d01ae3928648a1d4f3d16d2bd86d545b121cec119938cffb04a2e543d98283b6

Analysis

max time kernel
99s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 00:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d01ae3928648a1d4f3d16d2bd86d545b121cec119938cffb04a2e543d98283b6.exe
Size

734KB
MD5

5b0980fe58acb76e1b89feaa051fea60
SHA1

55e1a8ce8c2742f4ecb69f6e9ca215102b2c72a2
SHA256

d01ae3928648a1d4f3d16d2bd86d545b121cec119938cffb04a2e543d98283b6
SHA512

d0a122cb96fa2f5fd875b5b753fa76205ae2f44142950616b144e9da150ee770462e7762e78a3b7a6c70565d3042599f8ee30271d835a426d4c9d6075e150e8c
SSDEEP

12288:QhC71id9ZwcjRjvWgcDQshlJNO13t1nEmm4SnFoE9/BK5b7IBkU+A4:QhCEZ5jJvWgc1EcJ9gpIE

Score

8^/10

discovery evasion trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1628	preloader.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	preloader.exe

Maps connected drives based on registry 3 TTPs 5 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	preloader.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	preloader.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	preloader.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance	preloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	preloader.exe

Modifies registry class 34 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3e752e1e\\preloader.exe"	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject"	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject"	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3e752e1e\\preloader.exe"	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS\ = "0"	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib\ = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\ = "JSIELib"	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0"	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\ = "TinyJSObject Class"	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3e752e1e\\preloader.exe"	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3e752e1e"	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0"	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version\ = "1.0"	preloader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	preloader.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1628	preloader.exe
1628	preloader.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 1628	4880	d01ae3928648a1d4f3d16d2bd86d545b121cec119938cffb04a2e543d98283b6.exe	81
PID 4880 wrote to memory of 1628	4880	d01ae3928648a1d4f3d16d2bd86d545b121cec119938cffb04a2e543d98283b6.exe	81
PID 4880 wrote to memory of 1628	4880	d01ae3928648a1d4f3d16d2bd86d545b121cec119938cffb04a2e543d98283b6.exe	81

C:\Users\Admin\AppData\Local\Temp\d01ae3928648a1d4f3d16d2bd86d545b121cec119938cffb04a2e543d98283b6.exe
"C:\Users\Admin\AppData\Local\Temp\d01ae3928648a1d4f3d16d2bd86d545b121cec119938cffb04a2e543d98283b6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Users\Admin\AppData\Local\Temp\3e752e1e\preloader.exe
  "C:\Users\Admin\AppData\Local\Temp/3e752e1e/preloader.exe" ProfileFileName=step0.ini
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3e752e1e\installer\boot.dat

Filesize
1KB

MD5
6db0fd7f293dd6ed225f6bff92aecbdd

SHA1
b3467986e47d40c4c64ab6a985ff733930efcafa

SHA256
8900730951ed90b21d1643dd685e0a75c4ac72196c7eb4094e5bb5d48ebd351a

SHA512
2a87b596c8da681177e3ae4ac62667b398d1c4857e2bbf970c35f519883191b856c5fd4ac95e761cb0c3c1a5885d6cc7eb5385c6643ef0c65f853c00c19283b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e752e1e\installer\installer-config.dat

Filesize
4KB

MD5
a452b6172db2abff033fdcf07348db7e

SHA1
c6dc34da668691f92435d587d05d29ae80318e57

SHA256
90a37ac4d4679a4d33d4a68bd438c40c3daba0930be6d741555a96430a042a45

SHA512
b1d581c679ad402de53510673bec889854d4f1a7960b2fafcb9b16c063a5efd9158784495887136c756539e712f21cb05c1e5c471e9089eca90698555cef1cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e752e1e\installer\installer.dat

Filesize
33KB

MD5
3f90d1ae2cd6585e05f2e88b083ed7fe

SHA1
315f4a145f3258217f5366cf9e63bea1e59af9ea

SHA256
313aee635db631714c93dc12d77420d5b7aa9fb0de1e34c1c283528399f5f219

SHA512
41c8048e32cab2a49c94cd416c7bb72f605edb67bd03b49415d0fdd3e88578df3111a3a068638da5ca8c808b209c94d49f8e6e9fa81c4c6d0d0bd7927fd0a686

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e752e1e\installer\new-screen.dat

Filesize
2KB

MD5
e7bd86cc534ea38eb2a028443ca03fdf

SHA1
eb344f4892e295621cfa05b3251daf57a16e725e

SHA256
f07b65edea8a35f0ae5b909e04a29bcde0ab7f996381b3773645f70375e772df

SHA512
0b1a99e911ac6b3b47fbeb2943924f4a072080be8ddfb148552c5d9b7dc30e4894c30e02b6975c345785972e849b0512d59c36760cbf5e9caa587e5878ec327f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e752e1e\installer\step0.ini

Filesize
15KB

MD5
5552e09567c3660bea951b6d623565f0

SHA1
ce98c340252db05564b06fc05c0f667acf10a2ca

SHA256
1e6edc05da14cf37128e1c5aaba5c9cd326055dfddaf598650f0d454a3dab1e2

SHA512
0d4148df719080cd0d03501757ffbb4accc9183db93ded19c851f0a8571718303c287f2ccb26ba9dbb3b3f4cc57f50d2f3cdabeeb4ae49977c0dbb5b8f9feebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e752e1e\installer\step0.ini

Filesize
26KB

MD5
351578558f9222c19f826aab562238d5

SHA1
a0fff3854c8af8458b80e89a7c2633aaa5d35a46

SHA256
419deb9db42031d57adf272bf662d28fa38a3dfd165673259745b7ec38e6699e

SHA512
53a07965ab7a463f91b898d7355026f7fe30f4e85a7967fc12bc954dd9ed8895199a9fa3f5fb11c8fd9a71402f212b49c7af70f3c1e154d0980011994021dacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e752e1e\preloader.exe

Filesize
1.3MB

MD5
1ca6cc8caaeda9ff6369146d461af826

SHA1
0dac7d2bc99c76710d508c7e1fc02ea1085def3b

SHA256
cf3be7118a2588ca52d94bab8fca88feae263f1e7fca185fa2cacde7ee8b713a

SHA512
ebb4799f8a170cebbac3235efdf4ea00ac8cde25ec80b2f5b09e3523456e667a689a0cf34270271c5815e62963241eb7a698b0838e25cc4be022a748a0a113d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e752e1e\preloader.exe

Filesize
1.3MB

MD5
1ca6cc8caaeda9ff6369146d461af826

SHA1
0dac7d2bc99c76710d508c7e1fc02ea1085def3b

SHA256
cf3be7118a2588ca52d94bab8fca88feae263f1e7fca185fa2cacde7ee8b713a

SHA512
ebb4799f8a170cebbac3235efdf4ea00ac8cde25ec80b2f5b09e3523456e667a689a0cf34270271c5815e62963241eb7a698b0838e25cc4be022a748a0a113d1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads