0eab1c5406f415f75ab39dbf3651cee9d41a0e0b6d5bdb51042412b57f0aea05

General

Target

56aa277081075438c3dbbef841299172.exe
Size

183KB
MD5

56aa277081075438c3dbbef841299172
SHA1

e5870965f41cb82f454043845641ae92b6c6b939
SHA256

0eab1c5406f415f75ab39dbf3651cee9d41a0e0b6d5bdb51042412b57f0aea05
SHA512

6f128a1a9d8b1bb96bc7fa92fad1170395b1ce9603168fb1925bbeb1a5d910f0f8b5999eabdcd4b1dacae376d4ff479d878920984ba68d951a46ac7056b7ad69
SSDEEP

3072:bGVWrMNKUhjhoo7MQW/ieN6RzNLWV+1hpNaL+90tLsVXzJQYMUCb:bGArMNKUhjWl/ieNULu8h39SLSuYMUCb

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

liloo.exe

pid process

1096 liloo.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1116 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

56aa277081075438c3dbbef841299172.exe

pid process

1080 56aa277081075438c3dbbef841299172.exe
1080 56aa277081075438c3dbbef841299172.exe

pid	process
1116	cmd.exe

pid	process
1080	56aa277081075438c3dbbef841299172.exe
1080	56aa277081075438c3dbbef841299172.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

liloo.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	liloo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{9E6E3C61-98A5-34F3-D57A-72CD6C3CECE6} = "C:\\Users\\Admin\\AppData\\Roaming\\Nitaz\\liloo.exe"	liloo.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

56aa277081075438c3dbbef841299172.exe

description	pid	process	target process
PID 1080 set thread context of 1096	1080	56aa277081075438c3dbbef841299172.exe	liloo.exe
PID 1080 set thread context of 1116	1080	56aa277081075438c3dbbef841299172.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

56aa277081075438c3dbbef841299172.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	56aa277081075438c3dbbef841299172.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	56aa277081075438c3dbbef841299172.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

liloo.exe

pid	process
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe
1096	liloo.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

56aa277081075438c3dbbef841299172.exeliloo.exe

description	pid	process
Token: SeSecurityPrivilege	1080	56aa277081075438c3dbbef841299172.exe
Token: SeSecurityPrivilege	1096	liloo.exe
Token: SeSecurityPrivilege	1096	liloo.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

56aa277081075438c3dbbef841299172.exeliloo.exe

description	pid	process	target process
PID 1080 wrote to memory of 1096	1080	56aa277081075438c3dbbef841299172.exe	liloo.exe
PID 1080 wrote to memory of 1096	1080	56aa277081075438c3dbbef841299172.exe	liloo.exe
PID 1080 wrote to memory of 1096	1080	56aa277081075438c3dbbef841299172.exe	liloo.exe
PID 1080 wrote to memory of 1096	1080	56aa277081075438c3dbbef841299172.exe	liloo.exe
PID 1080 wrote to memory of 1096	1080	56aa277081075438c3dbbef841299172.exe	liloo.exe
PID 1080 wrote to memory of 1096	1080	56aa277081075438c3dbbef841299172.exe	liloo.exe
PID 1080 wrote to memory of 1096	1080	56aa277081075438c3dbbef841299172.exe	liloo.exe
PID 1080 wrote to memory of 1096	1080	56aa277081075438c3dbbef841299172.exe	liloo.exe
PID 1080 wrote to memory of 1096	1080	56aa277081075438c3dbbef841299172.exe	liloo.exe
PID 1096 wrote to memory of 1128	1096	liloo.exe	taskhost.exe
PID 1096 wrote to memory of 1128	1096	liloo.exe	taskhost.exe
PID 1096 wrote to memory of 1128	1096	liloo.exe	taskhost.exe
PID 1096 wrote to memory of 1128	1096	liloo.exe	taskhost.exe
PID 1096 wrote to memory of 1128	1096	liloo.exe	taskhost.exe
PID 1096 wrote to memory of 1224	1096	liloo.exe	Dwm.exe
PID 1096 wrote to memory of 1224	1096	liloo.exe	Dwm.exe
PID 1096 wrote to memory of 1224	1096	liloo.exe	Dwm.exe
PID 1096 wrote to memory of 1224	1096	liloo.exe	Dwm.exe
PID 1096 wrote to memory of 1224	1096	liloo.exe	Dwm.exe
PID 1096 wrote to memory of 1256	1096	liloo.exe	Explorer.EXE
PID 1096 wrote to memory of 1256	1096	liloo.exe	Explorer.EXE
PID 1096 wrote to memory of 1256	1096	liloo.exe	Explorer.EXE
PID 1096 wrote to memory of 1256	1096	liloo.exe	Explorer.EXE
PID 1096 wrote to memory of 1256	1096	liloo.exe	Explorer.EXE
PID 1096 wrote to memory of 1080	1096	liloo.exe	56aa277081075438c3dbbef841299172.exe
PID 1096 wrote to memory of 1080	1096	liloo.exe	56aa277081075438c3dbbef841299172.exe
PID 1096 wrote to memory of 1080	1096	liloo.exe	56aa277081075438c3dbbef841299172.exe
PID 1096 wrote to memory of 1080	1096	liloo.exe	56aa277081075438c3dbbef841299172.exe
PID 1096 wrote to memory of 1080	1096	liloo.exe	56aa277081075438c3dbbef841299172.exe
PID 1080 wrote to memory of 1116	1080	56aa277081075438c3dbbef841299172.exe	cmd.exe
PID 1080 wrote to memory of 1116	1080	56aa277081075438c3dbbef841299172.exe	cmd.exe
PID 1080 wrote to memory of 1116	1080	56aa277081075438c3dbbef841299172.exe	cmd.exe
PID 1080 wrote to memory of 1116	1080	56aa277081075438c3dbbef841299172.exe	cmd.exe
PID 1080 wrote to memory of 1116	1080	56aa277081075438c3dbbef841299172.exe	cmd.exe
PID 1080 wrote to memory of 1116	1080	56aa277081075438c3dbbef841299172.exe	cmd.exe
PID 1080 wrote to memory of 1116	1080	56aa277081075438c3dbbef841299172.exe	cmd.exe
PID 1080 wrote to memory of 1116	1080	56aa277081075438c3dbbef841299172.exe	cmd.exe
PID 1080 wrote to memory of 1116	1080	56aa277081075438c3dbbef841299172.exe	cmd.exe
PID 1096 wrote to memory of 1940	1096	liloo.exe	DllHost.exe
PID 1096 wrote to memory of 1940	1096	liloo.exe	DllHost.exe
PID 1096 wrote to memory of 1940	1096	liloo.exe	DllHost.exe
PID 1096 wrote to memory of 1940	1096	liloo.exe	DllHost.exe
PID 1096 wrote to memory of 1940	1096	liloo.exe	DllHost.exe
PID 1096 wrote to memory of 1400	1096	liloo.exe	DllHost.exe
PID 1096 wrote to memory of 1400	1096	liloo.exe	DllHost.exe
PID 1096 wrote to memory of 1400	1096	liloo.exe	DllHost.exe
PID 1096 wrote to memory of 1400	1096	liloo.exe	DllHost.exe
PID 1096 wrote to memory of 1400	1096	liloo.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\56aa277081075438c3dbbef841299172.exe
"C:\Users\Admin\AppData\Local\Temp\56aa277081075438c3dbbef841299172.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Roaming\Nitaz\liloo.exe
"C:\Users\Admin\AppData\Roaming\Nitaz\liloo.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9ac29b41.bat"
3⤵
- Deletes itself
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1224

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1940

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9ac29b41.bat
Filesize
243B

MD5
b966e8046ea0fc598df2adcc97b3805b

SHA1
480fff61477e4c7fadb2f78cd90b0e50176b5c75

SHA256
b45325c58d4cd7f2fcef0cec10ebd85704ac7dc2e40e0e136efca51a5962173f

SHA512
fe82151f45cf99962c0a5adc8ed8334937444cb292c79ac80fdee84e258ff7c8483bd19254616604e8579fa20f769e2e7315a252c141bc90927c0365fe02bf68

Download Submit
C:\Users\Admin\AppData\Roaming\Nitaz\liloo.exe
Filesize
183KB

MD5
56aa277081075438c3dbbef841299172

SHA1
e5870965f41cb82f454043845641ae92b6c6b939

SHA256
0eab1c5406f415f75ab39dbf3651cee9d41a0e0b6d5bdb51042412b57f0aea05

SHA512
6f128a1a9d8b1bb96bc7fa92fad1170395b1ce9603168fb1925bbeb1a5d910f0f8b5999eabdcd4b1dacae376d4ff479d878920984ba68d951a46ac7056b7ad69

Download Submit
C:\Users\Admin\AppData\Roaming\Nitaz\o.d
Filesize
1024B

MD5
e79c44150814ca6baf7f970fa722ba56

SHA1
804b97f3482e55c177ecc9b5e92c972ccb9f64bc

SHA256
94a4387d5a7c52dfd279b3b911730023290184c2c13071ece5e841c99d06493b

SHA512
4a4dd816ff9d56e3ba91bc74b1cea7c1118a77615077eaae7ea8c64c535e7120ccc61e23ea64534044d50e6f9911cfb8c4a510a0a1bd54896fa6a348de7a13be

Download Submit
C:\Users\Admin\AppData\Roaming\oemfpc.dat
Filesize
16B

MD5
139259fdaf33287ab2cb752f6d68a6df

SHA1
04e7e6cf55310e09e8569494917aade24c5c968d

SHA256
24708c78fd189b746df77c06039c0d0789f08647eed711129759b2ec54248e89

SHA512
12d1da26965e02c94d27eb3ccd921a66d791ae8818973d60b1904234db0764b4519c689b94f644ceeb0b70f915ca881b4193a769d13a4ec7c426755cf9f575d6

Download Submit
\Users\Admin\AppData\Roaming\Nitaz\liloo.exe
Filesize
183KB

MD5
56aa277081075438c3dbbef841299172

SHA1
e5870965f41cb82f454043845641ae92b6c6b939

SHA256
0eab1c5406f415f75ab39dbf3651cee9d41a0e0b6d5bdb51042412b57f0aea05

SHA512
6f128a1a9d8b1bb96bc7fa92fad1170395b1ce9603168fb1925bbeb1a5d910f0f8b5999eabdcd4b1dacae376d4ff479d878920984ba68d951a46ac7056b7ad69

Download Submit
\Users\Admin\AppData\Roaming\Nitaz\liloo.exe
Filesize
183KB

MD5
56aa277081075438c3dbbef841299172

SHA1
e5870965f41cb82f454043845641ae92b6c6b939

SHA256
0eab1c5406f415f75ab39dbf3651cee9d41a0e0b6d5bdb51042412b57f0aea05

SHA512
6f128a1a9d8b1bb96bc7fa92fad1170395b1ce9603168fb1925bbeb1a5d910f0f8b5999eabdcd4b1dacae376d4ff479d878920984ba68d951a46ac7056b7ad69

Download Submit
memory/1080-90-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/1080-91-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/1080-92-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/1080-54-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1080-89-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/1080-101-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/1096-60-0x0000000000050000-0x0000000000083000-memory.dmp

Filesize
204KB

Download
memory/1096-105-0x0000000000050000-0x0000000000083000-memory.dmp

Filesize
204KB

Download
memory/1096-64-0x0000000000051474-mapping.dmp

Download
memory/1096-61-0x0000000000050000-0x0000000000083000-memory.dmp

Filesize
204KB

Download
memory/1096-59-0x0000000000050000-0x0000000000083000-memory.dmp

Filesize
204KB

Download
memory/1096-58-0x0000000000050000-0x0000000000083000-memory.dmp

Filesize
204KB

Download
memory/1096-57-0x0000000000050000-0x0000000000083000-memory.dmp

Filesize
204KB

Download
memory/1096-55-0x0000000000050000-0x0000000000083000-memory.dmp

Filesize
204KB

Download
memory/1116-99-0x0000000000050000-0x0000000000083000-memory.dmp

Filesize
204KB

Download
memory/1116-97-0x0000000000050000-0x0000000000083000-memory.dmp

Filesize
204KB

Download
memory/1116-104-0x0000000000050000-0x0000000000083000-memory.dmp

Filesize
204KB

Download
memory/1116-100-0x0000000000051474-mapping.dmp

Download
memory/1116-98-0x0000000000050000-0x0000000000083000-memory.dmp

Filesize
204KB

Download
memory/1116-95-0x0000000000050000-0x0000000000083000-memory.dmp

Filesize
204KB

Download
memory/1116-96-0x0000000000050000-0x0000000000083000-memory.dmp

Filesize
204KB

Download
memory/1128-71-0x0000000001E90000-0x0000000001EC3000-memory.dmp

Filesize
204KB

Download
memory/1128-72-0x0000000001E90000-0x0000000001EC3000-memory.dmp

Filesize
204KB

Download
memory/1128-73-0x0000000001E90000-0x0000000001EC3000-memory.dmp

Filesize
204KB

Download
memory/1128-74-0x0000000001E90000-0x0000000001EC3000-memory.dmp

Filesize
204KB

Download
memory/1224-78-0x00000000001A0000-0x00000000001D3000-memory.dmp

Filesize
204KB

Download
memory/1224-80-0x00000000001A0000-0x00000000001D3000-memory.dmp

Filesize
204KB

Download
memory/1224-77-0x00000000001A0000-0x00000000001D3000-memory.dmp

Filesize
204KB

Download
memory/1224-79-0x00000000001A0000-0x00000000001D3000-memory.dmp

Filesize
204KB

Download
memory/1256-84-0x00000000029F0000-0x0000000002A23000-memory.dmp

Filesize
204KB

Download
memory/1256-86-0x00000000029F0000-0x0000000002A23000-memory.dmp

Filesize
204KB

Download
memory/1256-85-0x00000000029F0000-0x0000000002A23000-memory.dmp

Filesize
204KB

Download
memory/1256-83-0x00000000029F0000-0x0000000002A23000-memory.dmp

Filesize
204KB

Download
memory/1400-114-0x0000000003A50000-0x0000000003A83000-memory.dmp

Filesize
204KB

Download
memory/1400-115-0x0000000003A50000-0x0000000003A83000-memory.dmp

Filesize
204KB

Download
memory/1400-116-0x0000000003A50000-0x0000000003A83000-memory.dmp

Filesize
204KB

Download
memory/1400-117-0x0000000003A50000-0x0000000003A83000-memory.dmp

Filesize
204KB

Download
memory/1940-108-0x0000000000110000-0x0000000000143000-memory.dmp

Filesize
204KB

Download
memory/1940-109-0x0000000000110000-0x0000000000143000-memory.dmp

Filesize
204KB

Download
memory/1940-110-0x0000000000110000-0x0000000000143000-memory.dmp

Filesize
204KB

Download
memory/1940-111-0x0000000000110000-0x0000000000143000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads