Overview

overview

10

Static

static

1db516ec44...f5.dll

windows7_x64

10

1db516ec44...f5.dll

windows10-2004_x64

8

Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    19-04-2022 04:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1db516ec44d7e582128b742a21ad262b118ede5823969eae29b8d0c6eace59f5.dll

  • Size

    1000KB

  • MD5

    3558b7179725f016656dd90085f93678

  • SHA1

    6f86ad7ebacc70ba7c1a032fe9964d4fec4c71cf

  • SHA256

    1db516ec44d7e582128b742a21ad262b118ede5823969eae29b8d0c6eace59f5

  • SHA512

    84845486787de8e7bd64a9df0a50720c68619fbb383d078013470ce6d935d86b843768f6d1253979e91c9da01adf82db04691a0fbf0002b4a4cf45f59e8f708f

Score
8/10
evasionpersistencetrojan

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1db516ec44d7e582128b742a21ad262b118ede5823969eae29b8d0c6eace59f5.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1508
  • C:\Windows\system32\sessionmsg.exe
    C:\Windows\system32\sessionmsg.exe
    1⤵
      PID:4936
    • C:\Users\Admin\AppData\Local\IO5EsQC\sessionmsg.exe
      C:\Users\Admin\AppData\Local\IO5EsQC\sessionmsg.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:5056
    • C:\Windows\system32\recdisc.exe
      C:\Windows\system32\recdisc.exe
      1⤵
        PID:4764
      • C:\Users\Admin\AppData\Local\ltuPOJ5tB\recdisc.exe
        C:\Users\Admin\AppData\Local\ltuPOJ5tB\recdisc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4748
      • C:\Windows\system32\wbengine.exe
        C:\Windows\system32\wbengine.exe
        1⤵
          PID:2964
        • C:\Users\Admin\AppData\Local\YIERt\wbengine.exe
          C:\Users\Admin\AppData\Local\YIERt\wbengine.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1980

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\IO5EsQC\DUI70.dll
          Filesize

          1.2MB

          MD5

          118c8296af4071cc8b059972711f446a

          SHA1

          a54cd0eeb8ae4cbdc079b4a98bc9af270278aed0

          SHA256

          5cefcbbcc6a506ca8772b609933b6f7c98b250f8aca316f8b8ecb95d7c816843

          SHA512

          0137dcdaed4d388139f55cda7bc8b42bac795f6d9e1758d450027319580e084320525c3485cc7ee3a5a4971ddf7b20d4516cef7e27ba749208556bba17c15069

          Download Submit
        • C:\Users\Admin\AppData\Local\IO5EsQC\DUI70.dll
          Filesize

          1.2MB

          MD5

          118c8296af4071cc8b059972711f446a

          SHA1

          a54cd0eeb8ae4cbdc079b4a98bc9af270278aed0

          SHA256

          5cefcbbcc6a506ca8772b609933b6f7c98b250f8aca316f8b8ecb95d7c816843

          SHA512

          0137dcdaed4d388139f55cda7bc8b42bac795f6d9e1758d450027319580e084320525c3485cc7ee3a5a4971ddf7b20d4516cef7e27ba749208556bba17c15069

          Download Submit
        • C:\Users\Admin\AppData\Local\IO5EsQC\sessionmsg.exe
          Filesize

          85KB

          MD5

          480f710806b68dfe478ca1ec7d7e79cc

          SHA1

          b4fc97fed2dbff9c4874cb65ede7b50699db37cd

          SHA256

          2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc

          SHA512

          29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

          Download Submit
        • C:\Users\Admin\AppData\Local\YIERt\SPP.dll
          Filesize

          1001KB

          MD5

          0c604cc9cb74b5a197fff72538b5d8b7

          SHA1

          b63202a4624e8f847eef29aab0c8171b50e90c7f

          SHA256

          611fa12cc72e92120cafdab2e1a9656da610315e2744f50102bf2742ef2316c4

          SHA512

          70b9c862be9a5d78499321a13987a7924cf4d76668fb3ace6abb61da9595102b1cd2e7dbe5eeafc1b3b66966e2abac5625ec2ca06c7fb857967c0f063d4f27c9

