30316f6ec4932f0788a2ecc6a93e5f7313121241d94caf544f314f1a2615fa46

Analysis

max time kernel
151s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-04-2022 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30316f6ec4932f0788a2ecc6a93e5f7313121241d94caf544f314f1a2615fa46.dll
Size

969KB
MD5

cfc7e196da21d39bd421129550403f36
SHA1

fbf099967e30871fc4f12c9b448b988aefbeafb5
SHA256

30316f6ec4932f0788a2ecc6a93e5f7313121241d94caf544f314f1a2615fa46
SHA512

29ed93906917a1d12151e561a93118fc4278787f6cd7b471136ff22643b1da032441d86b8687c445352774c32dc7cc563ec4759f51b24ac13a8d6dc81ed6ab6a

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

Narrator.exeiexpress.exeBitLockerWizard.exeSystemPropertiesRemote.exe

pid process

4652 Narrator.exe
1692 iexpress.exe
2940 BitLockerWizard.exe
3692 SystemPropertiesRemote.exe
Loads dropped DLL 3 IoCs

Processes:

iexpress.exeBitLockerWizard.exeSystemPropertiesRemote.exe

pid process

1692 iexpress.exe
2940 BitLockerWizard.exe
3692 SystemPropertiesRemote.exe

pid	process
4652	Narrator.exe
1692	iexpress.exe
2940	BitLockerWizard.exe
3692	SystemPropertiesRemote.exe

pid	process
1692	iexpress.exe
2940	BitLockerWizard.exe
3692	SystemPropertiesRemote.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Erihzxqqayujs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\wPSGq\\BITLOC~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeiexpress.exeBitLockerWizard.exeSystemPropertiesRemote.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420
420

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

420

pid	process
420

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

description	pid	target process
PID 420 wrote to memory of 3204	420	Narrator.exe
PID 420 wrote to memory of 3204	420	Narrator.exe
PID 420 wrote to memory of 4772	420	iexpress.exe
PID 420 wrote to memory of 4772	420	iexpress.exe
PID 420 wrote to memory of 1692	420	iexpress.exe
PID 420 wrote to memory of 1692	420	iexpress.exe
PID 420 wrote to memory of 1336	420	BitLockerWizard.exe
PID 420 wrote to memory of 1336	420	BitLockerWizard.exe
PID 420 wrote to memory of 2940	420	BitLockerWizard.exe
PID 420 wrote to memory of 2940	420	BitLockerWizard.exe
PID 420 wrote to memory of 3612	420	SystemPropertiesRemote.exe
PID 420 wrote to memory of 3612	420	SystemPropertiesRemote.exe
PID 420 wrote to memory of 3692	420	SystemPropertiesRemote.exe
PID 420 wrote to memory of 3692	420	SystemPropertiesRemote.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\30316f6ec4932f0788a2ecc6a93e5f7313121241d94caf544f314f1a2615fa46.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2460

C:\Windows\system32\Narrator.exe
C:\Windows\system32\Narrator.exe
1⤵
PID:3204

C:\Users\Admin\AppData\Local\CbrK6Sxi\Narrator.exe
C:\Users\Admin\AppData\Local\CbrK6Sxi\Narrator.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:4772

C:\Users\Admin\AppData\Local\Dnwh\iexpress.exe
C:\Users\Admin\AppData\Local\Dnwh\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1692

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:1336

C:\Users\Admin\AppData\Local\XGS7\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\XGS7\BitLockerWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2940

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:3612

C:\Users\Admin\AppData\Local\4LI\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\4LI\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4LI\SYSDM.CPL
Filesize
970KB

MD5
7065aa1a66ff2278d617c137feac8b8f

SHA1
000f7b2edc61a5b8f50d06d751b007e401965471

SHA256
630badd6f8331c4265ac5de03c38da01708f0d32bdca80d50632e47fb98250b5

SHA512
c3d65e90ef527f2cc8ebe2c7861e78ab2d202fda7c7dd11f96b8667eb7b8228800cd374544d28ba30c9c0a2e24a72456eea6e97a86d52414cfa305a7cca20d0d

Download Submit
C:\Users\Admin\AppData\Local\4LI\SYSDM.CPL
Filesize
970KB

MD5
7065aa1a66ff2278d617c137feac8b8f

SHA1
000f7b2edc61a5b8f50d06d751b007e401965471

SHA256
630badd6f8331c4265ac5de03c38da01708f0d32bdca80d50632e47fb98250b5

SHA512
c3d65e90ef527f2cc8ebe2c7861e78ab2d202fda7c7dd11f96b8667eb7b8228800cd374544d28ba30c9c0a2e24a72456eea6e97a86d52414cfa305a7cca20d0d

Download Submit
C:\Users\Admin\AppData\Local\4LI\SystemPropertiesRemote.exe
Filesize
82KB

MD5
cdce1ee7f316f249a3c20cc7a0197da9

SHA1
dadb23af07827758005ec0235ac1573ffcea0da6

SHA256
7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932

SHA512
f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

Download Submit
C:\Users\Admin\AppData\Local\CbrK6Sxi\Narrator.exe
Filesize
521KB

MD5
d92defaa4d346278480d2780325d8d18

SHA1
6494d55b2e5064ffe8add579edfcd13c3e69fffe

SHA256
69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83

SHA512
b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

Download Submit
C:\Users\Admin\AppData\Local\Dnwh\VERSION.dll
Filesize
970KB

MD5
3bf188aba153ea7eb9b62706d6289908

SHA1
d14f380ddfeed419a69ed30cce00346f9bb5d3d4

SHA256
e6ef16d93809caac858c07ded395c7110899bb062caf52c4f8347d9cba6b262b

SHA512
9cba59c184783550daa1a778fe9ec802c56dab8dfb42470d5345155108cca4de44da39c2154b568c504c4a26c51fc5c782aec18642a5f495053f18aaac191067

Download Submit
C:\Users\Admin\AppData\Local\Dnwh\VERSION.dll
Filesize
970KB

MD5
3bf188aba153ea7eb9b62706d6289908

SHA1
d14f380ddfeed419a69ed30cce00346f9bb5d3d4

SHA256
e6ef16d93809caac858c07ded395c7110899bb062caf52c4f8347d9cba6b262b

SHA512
9cba59c184783550daa1a778fe9ec802c56dab8dfb42470d5345155108cca4de44da39c2154b568c504c4a26c51fc5c782aec18642a5f495053f18aaac191067

Download Submit
C:\Users\Admin\AppData\Local\Dnwh\iexpress.exe
Filesize
166KB

MD5
17b93a43e25d821d01af40ba6babcc8c

SHA1
97c978d78056d995f751dfef1388d7cce4cc404a

SHA256
d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3

SHA512
6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

Download Submit
C:\Users\Admin\AppData\Local\XGS7\BitLockerWizard.exe
Filesize
100KB

MD5
6d30c96f29f64b34bc98e4c81d9b0ee8

SHA1
4a3adc355f02b9c69bdbe391bfb01469dee15cf0

SHA256
7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

SHA512
25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

Download Submit
C:\Users\Admin\AppData\Local\XGS7\FVEWIZ.dll
Filesize
972KB

MD5
157d716be57b08c3ee84e595bf882d1b

SHA1
187c3c61ba6e9a19b95100271370dbfd5a486cbf

SHA256
234c2cc35cb01eed375c6599c754bbbbbb02d0d2cd54c1e5eab0e25c028d41cd

SHA512
7a67cf33aae079a5dd6dcff32f7ef6e4ad81f8dc3805865819d87c7fae0870ee114f36b93714880c0105adc6d560fb2f6fc2c87917a4567020e87afe51d89429

Download Submit
C:\Users\Admin\AppData\Local\XGS7\FVEWIZ.dll
Filesize
972KB

MD5
157d716be57b08c3ee84e595bf882d1b

SHA1
187c3c61ba6e9a19b95100271370dbfd5a486cbf

SHA256
234c2cc35cb01eed375c6599c754bbbbbb02d0d2cd54c1e5eab0e25c028d41cd

SHA512
7a67cf33aae079a5dd6dcff32f7ef6e4ad81f8dc3805865819d87c7fae0870ee114f36b93714880c0105adc6d560fb2f6fc2c87917a4567020e87afe51d89429

Download Submit
memory/420-142-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/420-139-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/420-145-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/420-154-0x0000000000E90000-0x0000000000E97000-memory.dmp

Filesize
28KB

Download
memory/420-155-0x00007FFCE16F0000-0x00007FFCE1700000-memory.dmp

Filesize
64KB

Download
memory/420-143-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/420-136-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/420-140-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/420-135-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/420-141-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/420-137-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/420-144-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/420-138-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1692-165-0x00000270C1A10000-0x00000270C1A17000-memory.dmp

Filesize
28KB

Download
memory/1692-161-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/1692-157-0x0000000000000000-mapping.dmp

Download
memory/2460-130-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/2460-134-0x000002D089A50000-0x000002D089A57000-memory.dmp

Filesize
28KB

Download
memory/2940-166-0x0000000000000000-mapping.dmp

Download
memory/2940-174-0x0000026B4A7E0000-0x0000026B4A7E7000-memory.dmp

Filesize
28KB

Download
memory/3692-175-0x0000000000000000-mapping.dmp

Download
memory/3692-183-0x0000018D26400000-0x0000018D26407000-memory.dmp

Filesize
28KB

Download