18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8

Analysis

max time kernel
182s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe
Size

20.0MB
MD5

4ca7cafe6d2de606474a142b504f264c
SHA1

4e650e70a609f09b797c905db21d6c3b13031884
SHA256

18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8
SHA512

a0140c14db24db61cccdf7f8751223f53caf097e5b696f89d1cf7fbab957692c08c6c883f8646e7677beafc02cb50d264deee5b4c60007b8500e1ff71f3af4a9
SSDEEP

393216:AEhtnC7xIqhwV/zhly0NKt3YMJ+s4yPcwdzbfrxOG9AiCOIfxu9aDw:NFCjwVMZ4RwJTxBKRf89

Score

8^/10

evasion trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ActiveX.exe

pid process

3096 ActiveX.exe
Loads dropped DLL 3 IoCs

Processes:

ActiveX.exe

pid process

3096 ActiveX.exe
3096 ActiveX.exe
3096 ActiveX.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

ActiveX.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ActiveX.exe

pid	process
3096	ActiveX.exe

pid	process
3096	ActiveX.exe
3096	ActiveX.exe
3096	ActiveX.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ActiveX.exe

Drops file in System32 directory 4 IoCs

Processes:

ActiveX.exe18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Macromed\Temp\{76D9502C-0C5F-45BD-9AE1-D028FE0A21BF}\fpb.tmp	ActiveX.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashInstall.log	ActiveX.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\mms.cfg	18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe
File created	C:\Windows\SysWOW64\Macromed\Temp\{EEC68854-3BAC-49A3-B431-BB9CED3B9B93}\fpb.tmp	ActiveX.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ActiveX.exe

pid process

3096 ActiveX.exe
3096 ActiveX.exe
3096 ActiveX.exe
3096 ActiveX.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ActiveX.exe

pid process

3096 ActiveX.exe

pid	process
3096	ActiveX.exe
3096	ActiveX.exe
3096	ActiveX.exe
3096	ActiveX.exe

pid	process
3096	ActiveX.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe

description	pid	process	target process
PID 3596 wrote to memory of 3096	3596	18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe	ActiveX.exe
PID 3596 wrote to memory of 3096	3596	18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe	ActiveX.exe
PID 3596 wrote to memory of 3096	3596	18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe	ActiveX.exe

C:\Users\Admin\AppData\Local\Temp\18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe
"C:\Users\Admin\AppData\Local\Temp\18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3596

C:\Users\Admin\AppData\Local\Temp\ActiveX.exe
C:\Users\Admin\AppData\Local\Temp\ActiveX.exe /install
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ActiveX.exe
Filesize
18.9MB

MD5
b18195bd28aa97546527fe349c9a1cac

SHA1
a74417d43224fa90c936cdbfd06143dddecb1287

SHA256
5d7e8f16effb5c41a4f0440e51b24e0631592ac89254b1355e4ed82a2f978656

SHA512
c5b5d3609f3ebf9d1940810a71e67349e0e76ac8ca0db4bc4d0a43bfbbf64f700211ca8ee7d32cb3db0fd5abcfaf7707c35359f0b2dea45e7e710f278ab74db2

Download Submit
C:\Windows\SysWOW64\Macromed\Temp\{76D9502C-0C5F-45BD-9AE1-D028FE0A21BF}\fpb.tmp
Filesize
531KB

MD5
abfd3e589088090cef4d24cc96f08adf

SHA1
f0cff2c63f0b13586d6ffa041b0741fcc3afb559

SHA256
aa331235698a8f03b600fd4e5dac959a854888c3d9b7fc949d450680eb287045

SHA512
30ae9627f69df64c4676d3b1b91d32939d75fbeec31a0ed65180eb0dfc8a389221a6a059f5050316a21c2b95ddd85fb8f07239549d8309bc61aa04cbf4ae0ed3

Download Submit
C:\Windows\SysWOW64\Macromed\Temp\{EEC68854-3BAC-49A3-B431-BB9CED3B9B93}\fpb.tmp
Filesize
1.2MB

MD5
50dff23ab101f360ae16b0c86e7bbc33

SHA1
2eb61415a46674e80450527c8545a7056c8d04ae

SHA256
44aa4cbe688edc61257300859cd916bdcfeea2e779ac0957733841a0da72fc45

SHA512
6329dcf553736e93b5f69b8cd9a83a08549f3c379d0c1b3e5fe969cbcd86f6f24e7ec1fd089eb5b93aa1a566d58c6f7e4dabccdf21a467c08944ca168ad83bbc

Download Submit
C:\Windows\SysWOW64\Macromed\Temp\{EEC68854-3BAC-49A3-B431-BB9CED3B9B93}\fpb.tmp
Filesize
1.2MB

MD5
50dff23ab101f360ae16b0c86e7bbc33

SHA1
2eb61415a46674e80450527c8545a7056c8d04ae

SHA256
44aa4cbe688edc61257300859cd916bdcfeea2e779ac0957733841a0da72fc45

SHA512
6329dcf553736e93b5f69b8cd9a83a08549f3c379d0c1b3e5fe969cbcd86f6f24e7ec1fd089eb5b93aa1a566d58c6f7e4dabccdf21a467c08944ca168ad83bbc

Download Submit
memory/3096-133-0x0000000000000000-mapping.dmp

Download