edcea095b435ff1197fd722520e26b402b4e0e170cc9560994b0c59816a1ebc6

Analysis

max time kernel
150s
max time network
42s
platform
windows7_x64
resource
win7-20220414-en
submitted
19-04-2022 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edcea095b435ff1197fd722520e26b402b4e0e170cc9560994b0c59816a1ebc6.dll
Size

1.2MB
MD5

b87e7b934cf7027bc3725dcc7b19a6ef
SHA1

08c3b9cfd005eafe1b9c149ba1ef39d9c6e18b7f
SHA256

edcea095b435ff1197fd722520e26b402b4e0e170cc9560994b0c59816a1ebc6
SHA512

d879ef05c96ea20f26a40a28f457b57e58f51d4a7a9138d95cd32dcd4c3038e5b8fc1742a887732ea33767a48ff9532bf3d20179d9afbdfed481c9605a281d24

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

FXSCOVER.exelpksetup.exedccw.exe

pid process

1372 FXSCOVER.exe
1044 lpksetup.exe
1796 dccw.exe
Loads dropped DLL 7 IoCs

Processes:

FXSCOVER.exelpksetup.exedccw.exe

pid process

1256
1372 FXSCOVER.exe
1256
1044 lpksetup.exe
1256
1796 dccw.exe
1256

pid	process
1372	FXSCOVER.exe
1044	lpksetup.exe
1796	dccw.exe

pid	process
1256
1372	FXSCOVER.exe
1256
1044	lpksetup.exe
1256
1796	dccw.exe
1256

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lwausnzctoco = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\7DP\\lpksetup.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeFXSCOVER.exelpksetup.exedccw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lpksetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeFXSCOVER.exe

pid	process
2024	rundll32.exe
2024	rundll32.exe
2024	rundll32.exe
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1372	FXSCOVER.exe
1372	FXSCOVER.exe
1256
1256
1256
1256
1256
1256
1256
1256
1256

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1256 wrote to memory of 1384	1256	FXSCOVER.exe
PID 1256 wrote to memory of 1384	1256	FXSCOVER.exe
PID 1256 wrote to memory of 1384	1256	FXSCOVER.exe
PID 1256 wrote to memory of 1372	1256	FXSCOVER.exe
PID 1256 wrote to memory of 1372	1256	FXSCOVER.exe
PID 1256 wrote to memory of 1372	1256	FXSCOVER.exe
PID 1256 wrote to memory of 1312	1256	lpksetup.exe
PID 1256 wrote to memory of 1312	1256	lpksetup.exe
PID 1256 wrote to memory of 1312	1256	lpksetup.exe
PID 1256 wrote to memory of 1044	1256	lpksetup.exe
PID 1256 wrote to memory of 1044	1256	lpksetup.exe
PID 1256 wrote to memory of 1044	1256	lpksetup.exe
PID 1256 wrote to memory of 1716	1256	dccw.exe
PID 1256 wrote to memory of 1716	1256	dccw.exe
PID 1256 wrote to memory of 1716	1256	dccw.exe
PID 1256 wrote to memory of 1796	1256	dccw.exe
PID 1256 wrote to memory of 1796	1256	dccw.exe
PID 1256 wrote to memory of 1796	1256	dccw.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\edcea095b435ff1197fd722520e26b402b4e0e170cc9560994b0c59816a1ebc6.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2024

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:1384

C:\Users\Admin\AppData\Local\c0kU7RcL8\FXSCOVER.exe
C:\Users\Admin\AppData\Local\c0kU7RcL8\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1372

C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
1⤵
PID:1312

C:\Users\Admin\AppData\Local\cW5f\lpksetup.exe
C:\Users\Admin\AppData\Local\cW5f\lpksetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1044

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:1716

C:\Users\Admin\AppData\Local\sUc8\dccw.exe
C:\Users\Admin\AppData\Local\sUc8\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1796

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\c0kU7RcL8\FXSCOVER.exe
Filesize
261KB

MD5
5e2c61be8e093dbfe7fc37585be42869

SHA1
ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

SHA256
3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

SHA512
90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

Download Submit
C:\Users\Admin\AppData\Local\c0kU7RcL8\MFC42u.dll
Filesize
1.2MB

MD5
6b7b1c15c2fbb43993b61f4cb86e522c

SHA1
78e21fd93dde98769a593808617fc965c9c9777f

SHA256
23945e0b8c21fe3dcd471e9c55ccee1696c3dab334647038a4a41129f3eb642d

SHA512
a62ccdd0e5f5a219d73f53cf7941bc4d6b897a85b4ae7e01a56c9eebc3c59dd3be136e8a71323c4bc56ed596340a7dc60b0560ea7f54bc830ad662f2fefc73df

Download Submit
C:\Users\Admin\AppData\Local\cW5f\lpksetup.exe
Filesize
638KB

MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
C:\Users\Admin\AppData\Local\cW5f\slc.dll
Filesize
1.2MB

MD5
d236457c119fe582362a358ad234d51b

SHA1
d71fb874fd4a54f45841e6e9cb6001ca7da1b016

SHA256
530a968db703fcbf616ac13eb988998c98bca1c26d31325c1520e9ad4d1e4d71

SHA512
4b7503e9b16f3b78dea0d64e0df267fc1b8e7f9fe0afe6e300412dea0dc442be5251b6f2bc4cf3474504cfdc88bde1d66396e7b6ba334c85c3798dfa01d907b5

Download Submit
C:\Users\Admin\AppData\Local\sUc8\dccw.exe
Filesize
861KB

MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
C:\Users\Admin\AppData\Local\sUc8\dxva2.dll
Filesize
1.2MB

MD5
611f09fb5ba5f84a3929da10d0b65edd

SHA1
9fb2889ba920711cf14c58d0904ce29865312ef8

SHA256
fdb1716df986695c08744fd3a3633c19e7dcff0b96329464655b1b16a5f16e3a

SHA512
25aeb0276492882453a534abef9cdf58a1a0fb305da7e750675ab09c9b6c24e952959c37168e9a02497af656d3dfab5b35531bab2810f9d4abdd7838e7a0d949

Download Submit
\Users\Admin\AppData\Local\c0kU7RcL8\FXSCOVER.exe
Filesize
261KB

MD5
5e2c61be8e093dbfe7fc37585be42869

SHA1
ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

SHA256
3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

SHA512
90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

Download Submit
\Users\Admin\AppData\Local\c0kU7RcL8\MFC42u.dll
Filesize
1.2MB

MD5
6b7b1c15c2fbb43993b61f4cb86e522c

SHA1
78e21fd93dde98769a593808617fc965c9c9777f

SHA256
23945e0b8c21fe3dcd471e9c55ccee1696c3dab334647038a4a41129f3eb642d

SHA512
a62ccdd0e5f5a219d73f53cf7941bc4d6b897a85b4ae7e01a56c9eebc3c59dd3be136e8a71323c4bc56ed596340a7dc60b0560ea7f54bc830ad662f2fefc73df

Download Submit
\Users\Admin\AppData\Local\cW5f\lpksetup.exe
Filesize
638KB

MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
\Users\Admin\AppData\Local\cW5f\slc.dll
Filesize
1.2MB

MD5
d236457c119fe582362a358ad234d51b

SHA1
d71fb874fd4a54f45841e6e9cb6001ca7da1b016

SHA256
530a968db703fcbf616ac13eb988998c98bca1c26d31325c1520e9ad4d1e4d71

SHA512
4b7503e9b16f3b78dea0d64e0df267fc1b8e7f9fe0afe6e300412dea0dc442be5251b6f2bc4cf3474504cfdc88bde1d66396e7b6ba334c85c3798dfa01d907b5

Download Submit
\Users\Admin\AppData\Local\sUc8\dccw.exe
Filesize
861KB

MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
\Users\Admin\AppData\Local\sUc8\dxva2.dll
Filesize
1.2MB

MD5
611f09fb5ba5f84a3929da10d0b65edd

SHA1
9fb2889ba920711cf14c58d0904ce29865312ef8

SHA256
fdb1716df986695c08744fd3a3633c19e7dcff0b96329464655b1b16a5f16e3a

SHA512
25aeb0276492882453a534abef9cdf58a1a0fb305da7e750675ab09c9b6c24e952959c37168e9a02497af656d3dfab5b35531bab2810f9d4abdd7838e7a0d949

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Credentials\qWJjrnPtqyN\dccw.exe
Filesize
861KB

MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
memory/1044-97-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/1044-101-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1044-92-0x0000000000000000-mapping.dmp

Download
memory/1256-68-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1256-59-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1256-63-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1256-64-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1256-78-0x0000000002B50000-0x0000000002B57000-memory.dmp

Filesize
28KB

Download
memory/1256-62-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1256-61-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1256-69-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1256-65-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1256-66-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1256-60-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1256-67-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1372-90-0x0000000000370000-0x0000000000377000-memory.dmp

Filesize
28KB

Download
memory/1372-80-0x0000000000000000-mapping.dmp

Download
memory/1372-86-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1372-84-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

Filesize
8KB

Download
memory/1372-85-0x000000013F3A1000-0x000000013F3A3000-memory.dmp

Filesize
8KB

Download
memory/1796-103-0x0000000000000000-mapping.dmp

Download
memory/1796-112-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2024-54-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2024-58-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads