ac7a4330088e7a46a977714c404aad19d381262a3496be2f956ed868eba3b5f3

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2023, 09:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NWwww#5.exe
Size

1.6MB
MD5

556c972a4792908bd1056880fbcf6fb8
SHA1

2db1abd5f0a4037a9935d571c4ca7f8e8b4efc15
SHA256

ac7a4330088e7a46a977714c404aad19d381262a3496be2f956ed868eba3b5f3
SHA512

cb088ac596350be0265e1b5ac0f1f2103d28c2c090c3644862cef57cc89ad30a91309f881f3e74af9a2f86a68b65d7cca8915e006677a9347f19ef97993dac60
SSDEEP

24576:4+l2sfHM0lcBAPwaUfJLdW43C5/f4UG4:/ERA03C5

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe

Executes dropped EXE 1 IoCs

pid	Process
60	lejzjpkp.exe

Loads dropped DLL 6 IoCs

pid	Process
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	lejzjpkp.exe
File opened (read-only)	\??\M:	lejzjpkp.exe
File opened (read-only)	\??\N:	lejzjpkp.exe
File opened (read-only)	\??\O:	lejzjpkp.exe
File opened (read-only)	\??\T:	lejzjpkp.exe
File opened (read-only)	\??\W:	lejzjpkp.exe
File opened (read-only)	\??\E:	lejzjpkp.exe
File opened (read-only)	\??\K:	lejzjpkp.exe
File opened (read-only)	\??\L:	lejzjpkp.exe
File opened (read-only)	\??\U:	lejzjpkp.exe
File opened (read-only)	\??\B:	lejzjpkp.exe
File opened (read-only)	\??\S:	lejzjpkp.exe
File opened (read-only)	\??\V:	lejzjpkp.exe
File opened (read-only)	\??\Y:	lejzjpkp.exe
File opened (read-only)	\??\Q:	lejzjpkp.exe
File opened (read-only)	\??\H:	lejzjpkp.exe
File opened (read-only)	\??\J:	lejzjpkp.exe
File opened (read-only)	\??\P:	lejzjpkp.exe
File opened (read-only)	\??\R:	lejzjpkp.exe
File opened (read-only)	\??\X:	lejzjpkp.exe
File opened (read-only)	\??\Z:	lejzjpkp.exe
File opened (read-only)	\??\G:	lejzjpkp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
1304	regedit.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe
60	lejzjpkp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
60	lejzjpkp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 60	1324	NWwww#5.exe	96
PID 1324 wrote to memory of 60	1324	NWwww#5.exe	96
PID 1324 wrote to memory of 60	1324	NWwww#5.exe	96
PID 1324 wrote to memory of 3944	1324	NWwww#5.exe	97
PID 1324 wrote to memory of 3944	1324	NWwww#5.exe	97
PID 1324 wrote to memory of 3944	1324	NWwww#5.exe	97
PID 3944 wrote to memory of 1304	3944	cmd.exe	99
PID 3944 wrote to memory of 1304	3944	cmd.exe	99
PID 3944 wrote to memory of 1304	3944	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\NWwww#5.exe
"C:\Users\Admin\AppData\Local\Temp\NWwww#5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Public\Downloads\lejzjpkp.exe
  "C:\Users\Public\Downloads\lejzjpkp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:60
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c regedit /s C:\\Users\\Public\\Downloads\\uac.reg
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\\Users\\Public\\Downloads\\uac.reg
    3⤵
    - UAC bypass
    - Runs .reg file with regedit
    PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Downloads\AndroidAssistHelper.dll

Filesize
152KB

MD5
f1ccfdd550f0144a80f2b0ea791e2f7a

SHA1
891dd45e0a495f46d92cc9437df54b3a361db967

SHA256
d69d9332a42141168061e6bde1f1316d528060f93b2583acf188b78f9c062548

SHA512
380c5bf672dc1f716c20a993f1a643cda7b87dd9f7cee09644e5d19d746e6de3b519668bc91397e83833d5a0d4144bae99cb577faa572424fcea3cc3fdca9e24

Download Submit
C:\Users\Public\Downloads\AndroidAssistHelper.dll

Filesize
152KB

MD5
f1ccfdd550f0144a80f2b0ea791e2f7a

SHA1
891dd45e0a495f46d92cc9437df54b3a361db967

SHA256
d69d9332a42141168061e6bde1f1316d528060f93b2583acf188b78f9c062548

SHA512
380c5bf672dc1f716c20a993f1a643cda7b87dd9f7cee09644e5d19d746e6de3b519668bc91397e83833d5a0d4144bae99cb577faa572424fcea3cc3fdca9e24

Download Submit
C:\Users\Public\Downloads\CommonLib.dll

Filesize
1.9MB

MD5
8d2adb597a93331dfdf9c5a59962df62

SHA1
8b578724c2b2597b146e196c0c6436b177e097cb

SHA256
ace46ac7b326b1e7b9860b78ef5b78d4112005c9cdff960cf524f965efd95562

SHA512
0c5a58c913ab08ab8a017cfc600c73181520271facfeb10c2e0d8c275c17256d4153d450d19833d104b046194330f0a1f34877abc623976ae6bfa57137207b77

Download Submit
C:\Users\Public\Downloads\CommonLib.dll

Filesize
1.9MB

MD5
8d2adb597a93331dfdf9c5a59962df62

SHA1
8b578724c2b2597b146e196c0c6436b177e097cb

SHA256
ace46ac7b326b1e7b9860b78ef5b78d4112005c9cdff960cf524f965efd95562

SHA512
0c5a58c913ab08ab8a017cfc600c73181520271facfeb10c2e0d8c275c17256d4153d450d19833d104b046194330f0a1f34877abc623976ae6bfa57137207b77

Download Submit
C:\Users\Public\Downloads\LiveUpdate.db

Filesize
1KB

MD5
ca1ef50f4b8e67c8581b2c5abd1632cc

SHA1
7de6a98c2e44eb7c4eaf3b2fc950926df4eedc83

SHA256
fb84ec8f2e2a971835dcf0ab906856b79aa006cbfd68e0e01c3136d2ecfed69c

SHA512
25ba7b2c5101e84b4d6ff0f1e487d38d654354227d38de9bd1234ac9f10137b80f9d65eef3446df00b2fce1d4f457e26b36d555f297390d669584e55e590695e

Download Submit
C:\Users\Public\Downloads\MSVCP120.dll

Filesize
444KB

MD5
fd5cabbe52272bd76007b68186ebaf00

SHA1
efd1e306c1092c17f6944cc6bf9a1bfad4d14613

SHA256
87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

SHA512
1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

Download Submit
C:\Users\Public\Downloads\MSVCR120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Users\Public\Downloads\lejzjpkp.exe

Filesize
48KB

MD5
6ef054605667e2af4d546a51cbddb2f1

SHA1
c935a683e8f1ab85ef719a07dcfff312f9ce3501

SHA256
e9c29f5c3347e1b2c3cd53a6a0d46fadb717d63f9d00621c8855ff4d85d93a66

SHA512
a50feeb46c84f85e4dbd91791481c6aa29db13951bde79a9ebd9d73508efe03df5c40be7ab0ede945b2eba4cf624387f56ae7680759863e66ad2907f9ad23fcf

Download Submit
C:\Users\Public\Downloads\lejzjpkp.exe

Filesize
48KB

MD5
6ef054605667e2af4d546a51cbddb2f1

SHA1
c935a683e8f1ab85ef719a07dcfff312f9ce3501

SHA256
e9c29f5c3347e1b2c3cd53a6a0d46fadb717d63f9d00621c8855ff4d85d93a66

SHA512
a50feeb46c84f85e4dbd91791481c6aa29db13951bde79a9ebd9d73508efe03df5c40be7ab0ede945b2eba4cf624387f56ae7680759863e66ad2907f9ad23fcf

Download Submit
C:\Users\Public\Downloads\lejzjpkp.exe

Filesize
48KB

MD5
6ef054605667e2af4d546a51cbddb2f1

SHA1
c935a683e8f1ab85ef719a07dcfff312f9ce3501

SHA256
e9c29f5c3347e1b2c3cd53a6a0d46fadb717d63f9d00621c8855ff4d85d93a66

SHA512
a50feeb46c84f85e4dbd91791481c6aa29db13951bde79a9ebd9d73508efe03df5c40be7ab0ede945b2eba4cf624387f56ae7680759863e66ad2907f9ad23fcf

Download Submit
C:\Users\Public\Downloads\msvcp120.dll

Filesize
444KB

MD5
fd5cabbe52272bd76007b68186ebaf00

SHA1
efd1e306c1092c17f6944cc6bf9a1bfad4d14613

SHA256
87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

SHA512
1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

Download Submit
C:\Users\Public\Downloads\msvcr120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Users\Public\Downloads\smlog.dll

Filesize
154KB

MD5
b980923c4fda07404b3114f0a5ce24aa

SHA1
bf41d3443a13eb57424e3dcdd04013de533a6a25

SHA256
7530060649b85d910fb35da64ed9a2d0b3babaeadcce129e224e972f1f1b1029

SHA512
031f85bf79b08b8da7dff198bf2326a761a4bf0aa1209cd543ab9617ee0a3071c81e57e4aa0d2859d55643b62d6e1070bf9f0cce1c6d0f0265595b43ca47974f

Download Submit
C:\Users\Public\Downloads\smlog.dll

Filesize
154KB

MD5
b980923c4fda07404b3114f0a5ce24aa

SHA1
bf41d3443a13eb57424e3dcdd04013de533a6a25

SHA256
7530060649b85d910fb35da64ed9a2d0b3babaeadcce129e224e972f1f1b1029

SHA512
031f85bf79b08b8da7dff198bf2326a761a4bf0aa1209cd543ab9617ee0a3071c81e57e4aa0d2859d55643b62d6e1070bf9f0cce1c6d0f0265595b43ca47974f

Download Submit
C:\Users\Public\Downloads\uac.reg

Filesize
302B

MD5
958dce9a39bb4d496f94ea19388cf02e

SHA1
d4f444e05e2c1893132506d4e8b22ef272083c95

SHA256
c246172071f15967432a297a46fa532f71ba61a677a37a29764e55a429b247b5

SHA512
9752c8406db0e92c0dab0374a428d961c7ef09679cde74bc71379e0418c00f9d36f4efec7f034f79f7763b18c531e50af1479824eb88458f3391824c406903cc

Download Submit
C:\Users\Public\Downloads\zlib1.dll

Filesize
134KB

MD5
c96bf8296cc03164a0309e5acaea0426

SHA1
b0ad779e64670f84ccbe471b936c0e57d45d1ed9

SHA256
0ad6e0730cf3c8744de8af8522eadd092fbd4cf6aaf87a594d60bbfbfa3465a0

SHA512
0e06807cee503259ab6771beeb0297460b440e38eddb5636a16911391ac95d8aa5b25fbebd2267b539b482a95223f5405c9d5a7d7558c5fb146cacbb1b893620

Download Submit
C:\Users\Public\Downloads\zlib1.dll

Filesize
134KB

MD5
c96bf8296cc03164a0309e5acaea0426

SHA1
b0ad779e64670f84ccbe471b936c0e57d45d1ed9

SHA256
0ad6e0730cf3c8744de8af8522eadd092fbd4cf6aaf87a594d60bbfbfa3465a0

SHA512
0e06807cee503259ab6771beeb0297460b440e38eddb5636a16911391ac95d8aa5b25fbebd2267b539b482a95223f5405c9d5a7d7558c5fb146cacbb1b893620

Download Submit
memory/60-190-0x0000000002740000-0x0000000002762000-memory.dmp

Filesize
136KB

Download
memory/60-193-0x0000000003790000-0x00000000037C9000-memory.dmp

Filesize
228KB

Download
memory/60-199-0x0000000003790000-0x00000000037C9000-memory.dmp

Filesize
228KB

Download
memory/60-198-0x0000000002740000-0x0000000002762000-memory.dmp

Filesize
136KB

Download
memory/60-197-0x0000000002740000-0x0000000002762000-memory.dmp

Filesize
136KB

Download
memory/60-185-0x0000000002740000-0x0000000002762000-memory.dmp

Filesize
136KB

Download
memory/60-186-0x0000000002C20000-0x0000000002CA1000-memory.dmp

Filesize
516KB

Download
memory/60-187-0x0000000002740000-0x0000000002762000-memory.dmp

Filesize
136KB

Download
memory/60-189-0x0000000002740000-0x0000000002762000-memory.dmp

Filesize
136KB

Download
memory/60-196-0x0000000003790000-0x00000000037C9000-memory.dmp

Filesize
228KB

Download
memory/60-192-0x0000000003790000-0x00000000037C9000-memory.dmp

Filesize
228KB

Download
memory/60-191-0x0000000002EB0000-0x0000000002EE2000-memory.dmp

Filesize
200KB

Download
memory/60-181-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/60-188-0x0000000002740000-0x0000000002762000-memory.dmp

Filesize
136KB

Download
memory/60-194-0x0000000003790000-0x00000000037C9000-memory.dmp

Filesize
228KB

Download
memory/60-195-0x0000000003790000-0x00000000037C9000-memory.dmp

Filesize
228KB

Download
memory/1324-133-0x0000000003830000-0x00000000038BA000-memory.dmp

Filesize
552KB

Download
memory/1324-184-0x0000000003830000-0x00000000038BA000-memory.dmp

Filesize
552KB

Download
memory/1324-134-0x0000000003830000-0x00000000038BA000-memory.dmp

Filesize
552KB

Download
memory/1324-160-0x0000000003830000-0x00000000038BA000-memory.dmp

Filesize
552KB

Download