abfe2e9589900ddde0e6d047913cb31b3e2e6ddddda57f087636aac4ec5b5cd6

Analysis

max time kernel
151s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11/03/2023, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a55c827c3285055010e1307a9785a5f4d403c3a857acadd1fded4a7de529db47.dll
Size

740KB
MD5

a2653075a9e69912f7ad570ff5589ff2
SHA1

345f7e813123599d59d564d7cf359f67b51fda6d
SHA256

a55c827c3285055010e1307a9785a5f4d403c3a857acadd1fded4a7de529db47
SHA512

2165d919d23257fc141d8df5f84ec4df18506226e22cd49e8c06d21dfd8d512036207d29c5ad7b14d54b276086119e9aeae6196b79d084fee9d7dcf82e9b4868
SSDEEP

12288:i+YE32Q8n9FgCBT4jh0rOcazvLbzTq4TYSyPKcaTuxfa:ivEwnfg04jgaXbzG4TYS8KcR

Score

7^/10

evasion persistence trojan

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1260	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ubcrkuizcds = "C:\\Users\\Admin\\AppData\\Roaming\\rQL6X6N\\ddodiag.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\iK3Or\WFS.exe	cmd.exe
File opened for modification	C:\Windows\system32\iK3Or\WFS.exe	cmd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1260	Process not Found

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1364	1260	Process not Found	27
PID 1260 wrote to memory of 1364	1260	Process not Found	27
PID 1260 wrote to memory of 1364	1260	Process not Found	27
PID 1260 wrote to memory of 1872	1260	Process not Found	28
PID 1260 wrote to memory of 1872	1260	Process not Found	28
PID 1260 wrote to memory of 1872	1260	Process not Found	28
PID 1260 wrote to memory of 1932	1260	Process not Found	30
PID 1260 wrote to memory of 1932	1260	Process not Found	30
PID 1260 wrote to memory of 1932	1260	Process not Found	30
PID 1260 wrote to memory of 1940	1260	Process not Found	31
PID 1260 wrote to memory of 1940	1260	Process not Found	31
PID 1260 wrote to memory of 1940	1260	Process not Found	31
PID 1260 wrote to memory of 940	1260	Process not Found	34
PID 1260 wrote to memory of 940	1260	Process not Found	34
PID 1260 wrote to memory of 940	1260	Process not Found	34
PID 1260 wrote to memory of 884	1260	Process not Found	36
PID 1260 wrote to memory of 884	1260	Process not Found	36
PID 1260 wrote to memory of 884	1260	Process not Found	36
PID 1260 wrote to memory of 2012	1260	Process not Found	38
PID 1260 wrote to memory of 2012	1260	Process not Found	38
PID 1260 wrote to memory of 2012	1260	Process not Found	38
PID 1260 wrote to memory of 1580	1260	Process not Found	39
PID 1260 wrote to memory of 1580	1260	Process not Found	39
PID 1260 wrote to memory of 1580	1260	Process not Found	39
PID 1260 wrote to memory of 936	1260	Process not Found	41
PID 1260 wrote to memory of 936	1260	Process not Found	41
PID 1260 wrote to memory of 936	1260	Process not Found	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a55c827c3285055010e1307a9785a5f4d403c3a857acadd1fded4a7de529db47.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2000

C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
1⤵
PID:1364

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\NTw.cmd
1⤵
PID:1872

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:1932

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\bpvVmY.cmd
1⤵
- Drops file in System32 directory
PID:1940

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Qltxre" /TR C:\Windows\system32\iK3Or\WFS.exe /SC minute /MO 60 /RL highest
1⤵
- Creates scheduled task(s)
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Qltxre"
1⤵
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Qltxre"
1⤵
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Qltxre"
1⤵
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Qltxre"
1⤵
PID:936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2ecA64E.tmp

Filesize
744KB

MD5
510c1ee03623730df6a10a794e6702a5

SHA1
1d170ed94b0fd06a5e09d718c1074355434f9941

SHA256
86e4129a9fb53f8f9402f00a3582105a661e2b85421ab602767f9ee9fbfe1815

SHA512
c376633f87b0d6c34f6bc6947d71471a0371b9eba42669f06059a91c540a8aa80a52b0fa5081efbf8e776b350b124834dbd8e4ae965b8e0971c971da799cceb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D3E4.tmp

Filesize
768KB

MD5
171c4e9e65bf97ddb0d80b959d73d61f

SHA1
a27aca0d6579f0e87d4d4a4bdfd3d8ce946ed54d

SHA256
efcdf565acb7d21b751527f9bb4db3c2cbedf972756fcaba759c6f8899862225

SHA512
1c3618dfc05c1c671069e3f9509baad8c4cb210ef12629c5f21ab330862d41cfd55a248dae6f1ff6eace3b7f549b18ff98ee931c33b6f435067dce63908b5a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTw.cmd

Filesize
236B

MD5
8ae9ecb13f36e493b3397baf73b23621

SHA1
48fa2f7df7aaa8d14c38949957246b636cf94bd2

SHA256
6f0d6aa7473ec20f0984151daac4231cc6948f50e09b74c024a7b0f2fd7dd9e1

SHA512
8731e101ab7c390376f86125ef6f8f389a04016a24dd192e444c1470cf20ea6f1320d2dbb23a87d33449e37b29469d6797afeba1a68ff0f6d21bd40a1939085a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bpvVmY.cmd

Filesize
190B

MD5
3e58c999a6d4edf1765fe5b47f5ef441

SHA1
51e0d5f19fda729c08847ce4214db954fb03497c

SHA256
7d2d465a025b87c8aa1fb74d1b201f7b67bd471a0324bf083e2ea58abd3adbe3

SHA512
325619e23d74d00808d13210c9699ffb80a6b93725d9b34e71377e53bb0e25f8c2531293ad18139a4eb47c98d32dd3e291881a3cf4d3c624720b030f5afd8a6b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ubcrkuizcds.lnk

Filesize
798B

MD5
1eac5abc394e7706ecf9e135585324a6

SHA1
b331592cdce095ea35c85b31d7d464dcac39b5d0

SHA256
4889ef10d53d7c0bf8746a1e4fee00bf0cf1c9f4420c7198cb97ae918325b8bf

SHA512
809997e3573af5fbb4d7400bd055ed7e87e07950e505641550abb8636a026ab186e01ae62d8583392c83d06183af4ec0a8f4f0248a4d0a0e3f4aa095fc776756

Download Submit
C:\Users\Admin\AppData\Roaming\rQL6X6N\ddodiag.exe

Filesize
42KB

MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
\Users\Admin\AppData\Roaming\rQL6X6N\ddodiag.exe

Filesize
42KB

MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
memory/1260-101-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-69-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-79-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-80-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-81-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-82-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-83-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-85-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-86-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-93-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-92-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-96-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-98-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-99-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-103-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-109-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-108-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-110-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-107-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-106-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-105-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-104-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-102-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-116-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-77-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-100-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-97-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-78-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-95-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-65-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-88-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-87-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-120-0x0000000077460000-0x0000000077462000-memory.dmp

Filesize
8KB

Download
memory/1260-119-0x0000000002A80000-0x0000000002A88000-memory.dmp

Filesize
32KB

Download
memory/1260-84-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-76-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-75-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-74-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-94-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-68-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-67-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-91-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-64-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-63-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-61-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-60-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-58-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1260-71-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-73-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-72-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-70-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-66-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-122-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1260-121-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2000-54-0x000007FEFAFC0000-0x000007FEFB079000-memory.dmp

Filesize
740KB

Download
memory/2000-56-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/2000-57-0x000007FEFAFC0000-0x000007FEFB079000-memory.dmp

Filesize
740KB

Download