abfe2e9589900ddde0e6d047913cb31b3e2e6ddddda57f087636aac4ec5b5cd6

Analysis

max time kernel
131s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2023, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a55c827c3285055010e1307a9785a5f4d403c3a857acadd1fded4a7de529db47.dll
Size

740KB
MD5

a2653075a9e69912f7ad570ff5589ff2
SHA1

345f7e813123599d59d564d7cf359f67b51fda6d
SHA256

a55c827c3285055010e1307a9785a5f4d403c3a857acadd1fded4a7de529db47
SHA512

2165d919d23257fc141d8df5f84ec4df18506226e22cd49e8c06d21dfd8d512036207d29c5ad7b14d54b276086119e9aeae6196b79d084fee9d7dcf82e9b4868
SSDEEP

12288:i+YE32Q8n9FgCBT4jh0rOcazvLbzTq4TYSyPKcaTuxfa:ivEwnfg04jgaXbzG4TYS8KcR

Score

6^/10

evasion persistence trojan

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dhdytttjj = "C:\\Users\\Admin\\AppData\\Roaming\\TMJr2G\\AtBroker.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\wPA8K\cttune.exe	cmd.exe
File opened for modification	C:\Windows\system32\wPA8K\cttune.exe	cmd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4860	rundll32.exe
4860	rundll32.exe
4860	rundll32.exe
4860	rundll32.exe
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found
3172	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3172	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3172	Process not Found
Token: SeCreatePagefilePrivilege	3172	Process not Found
Token: SeShutdownPrivilege	3172	Process not Found
Token: SeCreatePagefilePrivilege	3172	Process not Found
Token: SeShutdownPrivilege	3172	Process not Found
Token: SeCreatePagefilePrivilege	3172	Process not Found

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 2516	3172	Process not Found	94
PID 3172 wrote to memory of 2516	3172	Process not Found	94
PID 3172 wrote to memory of 4980	3172	Process not Found	95
PID 3172 wrote to memory of 4980	3172	Process not Found	95
PID 3172 wrote to memory of 2632	3172	Process not Found	97
PID 3172 wrote to memory of 2632	3172	Process not Found	97
PID 3172 wrote to memory of 4620	3172	Process not Found	98
PID 3172 wrote to memory of 4620	3172	Process not Found	98
PID 3172 wrote to memory of 4716	3172	Process not Found	100
PID 3172 wrote to memory of 4716	3172	Process not Found	100
PID 3172 wrote to memory of 1764	3172	Process not Found	104
PID 3172 wrote to memory of 1764	3172	Process not Found	104
PID 3172 wrote to memory of 3060	3172	Process not Found	107
PID 3172 wrote to memory of 3060	3172	Process not Found	107
PID 3172 wrote to memory of 904	3172	Process not Found	109
PID 3172 wrote to memory of 904	3172	Process not Found	109
PID 3172 wrote to memory of 2628	3172	Process not Found	115
PID 3172 wrote to memory of 2628	3172	Process not Found	115
PID 3172 wrote to memory of 1508	3172	Process not Found	117
PID 3172 wrote to memory of 1508	3172	Process not Found	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a55c827c3285055010e1307a9785a5f4d403c3a857acadd1fded4a7de529db47.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4860

C:\Windows\system32\AtBroker.exe
C:\Windows\system32\AtBroker.exe
1⤵
PID:2516

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Rkug.cmd
1⤵
PID:4980

C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
1⤵
PID:2632

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\S8xM6E.cmd
1⤵
- Drops file in System32 directory
PID:4620

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Xdlsydzchw" /TR C:\Windows\system32\wPA8K\cttune.exe /SC minute /MO 60 /RL highest
1⤵
- Creates scheduled task(s)
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Xdlsydzchw"
1⤵
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Xdlsydzchw"
1⤵
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Xdlsydzchw"
1⤵
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Xdlsydzchw"
1⤵
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Xdlsydzchw"
1⤵
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Xdlsydzchw"
1⤵
PID:2392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7bDB03.tmp

Filesize
744KB

MD5
b635c49da55756e6ca69ecd710d4deba

SHA1
10c073317a6895a3209fbd98946a72d7ac332119

SHA256
750ae5805b9176368ce904052105f19f506532d519588ef49f9cdf5d5ad2622e

SHA512
8b9e5951a057d1c3d92c610f689a374e7c7144bfcf4d8baad6a65044e881b6abdb42591c9712e29f04cddd0106ca70d011c01e0ab5dd26abe3c5827749de84ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rkug.cmd

Filesize
233B

MD5
d09b46e749187796adc2b593a5c22c7c

SHA1
99a8043fcaf12f2bf5d46843104609137414e1f2

SHA256
656de063b3163160c818d0bd59c1b966f5669d8caf5a473ff4b03b7afa3e34e5

SHA512
ffe6da1cad8f0d695c97e2ec1f9935b94439375cc6344ea12877e79939f72d0be460ac6e9d459811481f0128e28a1f5b7dfac3c9c9abb70251a90915c23aa126

Download Submit
C:\Users\Admin\AppData\Local\Temp\S8xM6E.cmd

Filesize
193B

MD5
0704eb40106394cba2af80e53bda9bf3

SHA1
b479f1bf8dfc65c92888ffbd6a7dbcc1c5334929

SHA256
c3b130424f781ded477d0b98371c21c29111bec1a20a9d2095469fbb56d65b6d

SHA512
ac36a97d58c6cb46226d2f94e637fcf82cd91842616e1271189ccf0d4c0eae9f55ea70eb4969e838e25e22066de59cf882cae41ed2b27d8626a0bbbf71ba7bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3D9.tmp

Filesize
744KB

MD5
e572cb705f2a5ea79175fa2c3a82f36b

SHA1
a82ec9d6870030d5bd555195d8c9548d4bbd3788

SHA256
012db8b89a46e167169a382cc4aa43c7b601bf6efbf4bb12ea0c4e92fad3dc49

SHA512
cf13694ce9fa2d633b9b72c95eddbc35b18fafb9f5de6f0245f0472e1d3d91ab6fa4059d2263918bad3940781721d702592b8ad13ad290d9e8decd3fa31301e0

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dhdytttjj.lnk

Filesize
883B

MD5
6556e195285139c9c449818cf7288358

SHA1
b3c7494ab070e2ec16872f525c68b8f509ea20a9

SHA256
93ac3d3653bb3fcb02dea9b982a1f2d9944cdebaf34f108e5db779c9b9d2e307

SHA512
643a92e0e70cb78860f8ef03e576edecd5a23678b0ebfbbe43e682a08ea1f8c088eba4cf983fc40a9b1e88e4c00d2d19062ae9b98faa7a17461315844d277df4

Download Submit
C:\Users\Admin\AppData\Roaming\TMJr2G\AtBroker.exe

Filesize
90KB

MD5
30076e434a015bdf4c136e09351882cc

SHA1
584c958a35e23083a0861421357405afd26d9a0c

SHA256
ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd

SHA512
675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

Download Submit
memory/3172-170-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-184-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-146-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-147-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-150-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-148-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-151-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-152-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-153-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-154-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-155-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-156-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-158-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-159-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-157-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-160-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-161-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-162-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-163-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-164-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-165-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-166-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-167-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-168-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-169-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-136-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/3172-171-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-143-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-172-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-187-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-175-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-176-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-177-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-178-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-179-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-180-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-181-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-182-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-183-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-173-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-185-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-186-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-174-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-188-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-194-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-203-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-205-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-207-0x0000000001450000-0x0000000001458000-memory.dmp

Filesize
32KB

Download
memory/3172-209-0x00007FFA9BBC0000-0x00007FFA9BBD0000-memory.dmp

Filesize
64KB

Download
memory/3172-144-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-145-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-142-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-140-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-139-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3172-138-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4860-133-0x00007FFA7D420000-0x00007FFA7D4D9000-memory.dmp

Filesize
740KB

Download
memory/4860-135-0x000001F3BF3A0000-0x000001F3BF3A8000-memory.dmp

Filesize
32KB

Download
memory/4860-141-0x00007FFA7D420000-0x00007FFA7D4D9000-memory.dmp

Filesize
740KB

Download