultSysUi.exe
C:\Users\Admin\AppData\Local\YhZCtOkwC\VaultSysUi.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1760

C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
1⤵
PID:1696

C:\Users\Admin\AppData\Local\tvW\sethc.exe
C:\Users\Admin\AppData\Local\tvW\sethc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1756

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\RTFPXmPFl\SYSDM.CPL
Filesize
878KB

MD5
7ada9ad8ab34feefc5f7d6ffd70d4a96

SHA1
e38446d08f40d2cc587c79b43d80553dbc1dfb03

SHA256
dc40c9fe349b93c6d5caffeab47878ed67bf1942b1ea5b7b16a0112bb89a9952

SHA512
6ae5d5d1bd86e56b011d46140083f2cdc9fd3ba2a5aca7d5aa1051cbee7c1741a3950b37de67880f0986884fefa820a9b32f2b453cf92ca0a9bfaa75ce0c26fe

Download Submit
C:\Users\Admin\AppData\Local\RTFPXmPFl\SystemPropertiesAdvanced.exe
Filesize
80KB

MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
C:\Users\Admin\AppData\Local\YhZCtOkwC\VaultSysUi.exe
Filesize
39KB

MD5
f40ef105d94350d36c799ee23f7fec0f

SHA1
ee3a5cfe8b807e1c1718a27eb97fa134360816e3

SHA256
eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

SHA512
f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

Download Submit
C:\Users\Admin\AppData\Local\YhZCtOkwC\credui.dll
Filesize
879KB

MD5
7d7556407a56509c8240efd49156083c

SHA1
c857a7102bc3e94d3be86b4c662248dcb430df91

SHA256
617a45504d499bebe31b622c23009ad925492d6961ffd63b25375eca8a7962a3

SHA512
7f04000fb38388a4959ce1d8850ac673258c883acf2debd2387fdb2139dd0220e156e5b747d41cb627199b80077181f205aa9db80cc77fddac6d7f1db9e79cd3

Download Submit
C:\Users\Admin\AppData\Local\tvW\OLEACC.dll
Filesize
879KB

MD5
f109c05a42b3e06c81da1f69a6b2136f

SHA1
e0bb7a8276aaf26ccd187ae9d81ee3e045a8ba92

SHA256
a27d8f1b46005fd1e0d90a80c662cfeae4387b34a22944b400334131835a4f6b

SHA512
72a1ea9f03f230c56109897ee2c07f38352ec538e7dd40b65d4cdcd82c6c9c6c16cafdfdf5572e29ece93f1f925abffddf727ea162db7c4976b00597561b3820

Download Submit
C:\Users\Admin\AppData\Local\tvW\sethc.exe
Filesize
272KB

MD5
3bcb70da9b5a2011e01e35ed29a3f3f3

SHA1
9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

SHA256
dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

SHA512
69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

Download Submit
\Users\Admin\AppData\Local\RTFPXmPFl\SYSDM.CPL
Filesize
878KB

MD5
7ada9ad8ab34feefc5f7d6ffd70d4a96

SHA1
e38446d08f40d2cc587c79b43d80553dbc1dfb03

SHA256
dc40c9fe349b93c6d5caffeab47878ed67bf1942b1ea5b7b16a0112bb89a9952

SHA512
6ae5d5d1bd86e56b011d46140083f2cdc9fd3ba2a5aca7d5aa1051cbee7c1741a3950b37de67880f0986884fefa820a9b32f2b453cf92ca0a9bfaa75ce0c26fe

Download Submit
\Users\Admin\AppData\Local\RTFPXmPFl\SystemPropertiesAdvanced.exe
Filesize
80KB

MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
\Users\Admin\AppData\Local\YhZCtOkwC\VaultSysUi.exe
Filesize
39KB

MD5
f40ef105d94350d36c799ee23f7fec0f

SHA1
ee3a5cfe8b807e1c1718a27eb97fa134360816e3

SHA256
eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

SHA512
f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

Download Submit
\Users\Admin\AppData\Local\YhZCtOkwC\VaultSysUi.exe
Filesize
39KB

MD5
f40ef105d94350d36c799ee23f7fec0f

SHA1
ee3a5cfe8b807e1c1718a27eb97fa134360816e3

SHA256
eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

SHA512
f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

Download Submit
\Users\Admin\AppData\Local\YhZCtOkwC\credui.dll
Filesize
879KB

MD5
7d7556407a56509c8240efd49156083c

SHA1
c857a7102bc3e94d3be86b4c662248dcb430df91

SHA256
617a45504d499bebe31b622c23009ad925492d6961ffd63b25375eca8a7962a3

SHA512
7f04000fb38388a4959ce1d8850ac673258c883acf2debd2387fdb2139dd0220e156e5b747d41cb627199b80077181f205aa9db80cc77fddac6d7f1db9e79cd3

Download Submit
\Users\Admin\AppData\Local\tvW\OLEACC.dll
Filesize
879KB

MD5
f109c05a42b3e06c81da1f69a6b2136f

SHA1
e0bb7a8276aaf26ccd187ae9d81ee3e045a8ba92

SHA256
a27d8f1b46005fd1e0d90a80c662cfeae4387b34a22944b400334131835a4f6b

SHA512
72a1ea9f03f230c56109897ee2c07f38352ec538e7dd40b65d4cdcd82c6c9c6c16cafdfdf5572e29ece93f1f925abffddf727ea162db7c4976b00597561b3820

Download Submit
\Users\Admin\AppData\Local\tvW\sethc.exe
Filesize
272KB

MD5
3bcb70da9b5a2011e01e35ed29a3f3f3

SHA1
9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

SHA256
dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

SHA512
69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\Dg\sethc.exe
Filesize
272KB

MD5
3bcb70da9b5a2011e01e35ed29a3f3f3

SHA1
9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

SHA256
dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

SHA512
69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

Download Submit
memory/1156-65-0x0000000000000000-mapping.dmp

Download
memory/1196-63-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-60-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-56-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-58-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-55-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-59-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-57-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-61-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-62-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-54-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1756-76-0x0000000000000000-mapping.dmp

Download
memory/1760-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads