ab4146950420a01f5d012e134ee396d4edfce8c05c9c2f10b6477131ef345cb2

Analysis

max time kernel
171s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 11:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ab4146950420a01f5d012e134ee396d4edfce8c05c9c2f10b6477131ef345cb2.exe
Size

480KB
MD5

143d5feed01d2a043def208af75fea7c
SHA1

a31796433dcf73f57063fd7d08621fe13459c2bf
SHA256

ab4146950420a01f5d012e134ee396d4edfce8c05c9c2f10b6477131ef345cb2
SHA512

c6594b11dcf5c720e41ede337ddbfdac85d30038083a3b88749e0d922cd8c02a0ef496cc119864c17fac2503433b79a68c303f58ad60f78ef6d583f88b1d3ecd
SSDEEP

12288:AteULVUBvCkfmvz756FGtkeSUknzp7tRuvftbObI:KeYVUV5a75G0OtXggbI

Score

7^/10

evasion trojan

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
3312	ab4146950420a01f5d012e134ee396d4edfce8c05c9c2f10b6477131ef345cb2.exe
3312	ab4146950420a01f5d012e134ee396d4edfce8c05c9c2f10b6477131ef345cb2.exe
3312	ab4146950420a01f5d012e134ee396d4edfce8c05c9c2f10b6477131ef345cb2.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ab4146950420a01f5d012e134ee396d4edfce8c05c9c2f10b6477131ef345cb2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ab4146950420a01f5d012e134ee396d4edfce8c05c9c2f10b6477131ef345cb2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ab4146950420a01f5d012e134ee396d4edfce8c05c9c2f10b6477131ef345cb2.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	ab4146950420a01f5d012e134ee396d4edfce8c05c9c2f10b6477131ef345cb2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	ab4146950420a01f5d012e134ee396d4edfce8c05c9c2f10b6477131ef345cb2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3312	ab4146950420a01f5d012e134ee396d4edfce8c05c9c2f10b6477131ef345cb2.exe
3312	ab4146950420a01f5d012e134ee396d4edfce8c05c9c2f10b6477131ef345cb2.exe

C:\Users\Admin\AppData\Local\Temp\ab4146950420a01f5d012e134ee396d4edfce8c05c9c2f10b6477131ef345cb2.exe
"C:\Users\Admin\AppData\Local\Temp\ab4146950420a01f5d012e134ee396d4edfce8c05c9c2f10b6477131ef345cb2.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IM_F12B.tmp\ActionEngine.dll

Filesize
1009KB

MD5
9f33f5afe6693f5ef2bab1ff9b68ca52

SHA1
01b12b2c2b389d2337548b6d41a11be4516d8039

SHA256
7da9d3591d9b319484e4f651a1218fcfce6254315c2dab77519c11279ba25ced

SHA512
221256a8048a442322e2da961add20e46ff669cab29274e41824d00638a2ca3ce0b29a3987856db891862983e5cf8d417d113fe7653ae62ba47d77f3bb716cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IM_F12B.tmp\ActionEngine.dll

Filesize
1009KB

MD5
9f33f5afe6693f5ef2bab1ff9b68ca52

SHA1
01b12b2c2b389d2337548b6d41a11be4516d8039

SHA256
7da9d3591d9b319484e4f651a1218fcfce6254315c2dab77519c11279ba25ced

SHA512
221256a8048a442322e2da961add20e46ff669cab29274e41824d00638a2ca3ce0b29a3987856db891862983e5cf8d417d113fe7653ae62ba47d77f3bb716cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IM_F12B.tmp\ActionEngine.dll

Filesize
1009KB

MD5
9f33f5afe6693f5ef2bab1ff9b68ca52

SHA1
01b12b2c2b389d2337548b6d41a11be4516d8039

SHA256
7da9d3591d9b319484e4f651a1218fcfce6254315c2dab77519c11279ba25ced

SHA512
221256a8048a442322e2da961add20e46ff669cab29274e41824d00638a2ca3ce0b29a3987856db891862983e5cf8d417d113fe7653ae62ba47d77f3bb716cad

Download Submit