35de1c7ca742f0f5e25b9ffcf632bac7e50bd68d11b31cf1fcf66c6065265f71

Analysis

max time kernel
151s
max time network
43s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35de1c7ca742f0f5e25b9ffcf632bac7e50bd68d11b31cf1fcf66c6065265f71.dll
Size

1000KB
MD5

a1802c11c7ddd2eada359d6de66a3f92
SHA1

232773f600292d53111d1bfb13117553da7c497e
SHA256

35de1c7ca742f0f5e25b9ffcf632bac7e50bd68d11b31cf1fcf66c6065265f71
SHA512

48b1a0176e19d4c281856605cdd446893bfc378d78152e92c69ab390e465485b65dda5d19ed7c5e284600854c6208f71f5dd42c10c8799048025164989db630d

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

fveprompt.exewusa.exeSystemPropertiesProtection.exe

pid process

1748 fveprompt.exe
676 wusa.exe
1016 SystemPropertiesProtection.exe
Loads dropped DLL 7 IoCs

Processes:

fveprompt.exewusa.exeSystemPropertiesProtection.exe

pid process

1256
1748 fveprompt.exe
1256
676 wusa.exe
1256
1016 SystemPropertiesProtection.exe
1256

pid	process
1748	fveprompt.exe
676	wusa.exe
1016	SystemPropertiesProtection.exe

pid	process
1256
1748	fveprompt.exe
1256
676	wusa.exe
1256
1016	SystemPropertiesProtection.exe
1256

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lwausnzctoco = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\twjX0u6PdpZ\\wusa.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exefveprompt.exewusa.exeSystemPropertiesProtection.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fveprompt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wusa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exefveprompt.exe

pid	process
1880	rundll32.exe
1880	rundll32.exe
1880	rundll32.exe
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1748	fveprompt.exe
1748	fveprompt.exe
1256
1256
1256
1256
1256
1256
1256
1256

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1256 wrote to memory of 2028	1256	fveprompt.exe
PID 1256 wrote to memory of 2028	1256	fveprompt.exe
PID 1256 wrote to memory of 2028	1256	fveprompt.exe
PID 1256 wrote to memory of 1748	1256	fveprompt.exe
PID 1256 wrote to memory of 1748	1256	fveprompt.exe
PID 1256 wrote to memory of 1748	1256	fveprompt.exe
PID 1256 wrote to memory of 1300	1256	wusa.exe
PID 1256 wrote to memory of 1300	1256	wusa.exe
PID 1256 wrote to memory of 1300	1256	wusa.exe
PID 1256 wrote to memory of 676	1256	wusa.exe
PID 1256 wrote to memory of 676	1256	wusa.exe
PID 1256 wrote to memory of 676	1256	wusa.exe
PID 1256 wrote to memory of 1152	1256	SystemPropertiesProtection.exe
PID 1256 wrote to memory of 1152	1256	SystemPropertiesProtection.exe
PID 1256 wrote to memory of 1152	1256	SystemPropertiesProtection.exe
PID 1256 wrote to memory of 1016	1256	SystemPropertiesProtection.exe
PID 1256 wrote to memory of 1016	1256	SystemPropertiesProtection.exe
PID 1256 wrote to memory of 1016	1256	SystemPropertiesProtection.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\35de1c7ca742f0f5e25b9ffcf632bac7e50bd68d11b31cf1fcf66c6065265f71.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1880

C:\Windows\system32\fveprompt.exe
C:\Windows\system32\fveprompt.exe
1⤵
PID:2028

C:\Users\Admin\AppData\Local\uwVKCu\fveprompt.exe
C:\Users\Admin\AppData\Local\uwVKCu\fveprompt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1748

C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe
1⤵
PID:1300

C:\Users\Admin\AppData\Local\etLOEZe6p\wusa.exe
C:\Users\Admin\AppData\Local\etLOEZe6p\wusa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:676

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:1152

C:\Users\Admin\AppData\Local\o6wmZp\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\o6wmZp\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1016

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\etLOEZe6p\dpx.dll
Filesize
1001KB

MD5
5b59518b56043c3a513f8a11c70c5af3

SHA1
26397924b45769241689eac9ec57ca74492dce2b

SHA256
1458457b60e00433530d2079e2612d0e8c45552ce09f740510a0449f9651e9aa

SHA512
cf53d07779631419be371ed1e3eb3a50bd6188184832a0bc28afcae9efcbf6127e3a435e3c89e785a62c2656e968e4e8d00a57ead281d426223d8bca2d3fcdcb

Download Submit
C:\Users\Admin\AppData\Local\etLOEZe6p\wusa.exe
Filesize
300KB

MD5
c15b3d813f4382ade98f1892350f21c7

SHA1
a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

SHA256
8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

SHA512
6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

Download Submit
C:\Users\Admin\AppData\Local\o6wmZp\SYSDM.CPL
Filesize
1001KB

MD5
9d1f9d614a2d6f1924e0b23b691aabce

SHA1
733b024b3966336652f946ddd82df756fbe15001

SHA256
ef5a77da42f17c939d6cf2d00d1a03240e620b058dc938461e1731ced02dea02

SHA512
770ff3f6470182d86c983d206d9ea3b5e8fa2b61f993cb19e750a0b6ddbf55b7862f1bcadea713f36fd7c55dd999eac6742345a571e65be306aa1bbc9c9ce769

Download Submit
C:\Users\Admin\AppData\Local\o6wmZp\SystemPropertiesProtection.exe
Filesize
80KB

MD5
05138d8f952d3fff1362f7c50158bc38

SHA1
780bc59fcddf06a7494d09771b8340acffdcc720

SHA256
753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

SHA512
27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

Download Submit
C:\Users\Admin\AppData\Local\uwVKCu\fveprompt.exe
Filesize
104KB

MD5
dc2c44a23b2cd52bd53accf389ae14b2

SHA1
e36c7b6f328aa2ab2f52478169c52c1916f04b5f

SHA256
7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

SHA512
ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

Download Submit
C:\Users\Admin\AppData\Local\uwVKCu\slc.dll
Filesize
1002KB

MD5
f0d54a7970dfd848aa97e9018a7e7e24

SHA1
67be660c0a138f462296fc9d80a9ce19a6977f03

SHA256
848c5d26ee344a112f786a6d3fab1474d9d025c76c374622b6fb2729f37a3cf7

SHA512
5b160ac088772b7c440d2d306aceae694b823d27f27b358949eb3393e2a85d8c36c6f739a57359ece871a18878ba6c0077ae81dc576526beffa6be6c23c2ec97

Download Submit
\Users\Admin\AppData\Local\etLOEZe6p\dpx.dll
Filesize
1001KB

MD5
5b59518b56043c3a513f8a11c70c5af3

SHA1
26397924b45769241689eac9ec57ca74492dce2b

SHA256
1458457b60e00433530d2079e2612d0e8c45552ce09f740510a0449f9651e9aa

SHA512
cf53d07779631419be371ed1e3eb3a50bd6188184832a0bc28afcae9efcbf6127e3a435e3c89e785a62c2656e968e4e8d00a57ead281d426223d8bca2d3fcdcb

Download Submit
\Users\Admin\AppData\Local\etLOEZe6p\wusa.exe
Filesize
300KB

MD5
c15b3d813f4382ade98f1892350f21c7

SHA1
a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

SHA256
8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

SHA512
6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

Download Submit
\Users\Admin\AppData\Local\o6wmZp\SYSDM.CPL
Filesize
1001KB

MD5
9d1f9d614a2d6f1924e0b23b691aabce

SHA1
733b024b3966336652f946ddd82df756fbe15001

SHA256
ef5a77da42f17c939d6cf2d00d1a03240e620b058dc938461e1731ced02dea02

SHA512
770ff3f6470182d86c983d206d9ea3b5e8fa2b61f993cb19e750a0b6ddbf55b7862f1bcadea713f36fd7c55dd999eac6742345a571e65be306aa1bbc9c9ce769

Download Submit
\Users\Admin\AppData\Local\o6wmZp\SystemPropertiesProtection.exe
Filesize
80KB

MD5
05138d8f952d3fff1362f7c50158bc38

SHA1
780bc59fcddf06a7494d09771b8340acffdcc720

SHA256
753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

SHA512
27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

Download Submit
\Users\Admin\AppData\Local\uwVKCu\fveprompt.exe
Filesize
104KB

MD5
dc2c44a23b2cd52bd53accf389ae14b2

SHA1
e36c7b6f328aa2ab2f52478169c52c1916f04b5f

SHA256
7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

SHA512
ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

Download Submit
\Users\Admin\AppData\Local\uwVKCu\slc.dll
Filesize
1002KB

MD5
f0d54a7970dfd848aa97e9018a7e7e24

SHA1
67be660c0a138f462296fc9d80a9ce19a6977f03

SHA256
848c5d26ee344a112f786a6d3fab1474d9d025c76c374622b6fb2729f37a3cf7

SHA512
5b160ac088772b7c440d2d306aceae694b823d27f27b358949eb3393e2a85d8c36c6f739a57359ece871a18878ba6c0077ae81dc576526beffa6be6c23c2ec97

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\jtaazoaPt\SystemPropertiesProtection.exe
Filesize
80KB

MD5
05138d8f952d3fff1362f7c50158bc38

SHA1
780bc59fcddf06a7494d09771b8340acffdcc720

SHA256
753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

SHA512
27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

Download Submit
memory/676-91-0x0000000000000000-mapping.dmp

Download
memory/1016-101-0x0000000000000000-mapping.dmp

Download
memory/1256-67-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1256-64-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1256-78-0x0000000001D90000-0x0000000001D97000-memory.dmp

Filesize
28KB

Download
memory/1256-65-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1256-60-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1256-59-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1256-62-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1256-66-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1256-69-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1256-61-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1256-63-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1256-68-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1748-80-0x0000000000000000-mapping.dmp

Download
memory/1748-89-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1748-85-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1748-82-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp

Filesize
8KB

Download
memory/1880-54-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1880-58-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads