37b51c529c4f88f175fec0d639759364d8dc4df55d0ebf775f4b4409546d6255

Analysis

max time kernel
90s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

App/DirectoryMonitor/DirectoryMonitor.exe
Size

1.9MB
MD5

ae0bc60a12ca3a32afb32cf17f44282a
SHA1

9100660d3e5daaaa810c8161d8ae25f2b0b54209
SHA256

242e6e9e8ef08501d6f97e408b2fff7d7141baced8214250219cad7c8a3b08dc
SHA512

72ed571b2a236415b20bfa6f7c1e4847df525b0f3a729e2f025236f6586254604f3a71dea282c9a9d0b2c8909e27fa67eb558569a362668ae82af8204afbfe56
SSDEEP

12288:4kLywLk29CPs+RkZL+AFncWlBI4g4dxCMDL6rkS:4ZECUXc+pgqCRrkS

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DirectoryMonitor.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	DirectoryMonitor.exe
Token: SeSecurityPrivilege	2264	auditpol.exe
Token: SeSecurityPrivilege	4668	auditpol.exe
Token: SeSecurityPrivilege	4404	auditpol.exe
Token: SeSecurityPrivilege	680	auditpol.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1196	DirectoryMonitor.exe
1196	DirectoryMonitor.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1196	DirectoryMonitor.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1196	DirectoryMonitor.exe
1196	DirectoryMonitor.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2264	1196	DirectoryMonitor.exe	87
PID 1196 wrote to memory of 2264	1196	DirectoryMonitor.exe	87
PID 1196 wrote to memory of 4668	1196	DirectoryMonitor.exe	89
PID 1196 wrote to memory of 4668	1196	DirectoryMonitor.exe	89
PID 1196 wrote to memory of 4404	1196	DirectoryMonitor.exe	91
PID 1196 wrote to memory of 4404	1196	DirectoryMonitor.exe	91
PID 1196 wrote to memory of 680	1196	DirectoryMonitor.exe	93
PID 1196 wrote to memory of 680	1196	DirectoryMonitor.exe	93

C:\Users\Admin\AppData\Local\Temp\App\DirectoryMonitor\DirectoryMonitor.exe
"C:\Users\Admin\AppData\Local\Temp\App\DirectoryMonitor\DirectoryMonitor.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\SYSTEM32\auditpol.exe
  "auditpol.exe" /get /subcategory:"{0CCE921D-69AE-11D9-BED3-505054503030}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\SYSTEM32\auditpol.exe
  "auditpol.exe" /set /subcategory:"{0CCE921D-69AE-11D9-BED3-505054503030}" /success:disable
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- C:\Windows\SYSTEM32\auditpol.exe
  "auditpol.exe" /get /subcategory:"{0CCE9223-69AE-11D9-BED3-505054503030}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- C:\Windows\SYSTEM32\auditpol.exe
  "auditpol.exe" /set /subcategory:"{0CCE9223-69AE-11D9-BED3-505054503030}" /success:disable
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DirectoryMonitor\Admin\ExternalPluginSettings.xml

Filesize
178B

MD5
14f709eb94bfa215bbafde7401e15a7d

SHA1
154c7ce46d4d0de69b20ffbf934addc5957006f5

SHA256
9502e9e22c93b8291c9764d98c993753844b2d756b20f23e813575a3c225c8f7

SHA512
15ad946047e86d6efe184bc1c3940f9f9be47531ca02d4c033138211f0065217dc8ed3926378797d59505e24e7fdbde29b79c56fd322121d901cddf7c3466ea2

Download Submit
memory/1196-0-0x00000000001D0000-0x00000000003BC000-memory.dmp

Filesize
1.9MB

Download
memory/1196-1-0x000000001AB40000-0x000000001AB64000-memory.dmp

Filesize
144KB

Download
memory/1196-2-0x000000001AB10000-0x000000001AB24000-memory.dmp

Filesize
80KB

Download
memory/1196-3-0x000000001ABA0000-0x000000001ABCE000-memory.dmp

Filesize
184KB

Download
memory/1196-5-0x000000001AF30000-0x000000001AF68000-memory.dmp

Filesize
224KB

Download
memory/1196-4-0x00007FF9820F0000-0x00007FF982BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1196-6-0x000000001AF70000-0x000000001AFC0000-memory.dmp

Filesize
320KB

Download
memory/1196-8-0x000000001B080000-0x000000001B090000-memory.dmp

Filesize
64KB

Download
memory/1196-7-0x000000001B090000-0x000000001B0FE000-memory.dmp

Filesize
440KB

Download
memory/1196-9-0x000000001AB30000-0x000000001AB3A000-memory.dmp

Filesize
40KB

Download
memory/1196-10-0x000000001B260000-0x000000001B2C0000-memory.dmp

Filesize
384KB

Download
memory/1196-11-0x000000001ABD0000-0x000000001ABE0000-memory.dmp

Filesize
64KB

Download
memory/1196-12-0x000000001ABF0000-0x000000001AC00000-memory.dmp

Filesize
64KB

Download
memory/1196-13-0x000000001B2C0000-0x000000001B320000-memory.dmp

Filesize
384KB

Download
memory/1196-14-0x000000001BD20000-0x000000001BD6A000-memory.dmp

Filesize
296KB

Download
memory/1196-15-0x000000001BD70000-0x000000001BDAA000-memory.dmp

Filesize
232KB

Download
memory/1196-16-0x000000001B030000-0x000000001B056000-memory.dmp

Filesize
152KB

Download
memory/1196-21-0x000000001CA90000-0x000000001CB6A000-memory.dmp

Filesize
872KB

Download
memory/1196-23-0x000000001B080000-0x000000001B090000-memory.dmp

Filesize
64KB

Download
memory/1196-24-0x000000001CA20000-0x000000001CA40000-memory.dmp

Filesize
128KB

Download
memory/1196-22-0x000000001CF00000-0x000000001CF8A000-memory.dmp

Filesize
552KB

Download
memory/1196-26-0x000000001B080000-0x000000001B090000-memory.dmp

Filesize
64KB

Download
memory/1196-29-0x0000000020020000-0x0000000020104000-memory.dmp

Filesize
912KB

Download
memory/1196-32-0x000000001D100000-0x000000001D10A000-memory.dmp

Filesize
40KB

Download
memory/1196-33-0x000000001D130000-0x000000001D150000-memory.dmp

Filesize
128KB

Download
memory/1196-34-0x0000000020B50000-0x0000000020B88000-memory.dmp

Filesize
224KB

Download
memory/1196-35-0x0000000020B10000-0x0000000020B28000-memory.dmp

Filesize
96KB

Download
memory/1196-36-0x0000000020B30000-0x0000000020B4E000-memory.dmp

Filesize
120KB

Download
memory/1196-37-0x0000000020B90000-0x0000000020BAC000-memory.dmp

Filesize
112KB

Download
memory/1196-38-0x0000000020BB0000-0x0000000020BC8000-memory.dmp

Filesize
96KB

Download
memory/1196-39-0x0000000020BD0000-0x0000000020BE6000-memory.dmp

Filesize
88KB

Download
memory/1196-40-0x0000000020BF0000-0x0000000020C04000-memory.dmp

Filesize
80KB

Download
memory/1196-41-0x0000000020C10000-0x0000000020C2A000-memory.dmp

Filesize
104KB

Download
memory/1196-42-0x0000000020C60000-0x0000000020C82000-memory.dmp

Filesize
136KB

Download
memory/1196-43-0x0000000020CD0000-0x0000000020D0C000-memory.dmp

Filesize
240KB

Download
memory/1196-44-0x0000000020C30000-0x0000000020C42000-memory.dmp

Filesize
72KB

Download
memory/1196-45-0x0000000020D90000-0x0000000020E06000-memory.dmp

Filesize
472KB

Download
memory/1196-46-0x0000000020D10000-0x0000000020D36000-memory.dmp

Filesize
152KB

Download
memory/1196-47-0x00000000203B0000-0x0000000020434000-memory.dmp

Filesize
528KB

Download
memory/1196-48-0x000000001C9B0000-0x000000001C9C4000-memory.dmp

Filesize
80KB

Download
memory/1196-49-0x0000000020320000-0x0000000020368000-memory.dmp

Filesize
288KB

Download
memory/1196-50-0x000000001C9C0000-0x000000001C9DC000-memory.dmp

Filesize
112KB

Download
memory/1196-51-0x000000001C9E0000-0x000000001C9F0000-memory.dmp

Filesize
64KB

Download
memory/1196-52-0x000000001D110000-0x000000001D120000-memory.dmp

Filesize
64KB

Download
memory/1196-53-0x000000001D120000-0x000000001D12C000-memory.dmp

Filesize
48KB

Download
memory/1196-54-0x000000001D150000-0x000000001D15C000-memory.dmp

Filesize
48KB

Download
memory/1196-55-0x0000000020370000-0x0000000020382000-memory.dmp

Filesize
72KB

Download
memory/1196-56-0x0000000020380000-0x000000002039E000-memory.dmp

Filesize
120KB

Download
memory/1196-60-0x00007FF9820F0000-0x00007FF982BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1196-61-0x0000000020630000-0x0000000020690000-memory.dmp

Filesize
384KB

Download
memory/1196-70-0x00000000206A0000-0x00000000206AE000-memory.dmp

Filesize
56KB

Download
memory/1196-71-0x00000000208F0000-0x0000000020946000-memory.dmp

Filesize
344KB

Download
memory/1196-75-0x0000000021B50000-0x00000000222F6000-memory.dmp

Filesize
7.6MB

Download
memory/1196-76-0x000000001B080000-0x000000001B090000-memory.dmp

Filesize
64KB

Download
memory/1196-77-0x000000001B080000-0x000000001B090000-memory.dmp

Filesize
64KB

Download
memory/1196-80-0x000000001D090000-0x000000001D0B6000-memory.dmp

Filesize
152KB

Download
memory/1196-81-0x000000001B080000-0x000000001B090000-memory.dmp

Filesize
64KB

Download
memory/1196-82-0x000000001B080000-0x000000001B090000-memory.dmp

Filesize
64KB

Download
memory/1196-83-0x000000001B080000-0x000000001B090000-memory.dmp

Filesize
64KB

Download
memory/1196-84-0x000000001B080000-0x000000001B090000-memory.dmp

Filesize
64KB

Download
memory/1196-85-0x000000001B080000-0x000000001B090000-memory.dmp

Filesize
64KB

Download
memory/1196-86-0x000000001B080000-0x000000001B090000-memory.dmp

Filesize
64KB

Download