77c5f3b7ddc1dbc9df1e341d849a6314a92b37f4ca2fdfb5e04772d1d6792ed1

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 03:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

77c5f3b7ddc1dbc9df1e341d849a6314a92b37f4ca2fdfb5e04772d1d6792ed1.dll
Size

268KB
MD5

420fbd7ded2ec28ad4130631c272f720
SHA1

be67e2aaaa1cdb74210384619c36662025923b45
SHA256

77c5f3b7ddc1dbc9df1e341d849a6314a92b37f4ca2fdfb5e04772d1d6792ed1
SHA512

0794ebe0fe5a5287afcb0af2edc1432e4639f626f7168a8b4fc12f6f76b0544d8bab0fe8eff901bb4207525603fe57b5352b46b984e8cc661c89792817f22bca
SSDEEP

6144:UW7QnuDi+G+mEAOttoeCjOCjl86rH916tD:UrnuDZmENoDPj6qd1

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\dfikiiwd\\llawsigt.exe"	svchost.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
844	35j8xBw
1576	dqxrxkiamkmktydv.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llawsigt.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llawsigt.exe	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
1228	rundll32.exe
1228	rundll32.exe
844	35j8xBw
844	35j8xBw
844	35j8xBw
844	35j8xBw

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\LlaWsigt = "C:\\Users\\Admin\\AppData\\Local\\dfikiiwd\\llawsigt.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1464	1228	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe
572	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	844	35j8xBw
Token: SeDebugPrivilege	844	35j8xBw
Token: SeSecurityPrivilege	268	svchost.exe
Token: SeSecurityPrivilege	572	svchost.exe
Token: SeDebugPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeSecurityPrivilege	1576	dqxrxkiamkmktydv.exe
Token: SeLoadDriverPrivilege	1576	dqxrxkiamkmktydv.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe
Token: SeBackupPrivilege	572	svchost.exe
Token: SeRestorePrivilege	572	svchost.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1228	1340	rundll32.exe	27
PID 1340 wrote to memory of 1228	1340	rundll32.exe	27
PID 1340 wrote to memory of 1228	1340	rundll32.exe	27
PID 1340 wrote to memory of 1228	1340	rundll32.exe	27
PID 1340 wrote to memory of 1228	1340	rundll32.exe	27
PID 1340 wrote to memory of 1228	1340	rundll32.exe	27
PID 1340 wrote to memory of 1228	1340	rundll32.exe	27
PID 1228 wrote to memory of 844	1228	rundll32.exe	28
PID 1228 wrote to memory of 844	1228	rundll32.exe	28
PID 1228 wrote to memory of 844	1228	rundll32.exe	28
PID 1228 wrote to memory of 844	1228	rundll32.exe	28
PID 844 wrote to memory of 268	844	35j8xBw	30
PID 844 wrote to memory of 268	844	35j8xBw	30
PID 844 wrote to memory of 268	844	35j8xBw	30
PID 844 wrote to memory of 268	844	35j8xBw	30
PID 844 wrote to memory of 268	844	35j8xBw	30
PID 844 wrote to memory of 268	844	35j8xBw	30
PID 844 wrote to memory of 268	844	35j8xBw	30
PID 844 wrote to memory of 268	844	35j8xBw	30
PID 844 wrote to memory of 268	844	35j8xBw	30
PID 844 wrote to memory of 268	844	35j8xBw	30
PID 1228 wrote to memory of 1464	1228	rundll32.exe	29
PID 1228 wrote to memory of 1464	1228	rundll32.exe	29
PID 1228 wrote to memory of 1464	1228	rundll32.exe	29
PID 1228 wrote to memory of 1464	1228	rundll32.exe	29
PID 844 wrote to memory of 572	844	35j8xBw	31
PID 844 wrote to memory of 572	844	35j8xBw	31
PID 844 wrote to memory of 572	844	35j8xBw	31
PID 844 wrote to memory of 572	844	35j8xBw	31
PID 844 wrote to memory of 572	844	35j8xBw	31
PID 844 wrote to memory of 572	844	35j8xBw	31
PID 844 wrote to memory of 572	844	35j8xBw	31
PID 844 wrote to memory of 572	844	35j8xBw	31
PID 844 wrote to memory of 572	844	35j8xBw	31
PID 844 wrote to memory of 572	844	35j8xBw	31
PID 844 wrote to memory of 1576	844	35j8xBw	32
PID 844 wrote to memory of 1576	844	35j8xBw	32
PID 844 wrote to memory of 1576	844	35j8xBw	32
PID 844 wrote to memory of 1576	844	35j8xBw	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\77c5f3b7ddc1dbc9df1e341d849a6314a92b37f4ca2fdfb5e04772d1d6792ed1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\77c5f3b7ddc1dbc9df1e341d849a6314a92b37f4ca2fdfb5e04772d1d6792ed1.dll,#1
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Users\Admin\AppData\Local\Temp\35j8xBw
    "35j8xBw"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:844
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:268
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Checks BIOS information in registry
      Drops startup file
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:572
  - - C:\Users\Admin\AppData\Local\Temp\dqxrxkiamkmktydv.exe
      "C:\Users\Admin\AppData\Local\Temp\dqxrxkiamkmktydv.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 236
    3⤵
    - Program crash
    PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\35j8xBw

Filesize
95KB

MD5
7fc51f7f09344a3dbeb28e14c35ce39d

SHA1
c8a9082351f5edcd3012d5379caa33e0804e954f

SHA256
91eceecf4fdcaff36652a1a3a5d25ee37fff70796e71438c60446a2ea72c0a78

SHA512
b40a5743a212038161065af0dbfd0aa7b386b9bd8ae080e621459465e6f6dd888cb9ee35b4f152e5f6931446ad3f1696f6b98b9494903d02ab86493939cae508

Download Submit
C:\Users\Admin\AppData\Local\Temp\35j8xBw

Filesize
95KB

MD5
7fc51f7f09344a3dbeb28e14c35ce39d

SHA1
c8a9082351f5edcd3012d5379caa33e0804e954f

SHA256
91eceecf4fdcaff36652a1a3a5d25ee37fff70796e71438c60446a2ea72c0a78

SHA512
b40a5743a212038161065af0dbfd0aa7b386b9bd8ae080e621459465e6f6dd888cb9ee35b4f152e5f6931446ad3f1696f6b98b9494903d02ab86493939cae508

Download Submit
C:\Users\Admin\AppData\Local\Temp\dqxrxkiamkmktydv.exe

Filesize
95KB

MD5
7fc51f7f09344a3dbeb28e14c35ce39d

SHA1
c8a9082351f5edcd3012d5379caa33e0804e954f

SHA256
91eceecf4fdcaff36652a1a3a5d25ee37fff70796e71438c60446a2ea72c0a78

SHA512
b40a5743a212038161065af0dbfd0aa7b386b9bd8ae080e621459465e6f6dd888cb9ee35b4f152e5f6931446ad3f1696f6b98b9494903d02ab86493939cae508

Download Submit
C:\Users\Admin\AppData\Local\Temp\dqxrxkiamkmktydv.exe

Filesize
95KB

MD5
7fc51f7f09344a3dbeb28e14c35ce39d

SHA1
c8a9082351f5edcd3012d5379caa33e0804e954f

SHA256
91eceecf4fdcaff36652a1a3a5d25ee37fff70796e71438c60446a2ea72c0a78

SHA512
b40a5743a212038161065af0dbfd0aa7b386b9bd8ae080e621459465e6f6dd888cb9ee35b4f152e5f6931446ad3f1696f6b98b9494903d02ab86493939cae508

Download Submit
\Users\Admin\AppData\Local\Temp\35j8xBw

Filesize
95KB

MD5
7fc51f7f09344a3dbeb28e14c35ce39d

SHA1
c8a9082351f5edcd3012d5379caa33e0804e954f

SHA256
91eceecf4fdcaff36652a1a3a5d25ee37fff70796e71438c60446a2ea72c0a78

SHA512
b40a5743a212038161065af0dbfd0aa7b386b9bd8ae080e621459465e6f6dd888cb9ee35b4f152e5f6931446ad3f1696f6b98b9494903d02ab86493939cae508

Download Submit
\Users\Admin\AppData\Local\Temp\35j8xBw

Filesize
95KB

MD5
7fc51f7f09344a3dbeb28e14c35ce39d

SHA1
c8a9082351f5edcd3012d5379caa33e0804e954f

SHA256
91eceecf4fdcaff36652a1a3a5d25ee37fff70796e71438c60446a2ea72c0a78

SHA512
b40a5743a212038161065af0dbfd0aa7b386b9bd8ae080e621459465e6f6dd888cb9ee35b4f152e5f6931446ad3f1696f6b98b9494903d02ab86493939cae508

Download Submit
\Users\Admin\AppData\Local\Temp\dqxrxkiamkmktydv.exe

Filesize
95KB

MD5
7fc51f7f09344a3dbeb28e14c35ce39d

SHA1
c8a9082351f5edcd3012d5379caa33e0804e954f

SHA256
91eceecf4fdcaff36652a1a3a5d25ee37fff70796e71438c60446a2ea72c0a78

SHA512
b40a5743a212038161065af0dbfd0aa7b386b9bd8ae080e621459465e6f6dd888cb9ee35b4f152e5f6931446ad3f1696f6b98b9494903d02ab86493939cae508

Download Submit
\Users\Admin\AppData\Local\Temp\dqxrxkiamkmktydv.exe

Filesize
95KB

MD5
7fc51f7f09344a3dbeb28e14c35ce39d

SHA1
c8a9082351f5edcd3012d5379caa33e0804e954f

SHA256
91eceecf4fdcaff36652a1a3a5d25ee37fff70796e71438c60446a2ea72c0a78

SHA512
b40a5743a212038161065af0dbfd0aa7b386b9bd8ae080e621459465e6f6dd888cb9ee35b4f152e5f6931446ad3f1696f6b98b9494903d02ab86493939cae508

Download Submit
\Users\Admin\AppData\Local\Temp\dqxrxkiamkmktydv.exe

Filesize
95KB

MD5
7fc51f7f09344a3dbeb28e14c35ce39d

SHA1
c8a9082351f5edcd3012d5379caa33e0804e954f

SHA256
91eceecf4fdcaff36652a1a3a5d25ee37fff70796e71438c60446a2ea72c0a78

SHA512
b40a5743a212038161065af0dbfd0aa7b386b9bd8ae080e621459465e6f6dd888cb9ee35b4f152e5f6931446ad3f1696f6b98b9494903d02ab86493939cae508

Download Submit
\Users\Admin\AppData\Local\Temp\dqxrxkiamkmktydv.exe

Filesize
95KB

MD5
7fc51f7f09344a3dbeb28e14c35ce39d

SHA1
c8a9082351f5edcd3012d5379caa33e0804e954f

SHA256
91eceecf4fdcaff36652a1a3a5d25ee37fff70796e71438c60446a2ea72c0a78

SHA512
b40a5743a212038161065af0dbfd0aa7b386b9bd8ae080e621459465e6f6dd888cb9ee35b4f152e5f6931446ad3f1696f6b98b9494903d02ab86493939cae508

Download Submit
memory/268-63-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/268-67-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/572-77-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/572-73-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/844-83-0x0000000000400000-0x000000000043A04C-memory.dmp

Filesize
232KB

Download
memory/1228-81-0x0000000010000000-0x0000000010045000-memory.dmp

Filesize
276KB

Download
memory/1228-82-0x00000000006F0000-0x000000000072B000-memory.dmp

Filesize
236KB

Download
memory/1228-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1576-92-0x0000000000400000-0x000000000043A04C-memory.dmp

Filesize
232KB

Download
memory/1576-93-0x0000000000400000-0x000000000043A04C-memory.dmp

Filesize
232KB

Download