804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe
Size

250KB
MD5

ffbe74236bc5af71333adebaf3d24c05
SHA1

cff286efc1903321f7de50f03da466885c76b4e4
SHA256

804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6
SHA512

fd87cd289a63f3608adf4274d871297e77a945f6d1f0b2b3c9fb9774a4c0fe174cd610564356ecefc5f6797c530a076738f28bec5f512ea9439ecf5cffc7876a
SSDEEP

3072:OH/CVJGxEdicegNVoDZQf96sCJcRWJk2LRf9iJptNDcw6RvCIKCNLL+OZEobX/o:sqVJGIic/rCM96shW+I8Jpt56R6BbmNQ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1096	liamz.exe
360	liamz.exe

Deletes itself 1 IoCs

pid	Process
1036	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
308	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe
308	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	liamz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{31DBFA84-4871-6C13-AA17-AEB328714A88} = "C:\\Users\\Admin\\AppData\\Roaming\\Ufwo\\liamz.exe"	liamz.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 852 set thread context of 308	852	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe	27
PID 1096 set thread context of 360	1096	liamz.exe	29

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
360	liamz.exe
360	liamz.exe
360	liamz.exe
360	liamz.exe
360	liamz.exe
360	liamz.exe
360	liamz.exe
360	liamz.exe
360	liamz.exe
360	liamz.exe
360	liamz.exe
360	liamz.exe
360	liamz.exe
360	liamz.exe
360	liamz.exe
360	liamz.exe
360	liamz.exe
360	liamz.exe
360	liamz.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	308	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
852	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe
1096	liamz.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 308	852	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe	27
PID 852 wrote to memory of 308	852	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe	27
PID 852 wrote to memory of 308	852	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe	27
PID 852 wrote to memory of 308	852	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe	27
PID 852 wrote to memory of 308	852	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe	27
PID 852 wrote to memory of 308	852	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe	27
PID 852 wrote to memory of 308	852	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe	27
PID 852 wrote to memory of 308	852	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe	27
PID 852 wrote to memory of 308	852	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe	27
PID 852 wrote to memory of 308	852	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe	27
PID 308 wrote to memory of 1096	308	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe	28
PID 308 wrote to memory of 1096	308	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe	28
PID 308 wrote to memory of 1096	308	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe	28
PID 308 wrote to memory of 1096	308	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe	28
PID 1096 wrote to memory of 360	1096	liamz.exe	29
PID 1096 wrote to memory of 360	1096	liamz.exe	29
PID 1096 wrote to memory of 360	1096	liamz.exe	29
PID 1096 wrote to memory of 360	1096	liamz.exe	29
PID 1096 wrote to memory of 360	1096	liamz.exe	29
PID 1096 wrote to memory of 360	1096	liamz.exe	29
PID 1096 wrote to memory of 360	1096	liamz.exe	29
PID 1096 wrote to memory of 360	1096	liamz.exe	29
PID 1096 wrote to memory of 360	1096	liamz.exe	29
PID 1096 wrote to memory of 360	1096	liamz.exe	29
PID 308 wrote to memory of 1036	308	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe	30
PID 308 wrote to memory of 1036	308	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe	30
PID 308 wrote to memory of 1036	308	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe	30
PID 308 wrote to memory of 1036	308	804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe	30
PID 360 wrote to memory of 1128	360	liamz.exe	15
PID 360 wrote to memory of 1128	360	liamz.exe	15
PID 360 wrote to memory of 1128	360	liamz.exe	15
PID 360 wrote to memory of 1128	360	liamz.exe	15
PID 360 wrote to memory of 1128	360	liamz.exe	15
PID 360 wrote to memory of 1184	360	liamz.exe	14
PID 360 wrote to memory of 1184	360	liamz.exe	14
PID 360 wrote to memory of 1184	360	liamz.exe	14
PID 360 wrote to memory of 1184	360	liamz.exe	14
PID 360 wrote to memory of 1184	360	liamz.exe	14
PID 360 wrote to memory of 1212	360	liamz.exe	13
PID 360 wrote to memory of 1212	360	liamz.exe	13
PID 360 wrote to memory of 1212	360	liamz.exe	13
PID 360 wrote to memory of 1212	360	liamz.exe	13
PID 360 wrote to memory of 1212	360	liamz.exe	13
PID 360 wrote to memory of 1976	360	liamz.exe	32
PID 360 wrote to memory of 1976	360	liamz.exe	32
PID 360 wrote to memory of 1976	360	liamz.exe	32
PID 360 wrote to memory of 1976	360	liamz.exe	32
PID 360 wrote to memory of 1976	360	liamz.exe	32
PID 360 wrote to memory of 1816	360	liamz.exe	33
PID 360 wrote to memory of 1816	360	liamz.exe	33
PID 360 wrote to memory of 1816	360	liamz.exe	33
PID 360 wrote to memory of 1816	360	liamz.exe	33
PID 360 wrote to memory of 1816	360	liamz.exe	33
PID 360 wrote to memory of 2024	360	liamz.exe	34
PID 360 wrote to memory of 2024	360	liamz.exe	34
PID 360 wrote to memory of 2024	360	liamz.exe	34
PID 360 wrote to memory of 2024	360	liamz.exe	34
PID 360 wrote to memory of 2024	360	liamz.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe
  "C:\Users\Admin\AppData\Local\Temp\804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Users\Admin\AppData\Local\Temp\804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe
    "C:\Users\Admin\AppData\Local\Temp\804c743a10bd1930577cc66109e705d15391c07864f2b3bef608d4852d00bdd6.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:308
  - - C:\Users\Admin\AppData\Roaming\Ufwo\liamz.exe
      "C:\Users\Admin\AppData\Roaming\Ufwo\liamz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1096
    - - C:\Users\Admin\AppData\Roaming\Ufwo\liamz.exe
        
        "C:\Users\Admin\AppData\Roaming\Ufwo\liamz.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:360
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpaf2bbc7b.bat"
      4⤵
      Deletes itself
      PID:1036

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1976

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1816

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpaf2bbc7b.bat

Filesize
307B

MD5
4221d6992342c5f48a0d5ff5eb0aedf8

SHA1
e13083f70489f6c1ddaeaf8db9050603b749bddc

SHA256
c3af205cf83238b8cee1a847637eff3269548856d0884f8ef90fa852f0ab9590

SHA512
a86aba5de4b6488898c50ae94028a751a0e06c6bc505b49b9ad13a4fa5bf7a12fb4ee4efdddfe55b8e0279164bfff6bfff9ff7afe817db351559b39e3d84b437

Download Submit
C:\Users\Admin\AppData\Roaming\Ufwo\liamz.exe

Filesize
250KB

MD5
55469ffc2131de8864b8d8e4d582e38d

SHA1
744ce018eb5a85b80243d3825c34cb83bc1a22c7

SHA256
ad076cfe742b31d02d65f25742f12693ee5cca3919d206e3525dd39d290885bd

SHA512
0e67cd8003dc9f21e41ae003d4b6d62848af9ae30239ae61e83ee4590f8e16502298d950328072a72609298ce0e59206888fb2e370ce8680d74911e91619e56f

Download Submit
C:\Users\Admin\AppData\Roaming\Ufwo\liamz.exe

Filesize
250KB

MD5
55469ffc2131de8864b8d8e4d582e38d

SHA1
744ce018eb5a85b80243d3825c34cb83bc1a22c7

SHA256
ad076cfe742b31d02d65f25742f12693ee5cca3919d206e3525dd39d290885bd

SHA512
0e67cd8003dc9f21e41ae003d4b6d62848af9ae30239ae61e83ee4590f8e16502298d950328072a72609298ce0e59206888fb2e370ce8680d74911e91619e56f

Download Submit
C:\Users\Admin\AppData\Roaming\Ufwo\liamz.exe

Filesize
250KB

MD5
55469ffc2131de8864b8d8e4d582e38d

SHA1
744ce018eb5a85b80243d3825c34cb83bc1a22c7

SHA256
ad076cfe742b31d02d65f25742f12693ee5cca3919d206e3525dd39d290885bd

SHA512
0e67cd8003dc9f21e41ae003d4b6d62848af9ae30239ae61e83ee4590f8e16502298d950328072a72609298ce0e59206888fb2e370ce8680d74911e91619e56f

Download Submit
\Users\Admin\AppData\Roaming\Ufwo\liamz.exe

Filesize
250KB

MD5
55469ffc2131de8864b8d8e4d582e38d

SHA1
744ce018eb5a85b80243d3825c34cb83bc1a22c7

SHA256
ad076cfe742b31d02d65f25742f12693ee5cca3919d206e3525dd39d290885bd

SHA512
0e67cd8003dc9f21e41ae003d4b6d62848af9ae30239ae61e83ee4590f8e16502298d950328072a72609298ce0e59206888fb2e370ce8680d74911e91619e56f

Download Submit
\Users\Admin\AppData\Roaming\Ufwo\liamz.exe

Filesize
250KB

MD5
55469ffc2131de8864b8d8e4d582e38d

SHA1
744ce018eb5a85b80243d3825c34cb83bc1a22c7

SHA256
ad076cfe742b31d02d65f25742f12693ee5cca3919d206e3525dd39d290885bd

SHA512
0e67cd8003dc9f21e41ae003d4b6d62848af9ae30239ae61e83ee4590f8e16502298d950328072a72609298ce0e59206888fb2e370ce8680d74911e91619e56f

Download Submit
memory/308-62-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/308-63-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/308-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/308-78-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/360-98-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/852-56-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/852-60-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/1128-85-0x0000000001C60000-0x0000000001C87000-memory.dmp

Filesize
156KB

Download
memory/1128-83-0x0000000001C60000-0x0000000001C87000-memory.dmp

Filesize
156KB

Download
memory/1128-84-0x0000000001C60000-0x0000000001C87000-memory.dmp

Filesize
156KB

Download
memory/1128-82-0x0000000001C60000-0x0000000001C87000-memory.dmp

Filesize
156KB

Download
memory/1128-80-0x0000000001C60000-0x0000000001C87000-memory.dmp

Filesize
156KB

Download
memory/1184-88-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1184-89-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1184-90-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1184-91-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1212-94-0x0000000002B70000-0x0000000002B97000-memory.dmp

Filesize
156KB

Download
memory/1212-95-0x0000000002B70000-0x0000000002B97000-memory.dmp

Filesize
156KB

Download
memory/1212-96-0x0000000002B70000-0x0000000002B97000-memory.dmp

Filesize
156KB

Download
memory/1212-97-0x0000000002B70000-0x0000000002B97000-memory.dmp

Filesize
156KB

Download
memory/1816-109-0x0000000003B50000-0x0000000003B77000-memory.dmp

Filesize
156KB

Download
memory/1816-107-0x0000000003B50000-0x0000000003B77000-memory.dmp

Filesize
156KB

Download
memory/1816-108-0x0000000003B50000-0x0000000003B77000-memory.dmp

Filesize
156KB

Download
memory/1816-110-0x0000000003B50000-0x0000000003B77000-memory.dmp

Filesize
156KB

Download
memory/1976-102-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/1976-103-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/1976-104-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/1976-101-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/2024-115-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/2024-114-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/2024-113-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/2024-116-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download