8cf6c8d142639514e363103f0e9768f4847b0068c2eae252c45c782c5773ab60

Analysis

max time kernel
150s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cf6c8d142639514e363103f0e9768f4847b0068c2eae252c45c782c5773ab60.dll
Size

970KB
MD5

c57bd52b697bb4e7d84966e7e1060dcf
SHA1

bcae0790539d3753a5ddf7707a12068c3733a3b2
SHA256

8cf6c8d142639514e363103f0e9768f4847b0068c2eae252c45c782c5773ab60
SHA512

61d3830fe1d54f80ef1a5cb03f272f9148f897ceb132537c66117a287770fe48dc74a1a3e291c011c18c467ebeaf73b3b9f79802760bc6d8504b0ccd02cd3f0a

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Taskmgr.exephoneactivate.exeSystemPropertiesRemote.exe

pid process

3292 Taskmgr.exe
4588 phoneactivate.exe
4224 SystemPropertiesRemote.exe
Loads dropped DLL 3 IoCs

Processes:

Taskmgr.exephoneactivate.exeSystemPropertiesRemote.exe

pid process

3292 Taskmgr.exe
4588 phoneactivate.exe
4224 SystemPropertiesRemote.exe

pid	process
3292	Taskmgr.exe
4588	phoneactivate.exe
4224	SystemPropertiesRemote.exe

pid	process
3292	Taskmgr.exe
4588	phoneactivate.exe
4224	SystemPropertiesRemote.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Erihzxqqayujs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\ctglJxMzsP\\phoneactivate.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

phoneactivate.exeSystemPropertiesRemote.exerundll32.exeTaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	phoneactivate.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3480	rundll32.exe
3480	rundll32.exe
3480	rundll32.exe
3480	rundll32.exe
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668
2668

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2668

pid	process
2668

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2668 wrote to memory of 2780	2668	Taskmgr.exe
PID 2668 wrote to memory of 2780	2668	Taskmgr.exe
PID 2668 wrote to memory of 3292	2668	Taskmgr.exe
PID 2668 wrote to memory of 3292	2668	Taskmgr.exe
PID 2668 wrote to memory of 1548	2668	phoneactivate.exe
PID 2668 wrote to memory of 1548	2668	phoneactivate.exe
PID 2668 wrote to memory of 4588	2668	phoneactivate.exe
PID 2668 wrote to memory of 4588	2668	phoneactivate.exe
PID 2668 wrote to memory of 4804	2668	SystemPropertiesRemote.exe
PID 2668 wrote to memory of 4804	2668	SystemPropertiesRemote.exe
PID 2668 wrote to memory of 4224	2668	SystemPropertiesRemote.exe
PID 2668 wrote to memory of 4224	2668	SystemPropertiesRemote.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8cf6c8d142639514e363103f0e9768f4847b0068c2eae252c45c782c5773ab60.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3480

C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\Taskmgr.exe
1⤵
PID:2780

C:\Users\Admin\AppData\Local\o8nc\Taskmgr.exe
C:\Users\Admin\AppData\Local\o8nc\Taskmgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3292

C:\Windows\system32\phoneactivate.exe
C:\Windows\system32\phoneactivate.exe
1⤵
PID:1548

C:\Users\Admin\AppData\Local\1hwuODKUX\phoneactivate.exe
C:\Users\Admin\AppData\Local\1hwuODKUX\phoneactivate.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4588

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:4804

C:\Users\Admin\AppData\Local\MT95cw\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\MT95cw\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1hwuODKUX\SLC.dll
Filesize
972KB

MD5
66a8d76cb1e20d7aee7b8a23b116d782

SHA1
277fbf0f61530fe50e6d5ee07509c00e42c0a240

SHA256
8b7f74ac92ae5d7be56d0a04bc9a904b98940cb368b190c64b5eef604c25d881

SHA512
aeaf9b2c282d851bc447e09c8e6883861bfbe6bacb4a4ac25db0fa4bb07c76b6411d0d743c4615b099e028178747cb07e8b0fcfa1b8a810ea78bcf568bef1ec2

Download Submit
C:\Users\Admin\AppData\Local\1hwuODKUX\SLC.dll
Filesize
972KB

MD5
66a8d76cb1e20d7aee7b8a23b116d782

SHA1
277fbf0f61530fe50e6d5ee07509c00e42c0a240

SHA256
8b7f74ac92ae5d7be56d0a04bc9a904b98940cb368b190c64b5eef604c25d881

SHA512
aeaf9b2c282d851bc447e09c8e6883861bfbe6bacb4a4ac25db0fa4bb07c76b6411d0d743c4615b099e028178747cb07e8b0fcfa1b8a810ea78bcf568bef1ec2

Download Submit
C:\Users\Admin\AppData\Local\1hwuODKUX\phoneactivate.exe
Filesize
107KB

MD5
32c31f06e0b68f349f68afdd08e45f3d

SHA1
e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c

SHA256
cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017

SHA512
fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26

Download Submit
C:\Users\Admin\AppData\Local\MT95cw\SYSDM.CPL
Filesize
971KB

MD5
f9fa86747b5ac57531268b4e49e4b92b

SHA1
f032f23bf8f16ed66d715132e6521ee5b14ea11a

SHA256
8f374bdc9efd9a9f75d9beba39b1180ba6c650b2ffd396e0f080aa5a59c0a994

SHA512
2c7b3b9315a44b70fd478e450730bdb73d60a1cf8290f6b21cdc05e22e61428931d9d27e5b480fc248165345eac1cd3d4e3e1dcca0aac04147efa75a0767e599

Download Submit
C:\Users\Admin\AppData\Local\MT95cw\SYSDM.CPL
Filesize
971KB

MD5
f9fa86747b5ac57531268b4e49e4b92b

SHA1
f032f23bf8f16ed66d715132e6521ee5b14ea11a

SHA256
8f374bdc9efd9a9f75d9beba39b1180ba6c650b2ffd396e0f080aa5a59c0a994

SHA512
2c7b3b9315a44b70fd478e450730bdb73d60a1cf8290f6b21cdc05e22e61428931d9d27e5b480fc248165345eac1cd3d4e3e1dcca0aac04147efa75a0767e599

Download Submit
C:\Users\Admin\AppData\Local\MT95cw\SystemPropertiesRemote.exe
Filesize
82KB

MD5
cdce1ee7f316f249a3c20cc7a0197da9

SHA1
dadb23af07827758005ec0235ac1573ffcea0da6

SHA256
7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932

SHA512
f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

Download Submit
C:\Users\Admin\AppData\Local\o8nc\DUser.dll
Filesize
975KB

MD5
659001881b1f16daeffb12b163cd6a15

SHA1
2deb456682d392e59551ac348d4561268e555f35

SHA256
eb58e109328dea7a9f05e4375e4a9c60046fb2000b41138080f20f802ee3c8f2

SHA512
5ad59e2fcfa306438ff08ae07de4ee5428ebe195d6e42949fe824271927467789da56272c5ce07c7426250de8a8c66ddd08edc64fdcbb0d87e67b376c77343b6

Download Submit
C:\Users\Admin\AppData\Local\o8nc\DUser.dll
Filesize
975KB

MD5
659001881b1f16daeffb12b163cd6a15

SHA1
2deb456682d392e59551ac348d4561268e555f35

SHA256
eb58e109328dea7a9f05e4375e4a9c60046fb2000b41138080f20f802ee3c8f2

SHA512
5ad59e2fcfa306438ff08ae07de4ee5428ebe195d6e42949fe824271927467789da56272c5ce07c7426250de8a8c66ddd08edc64fdcbb0d87e67b376c77343b6

Download Submit
C:\Users\Admin\AppData\Local\o8nc\Taskmgr.exe
Filesize
1.2MB

MD5
58d5bc7895f7f32ee308e34f06f25dd5

SHA1
7a7f5e991ddeaf73e15a0fdcb5c999c0248a2fa4

SHA256
4e305198f15bafd5728b5fb8e7ff48d9f312399c744ecfea0ecac79d93c5e478

SHA512
872c84c92b0e4050ae4a4137330ec3cda30008fd15d6413bf7a913c03a021ad41b6131e5a7356b374ced98d37ae207147ebefd93893560dc15c3e9875f93f7a9

Download Submit
memory/2668-139-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/2668-141-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/2668-136-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/2668-146-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/2668-155-0x00000000024D0000-0x00000000024D7000-memory.dmp

Filesize
28KB

Download
memory/2668-156-0x00007FF9D5210000-0x00007FF9D5220000-memory.dmp

Filesize
64KB

Download
memory/2668-143-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/2668-140-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/2668-142-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/2668-138-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/2668-145-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/2668-144-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/2668-137-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/3292-164-0x00000187240F0000-0x00000187240F7000-memory.dmp

Filesize
28KB

Download
memory/3292-157-0x0000000000000000-mapping.dmp

Download
memory/3292-161-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3480-131-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/3480-135-0x000001CE8E530000-0x000001CE8E537000-memory.dmp

Filesize
28KB

Download
memory/4224-183-0x0000010743360000-0x0000010743367000-memory.dmp

Filesize
28KB

Download
memory/4224-175-0x0000000000000000-mapping.dmp

Download
memory/4588-174-0x000001DC0E370000-0x000001DC0E377000-memory.dmp

Filesize
28KB

Download
memory/4588-170-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/4588-166-0x0000000000000000-mapping.dmp

Download