          Download Submit
        • C:\Users\Admin\AppData\Local\YIERt\SPP.dll
          Filesize

          1001KB

          MD5

          0c604cc9cb74b5a197fff72538b5d8b7

          SHA1

          b63202a4624e8f847eef29aab0c8171b50e90c7f

          SHA256

          611fa12cc72e92120cafdab2e1a9656da610315e2744f50102bf2742ef2316c4

          SHA512

          70b9c862be9a5d78499321a13987a7924cf4d76668fb3ace6abb61da9595102b1cd2e7dbe5eeafc1b3b66966e2abac5625ec2ca06c7fb857967c0f063d4f27c9

          Download Submit
        • C:\Users\Admin\AppData\Local\YIERt\wbengine.exe
          Filesize

          1.5MB

          MD5

          17270a354a66590953c4aac1cf54e507

          SHA1

          715babcc8e46b02ac498f4f06df7937904d9798d

          SHA256

          9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4

          SHA512

          6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

          Download Submit
        • C:\Users\Admin\AppData\Local\ltuPOJ5tB\ReAgent.dll
          Filesize

          1003KB

          MD5

          08b19e9f99615eac5d17d7dda5e824b5

          SHA1

          1ab6fb3407b1e44a06bc57d2f65a9837432b4653

          SHA256

          af97be94e8244f808343ab780b63a79ddabaeb4f3673acf9e5a3d743a9331dd5

          SHA512

          af197748e4908514511620e023bf2c4f283061750087444a95c2f1ff5af9857a163907a5bc3bd5c31bc623ce7a410299eac380b06764f9defd03239b52187635

          Download Submit
        • C:\Users\Admin\AppData\Local\ltuPOJ5tB\ReAgent.dll
          Filesize

          1003KB

          MD5

          08b19e9f99615eac5d17d7dda5e824b5

          SHA1

          1ab6fb3407b1e44a06bc57d2f65a9837432b4653

          SHA256

          af97be94e8244f808343ab780b63a79ddabaeb4f3673acf9e5a3d743a9331dd5

          SHA512

          af197748e4908514511620e023bf2c4f283061750087444a95c2f1ff5af9857a163907a5bc3bd5c31bc623ce7a410299eac380b06764f9defd03239b52187635

          Download Submit
        • C:\Users\Admin\AppData\Local\ltuPOJ5tB\recdisc.exe
          Filesize

          193KB

          MD5

          18afee6824c84bf5115bada75ff0a3e7

          SHA1

          d10f287a7176f57b3b2b315a5310d25b449795aa

          SHA256

          0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e

          SHA512

          517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845

          Download Submit
        • memory/1508-130-0x0000000140000000-0x0000000140101000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/1508-134-0x0000021437D10000-0x0000021437D17000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1980-182-0x0000021C5F080000-0x0000021C5F087000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1980-174-0x0000000000000000-mapping.dmp
          Download
        • memory/2728-140-0x0000000140000000-0x0000000140101000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/2728-155-0x00007FFE3DC30000-0x00007FFE3DC40000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2728-149-0x0000000000C40000-0x0000000000C47000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2728-141-0x0000000140000000-0x0000000140101000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/2728-139-0x0000000140000000-0x0000000140101000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/2728-138-0x0000000140000000-0x0000000140101000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/2728-145-0x0000000140000000-0x0000000140101000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/2728-135-0x0000000140000000-0x0000000140101000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/2728-136-0x0000000140000000-0x0000000140101000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/2728-144-0x0000000140000000-0x0000000140101000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/2728-137-0x0000000140000000-0x0000000140101000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/2728-143-0x0000000140000000-0x0000000140101000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/2728-142-0x0000000140000000-0x0000000140101000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/4748-170-0x0000000140000000-0x0000000140102000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/4748-169-0x000001B879FF0000-0x000001B879FF7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4748-165-0x0000000000000000-mapping.dmp
          Download
        • memory/5056-164-0x000001EB7A8C0000-0x000001EB7A8C7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/5056-160-0x0000000140000000-0x0000000140147000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/5056-156-0x0000000000000000-mapping.dmp
          Download