a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f

General

Target

a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe
Size

304KB
MD5

cc9e7e94be6e2b403cb83fa1cc7662d9
SHA1

1adce1dcacbd31a1f5c019d39b3ff993b5bc28e2
SHA256

a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f
SHA512

1a25ea2ded3c00ef39cd993f168a45a21059627c38a7b09fbfa6a6e41b5cee71540344ec7cae000989798377497936767983cffc67597a3563c0bab671960774
SSDEEP

6144:a/nOHz9fiX/MqobuB3W//ACFep/3RrMQqgMzAcDon0jB:a2HzlapqAQH6j

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
232	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	232	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe
Token: SeRestorePrivilege	232	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe
Token: SeBackupPrivilege	232	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe
Token: SeLoadDriverPrivilege	232	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe
Token: SeCreatePagefilePrivilege	232	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe
Token: SeShutdownPrivilege	232	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe
Token: SeTakeOwnershipPrivilege	232	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe
Token: SeChangeNotifyPrivilege	232	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe
Token: SeCreateTokenPrivilege	232	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe
Token: SeMachineAccountPrivilege	232	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe
Token: SeSecurityPrivilege	232	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe
Token: SeAssignPrimaryTokenPrivilege	232	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe
Token: SeCreateGlobalPrivilege	232	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe
Token: 33	232	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2036	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 232	2036	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe	85
PID 2036 wrote to memory of 232	2036	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe	85
PID 2036 wrote to memory of 232	2036	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe	85
PID 2036 wrote to memory of 232	2036	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe	85
PID 2036 wrote to memory of 232	2036	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe	85
PID 2036 wrote to memory of 232	2036	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe	85
PID 2036 wrote to memory of 232	2036	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe	85
PID 2036 wrote to memory of 232	2036	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe	85
PID 2036 wrote to memory of 232	2036	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe	85
PID 2036 wrote to memory of 232	2036	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe	85
PID 2036 wrote to memory of 232	2036	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe	85
PID 2036 wrote to memory of 232	2036	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe	85
PID 2036 wrote to memory of 232	2036	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe	85
PID 2036 wrote to memory of 232	2036	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe	85
PID 2036 wrote to memory of 232	2036	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe	85
PID 2036 wrote to memory of 232	2036	a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe	85

C:\Users\Admin\AppData\Local\Temp\a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe
"C:\Users\Admin\AppData\Local\Temp\a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe
  "C:\Users\Admin\AppData\Local\Temp\a67faa7d978ff10725066635e1f771c12e50af65f68cf3fec786df16c210112f.exe"
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:232
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:4636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/232-143-0x0000000000A30000-0x0000000000A93000-memory.dmp

Filesize
396KB

Download
memory/232-144-0x0000000000640000-0x000000000064D000-memory.dmp

Filesize
52KB

Download
memory/232-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/232-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/232-135-0x0000000000000000-mapping.dmp

Download
memory/232-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/232-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/232-145-0x00000000027F0000-0x00000000027FC000-memory.dmp

Filesize
48KB

Download
memory/232-141-0x0000000000A30000-0x0000000000A93000-memory.dmp

Filesize
396KB

Download
memory/232-148-0x0000000000A30000-0x0000000000A93000-memory.dmp

Filesize
396KB

Download
memory/2036-134-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/2036-136-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/4636-146-0x0000000000000000-mapping.dmp

Download
memory/4636-149-0x0000000000180000-0x00000000005B3000-memory.dmp

Filesize
4.2MB

Download
memory/4636-150-0x00000000008C0000-0x0000000000973000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads