e6068e78a095edc7e0910c9db97422b36e87e03f98e996fcfba76138e3d2c334

General

Target

AutoReg.exe
Size

3.5MB
MD5

3b495949f589588064b6a4097f27d79f
SHA1

6cfca65e3d414dd8111c4e49f614024deb99fb31
SHA256

e33b1b70563ec14243c4030cc173316eaa85453f0ddac28afd7b47aceb55d5bf
SHA512

6ca3f875afca22067acc53fbb6eab228a31457ccd0030da885ef0da0f1d5c4c7828b6e55d059f4fd053d049f0d43b09dd1322517e5e746391d9593437cf64a74
SSDEEP

98304:DmJkREXM39UBJ1OgvRAyFGT63p2FGT63p:0kIkYvJAfele

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AutoReg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4220	AutoReg.exe
4220	AutoReg.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4220	AutoReg.exe
4220	AutoReg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4220	AutoReg.exe
4220	AutoReg.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 3780	4220	AutoReg.exe	84
PID 4220 wrote to memory of 3780	4220	AutoReg.exe	84
PID 4220 wrote to memory of 3780	4220	AutoReg.exe	84
PID 4220 wrote to memory of 792	4220	AutoReg.exe	86
PID 4220 wrote to memory of 792	4220	AutoReg.exe	86
PID 4220 wrote to memory of 792	4220	AutoReg.exe	86
PID 4220 wrote to memory of 3572	4220	AutoReg.exe	88
PID 4220 wrote to memory of 3572	4220	AutoReg.exe	88
PID 4220 wrote to memory of 3572	4220	AutoReg.exe	88
PID 4220 wrote to memory of 208	4220	AutoReg.exe	90
PID 4220 wrote to memory of 208	4220	AutoReg.exe	90
PID 4220 wrote to memory of 208	4220	AutoReg.exe	90
PID 4220 wrote to memory of 3664	4220	AutoReg.exe	92
PID 4220 wrote to memory of 3664	4220	AutoReg.exe	92
PID 4220 wrote to memory of 3664	4220	AutoReg.exe	92
PID 4220 wrote to memory of 3864	4220	AutoReg.exe	94
PID 4220 wrote to memory of 3864	4220	AutoReg.exe	94
PID 4220 wrote to memory of 3864	4220	AutoReg.exe	94

C:\Users\Admin\AppData\Local\Temp\AutoReg.exe
"C:\Users\Admin\AppData\Local\Temp\AutoReg.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com > C:\Users\Admin\AppData\Local\Temp\~RomDmp1\Rom.dmp
  2⤵
  PID:3780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com > C:\Users\Admin\AppData\Local\Temp\~RomDmp1\Rom.dmp
  2⤵
  PID:792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com > C:\Users\Admin\AppData\Local\Temp\~RomDmp1\Rom.dmp
  2⤵
  PID:3572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com > C:\Users\Admin\AppData\Local\Temp\~RomDmp1\Rom.dmp
  2⤵
  PID:208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com > C:\Users\Admin\AppData\Local\Temp\~RomDmp1\Rom.dmp
  2⤵
  PID:3664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com > C:\Users\Admin\AppData\Local\Temp\~RomDmp1\Rom.dmp
  2⤵
  PID:3864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com

Filesize
46B

MD5
74ea83a987cf7e29fe79b16b15b4bbed

SHA1
452a79ee1211fad2efdfaf203e4b092f937208fc

SHA256
9b327617c8c6fc6c70b7ada3ea40edcb143f0925d0c33fbb8a0a366020deed9d

SHA512
35334ba33584b60b2774a4404706d88382b4ab647a3e9afe231e7910246c6fb851a2ae860652771fe2809e40abdc922d75f08616b8dc1ea16e2eefa572000355

Download Submit
C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com

Filesize
46B

MD5
74ea83a987cf7e29fe79b16b15b4bbed

SHA1
452a79ee1211fad2efdfaf203e4b092f937208fc

SHA256
9b327617c8c6fc6c70b7ada3ea40edcb143f0925d0c33fbb8a0a366020deed9d

SHA512
35334ba33584b60b2774a4404706d88382b4ab647a3e9afe231e7910246c6fb851a2ae860652771fe2809e40abdc922d75f08616b8dc1ea16e2eefa572000355

Download Submit
C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com

Filesize
46B

MD5
74ea83a987cf7e29fe79b16b15b4bbed

SHA1
452a79ee1211fad2efdfaf203e4b092f937208fc

SHA256
9b327617c8c6fc6c70b7ada3ea40edcb143f0925d0c33fbb8a0a366020deed9d

SHA512
35334ba33584b60b2774a4404706d88382b4ab647a3e9afe231e7910246c6fb851a2ae860652771fe2809e40abdc922d75f08616b8dc1ea16e2eefa572000355

Download Submit
C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com

Filesize
46B

MD5
74ea83a987cf7e29fe79b16b15b4bbed

SHA1
452a79ee1211fad2efdfaf203e4b092f937208fc

SHA256
9b327617c8c6fc6c70b7ada3ea40edcb143f0925d0c33fbb8a0a366020deed9d

SHA512
35334ba33584b60b2774a4404706d88382b4ab647a3e9afe231e7910246c6fb851a2ae860652771fe2809e40abdc922d75f08616b8dc1ea16e2eefa572000355

Download Submit
C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com

Filesize
46B

MD5
74ea83a987cf7e29fe79b16b15b4bbed

SHA1
452a79ee1211fad2efdfaf203e4b092f937208fc

SHA256
9b327617c8c6fc6c70b7ada3ea40edcb143f0925d0c33fbb8a0a366020deed9d

SHA512
35334ba33584b60b2774a4404706d88382b4ab647a3e9afe231e7910246c6fb851a2ae860652771fe2809e40abdc922d75f08616b8dc1ea16e2eefa572000355

Download Submit
C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com

Filesize
46B

MD5
74ea83a987cf7e29fe79b16b15b4bbed

SHA1
452a79ee1211fad2efdfaf203e4b092f937208fc

SHA256
9b327617c8c6fc6c70b7ada3ea40edcb143f0925d0c33fbb8a0a366020deed9d

SHA512
35334ba33584b60b2774a4404706d88382b4ab647a3e9afe231e7910246c6fb851a2ae860652771fe2809e40abdc922d75f08616b8dc1ea16e2eefa572000355

Download Submit
memory/4220-133-0x0000000002CA0000-0x0000000002E9F000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing