9896a4f7a5d74708af6fdfc7bde7995dd9242b6c18a6239943c963ed60eeb7b8

Analysis

max time kernel
150s
max time network
44s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9896a4f7a5d74708af6fdfc7bde7995dd9242b6c18a6239943c963ed60eeb7b8.dll
Size

998KB
MD5

c6b8a03ce5ec402adf6a7e40d960b306
SHA1

bdbb9fbe24914344c69086ceeaed355c7715bdfd
SHA256

9896a4f7a5d74708af6fdfc7bde7995dd9242b6c18a6239943c963ed60eeb7b8
SHA512

3bb10b255f3ecc49fcd5cf743857af83b638c923c02c6814649cf3f64c310baa577430c278aac370765fe87bcf497a35141c7fc408c9906c3cba837def16e39f

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

DWWIN.EXEEhStorAuthn.exemsinfo32.exe

pid process

1376 DWWIN.EXE
1956 EhStorAuthn.exe
1784 msinfo32.exe
Loads dropped DLL 7 IoCs

Processes:

DWWIN.EXEEhStorAuthn.exemsinfo32.exe

pid process

1388
1376 DWWIN.EXE
1388
1956 EhStorAuthn.exe
1388
1784 msinfo32.exe
1388

pid	process
1376	DWWIN.EXE
1956	EhStorAuthn.exe
1784	msinfo32.exe

pid	process
1388
1376	DWWIN.EXE
1388
1956	EhStorAuthn.exe
1388
1784	msinfo32.exe
1388

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lwausnzctoco = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\LQCNuY\\EhStorAuthn.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msinfo32.exerundll32.exeDWWIN.EXEEhStorAuthn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeDWWIN.EXE

pid	process
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1376	DWWIN.EXE
1376	DWWIN.EXE
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1388 wrote to memory of 892	1388	DWWIN.EXE
PID 1388 wrote to memory of 892	1388	DWWIN.EXE
PID 1388 wrote to memory of 892	1388	DWWIN.EXE
PID 1388 wrote to memory of 1376	1388	DWWIN.EXE
PID 1388 wrote to memory of 1376	1388	DWWIN.EXE
PID 1388 wrote to memory of 1376	1388	DWWIN.EXE
PID 1388 wrote to memory of 1720	1388	EhStorAuthn.exe
PID 1388 wrote to memory of 1720	1388	EhStorAuthn.exe
PID 1388 wrote to memory of 1720	1388	EhStorAuthn.exe
PID 1388 wrote to memory of 1956	1388	EhStorAuthn.exe
PID 1388 wrote to memory of 1956	1388	EhStorAuthn.exe
PID 1388 wrote to memory of 1956	1388	EhStorAuthn.exe
PID 1388 wrote to memory of 1812	1388	msinfo32.exe
PID 1388 wrote to memory of 1812	1388	msinfo32.exe
PID 1388 wrote to memory of 1812	1388	msinfo32.exe
PID 1388 wrote to memory of 1784	1388	msinfo32.exe
PID 1388 wrote to memory of 1784	1388	msinfo32.exe
PID 1388 wrote to memory of 1784	1388	msinfo32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9896a4f7a5d74708af6fdfc7bde7995dd9242b6c18a6239943c963ed60eeb7b8.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1480

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:892

C:\Users\Admin\AppData\Local\QzEO\DWWIN.EXE
C:\Users\Admin\AppData\Local\QzEO\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1376

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:1720

C:\Users\Admin\AppData\Local\TRqG\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\TRqG\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1956

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:1812

C:\Users\Admin\AppData\Local\zPUHLmSa\msinfo32.exe
C:\Users\Admin\AppData\Local\zPUHLmSa\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1784

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\QzEO\DWWIN.EXE
Filesize
149KB

MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
C:\Users\Admin\AppData\Local\QzEO\VERSION.dll
Filesize
999KB

MD5
75fa86449da176a5cdf89a1028629ae3

SHA1
521d081f93cc11181df5bcfcef7395745745a709

SHA256
2927241d951737e0efc8113dfd7dd4d79deef4ec87f98532808fd705cd26113e

SHA512
367329ab2b5604131a08ad218427df0a56b9a7fcdcd34d9c6c88e8cfa1da30206116e7c9a7b2c186f142fe089ed6c08aa3309bb0956fb6e7bc596c600f19cce5

Download Submit
C:\Users\Admin\AppData\Local\TRqG\EhStorAuthn.exe
Filesize
137KB

MD5
3abe95d92c80dc79707d8e168d79a994

SHA1
64b10c17f602d3f21c84954541e7092bc55bb5ab

SHA256
2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad

SHA512
70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

Download Submit
C:\Users\Admin\AppData\Local\TRqG\WTSAPI32.dll
Filesize
1001KB

MD5
a7ecd33501b95e1b02bb22350a62747b

SHA1
79320038aed4a1688de11be2d9acbbb5b409013e

SHA256
882d879e6e882a61e21d87418a7fe1a43133d3061c0c6acf3408621b2e5d936a

SHA512
3cfa033aa7c620f920949d46dfccfa4098ce26e8f49d4b2325b4ee01f303e3c6d0214dce83e0a664b79c14568a0d4eccccae6c7cf46dcce1f9c2cd509627dad5

Download Submit
C:\Users\Admin\AppData\Local\zPUHLmSa\MFC42u.dll
Filesize
1.0MB

MD5
d07d0c1aba7875eaf9088b5aa7d8cb0d

SHA1
20fcb105af699293a6d4564f5c0bf4aecfeb34ee

SHA256
8b4821b6c2aafbecc689ea83b45f7b85ec2dc925e04179a9004e6c3c32b5d5f0

SHA512
12d9c14eed40c83eb35cc026823d38a545984e7b9a407960bd9a3d3933fd23e7a2011a624e8d0c4ee79f374e194cc354babdd4058f72a03096710093c855b2a3

Download Submit
C:\Users\Admin\AppData\Local\zPUHLmSa\msinfo32.exe
Filesize
370KB

MD5
d291620d4c51c5f5ffa62ccdc52c5c13

SHA1
2081c97f15b1c2a2eadce366baf3c510da553cc7

SHA256
76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

SHA512
75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

Download Submit
\Users\Admin\AppData\Local\QzEO\DWWIN.EXE
Filesize
149KB

MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
\Users\Admin\AppData\Local\QzEO\VERSION.dll
Filesize
999KB

MD5
75fa86449da176a5cdf89a1028629ae3

SHA1
521d081f93cc11181df5bcfcef7395745745a709

SHA256
2927241d951737e0efc8113dfd7dd4d79deef4ec87f98532808fd705cd26113e

SHA512
367329ab2b5604131a08ad218427df0a56b9a7fcdcd34d9c6c88e8cfa1da30206116e7c9a7b2c186f142fe089ed6c08aa3309bb0956fb6e7bc596c600f19cce5

Download Submit
\Users\Admin\AppData\Local\TRqG\EhStorAuthn.exe
Filesize
137KB

MD5
3abe95d92c80dc79707d8e168d79a994

SHA1
64b10c17f602d3f21c84954541e7092bc55bb5ab

SHA256
2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad

SHA512
70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

Download Submit
\Users\Admin\AppData\Local\TRqG\WTSAPI32.dll
Filesize
1001KB

MD5
a7ecd33501b95e1b02bb22350a62747b

SHA1
79320038aed4a1688de11be2d9acbbb5b409013e

SHA256
882d879e6e882a61e21d87418a7fe1a43133d3061c0c6acf3408621b2e5d936a

SHA512
3cfa033aa7c620f920949d46dfccfa4098ce26e8f49d4b2325b4ee01f303e3c6d0214dce83e0a664b79c14568a0d4eccccae6c7cf46dcce1f9c2cd509627dad5

Download Submit
\Users\Admin\AppData\Local\zPUHLmSa\MFC42u.dll
Filesize
1.0MB

MD5
d07d0c1aba7875eaf9088b5aa7d8cb0d

SHA1
20fcb105af699293a6d4564f5c0bf4aecfeb34ee

SHA256
8b4821b6c2aafbecc689ea83b45f7b85ec2dc925e04179a9004e6c3c32b5d5f0

SHA512
12d9c14eed40c83eb35cc026823d38a545984e7b9a407960bd9a3d3933fd23e7a2011a624e8d0c4ee79f374e194cc354babdd4058f72a03096710093c855b2a3

Download Submit
\Users\Admin\AppData\Local\zPUHLmSa\msinfo32.exe
Filesize
370KB

MD5
d291620d4c51c5f5ffa62ccdc52c5c13

SHA1
2081c97f15b1c2a2eadce366baf3c510da553cc7

SHA256
76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

SHA512
75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\YfoDv\msinfo32.exe
Filesize
370KB

MD5
d291620d4c51c5f5ffa62ccdc52c5c13

SHA1
2081c97f15b1c2a2eadce366baf3c510da553cc7

SHA256
76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

SHA512
75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

Download Submit
memory/1376-89-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1376-85-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1376-84-0x000007FEFB721000-0x000007FEFB723000-memory.dmp

Filesize
8KB

Download
memory/1376-80-0x0000000000000000-mapping.dmp

Download
memory/1388-69-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1388-68-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1388-59-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1388-61-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1388-66-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1388-78-0x00000000021F0000-0x00000000021F7000-memory.dmp

Filesize
28KB

Download
memory/1388-63-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1388-62-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1388-67-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1388-65-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1388-60-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1388-64-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1480-54-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1480-58-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1784-102-0x0000000000000000-mapping.dmp

Download
memory/1784-107-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1784-111-0x00000000001F0000-0x00000000001F7000-memory.dmp

Filesize
28KB

Download
memory/1956-100-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1956-91-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads