6f9d8f41560ad0aa8d579e1de1da23facb4785ce0e2cc667b02e74b5e8a5a2f8

Analysis

max time kernel
23s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2023, 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6fc9524fec2a6e2d2954d11b67a4d86a3c4a5672f21c388b1ab555e6fd09888.dll
Size

912KB
MD5

d24b38a543bfbb715b93e9059a79ada5
SHA1

af4b41a4ddd99d866360160f755a5f55fc8f35f0
SHA256

c6fc9524fec2a6e2d2954d11b67a4d86a3c4a5672f21c388b1ab555e6fd09888
SHA512

abceb1d12fc00678b63d2439341e04bdee65952230ebd6ba674d9a9b8b6fccea04fed1e4b9f1c8f2064c944b7f5b8d71749a7b2b343923d335a8bd03b5eb3830
SSDEEP

12288:v+YE32Q8n9FgCBT4jh0rOcazvLbzTq4TYSyPKcaTuxfa:vvEwnfg04jgaXbzG4TYS8KcR

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3280	Process not Found
Token: SeCreatePagefilePrivilege	3280	Process not Found
Token: SeShutdownPrivilege	3280	Process not Found
Token: SeCreatePagefilePrivilege	3280	Process not Found
Token: SeShutdownPrivilege	3280	Process not Found
Token: SeCreatePagefilePrivilege	3280	Process not Found
Token: SeShutdownPrivilege	3280	Process not Found
Token: SeCreatePagefilePrivilege	3280	Process not Found
Token: SeShutdownPrivilege	3280	Process not Found
Token: SeCreatePagefilePrivilege	3280	Process not Found
Token: SeShutdownPrivilege	3280	Process not Found
Token: SeCreatePagefilePrivilege	3280	Process not Found
Token: SeShutdownPrivilege	3280	Process not Found
Token: SeCreatePagefilePrivilege	3280	Process not Found
Token: SeShutdownPrivilege	3280	Process not Found
Token: SeCreatePagefilePrivilege	3280	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3280	Process not Found
3280	Process not Found

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6fc9524fec2a6e2d2954d11b67a4d86a3c4a5672f21c388b1ab555e6fd09888.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:3728

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\XUDGFA.cmd
1⤵
PID:4788

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:4512

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\y99pX.cmd
1⤵
PID:3564

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Ylmmmigwnqcj" /TR C:\Windows\system32\ha6GXf\SystemPropertiesComputerName.exe /SC minute /MO 60 /RL highest
1⤵
- Creates scheduled task(s)
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Ylmmmigwnqcj"
1⤵
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Ylmmmigwnqcj"
1⤵
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Ylmmmigwnqcj"
1⤵
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Ylmmmigwnqcj"
1⤵
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Ylmmmigwnqcj"
1⤵
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XUDGFA.cmd

Filesize
231B

MD5
a57a2ac764fce3263752149cf6040ed3

SHA1
c80561474c8dd8e9fb0aa743cb1e66dcd578ba2d

SHA256
1a06dd62f437c0f773e8abf90bebbc24fe4e0c1eaa2d25b64c6d3921dd7ceb9f

SHA512
3e4fe652c45c8165e77fc67c7792230644f75af5bb480da78a287245ecb6741669677146f6e3ce68d7632e491bc05c179bc1d9038e0bf6c40a4dfce7716eafef

Download Submit
C:\Users\Admin\AppData\Local\Temp\n6h2C7A.tmp

Filesize
916KB

MD5
a601f7c0dad7aa2480f9cd70f83b50ed

SHA1
24e4960e2d9a09499a8190b11d29dcbac246e1fd

SHA256
55caacc4e1bbd4e1a806fd99ccb692a4e95c95845fb9584f7f269d291c84fb33

SHA512
bdc920231ea45d923b48e6518b19b4e4cb717fc58ba0e3c723edd7c82a509dc6a4bad72a42c2f79eb67e6de37d4e568f44afc13c8019d77e9cab3373d09bd3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\t55CD.tmp

Filesize
916KB

MD5
779bdad65eba8d54ca0526bb97de250c

SHA1
34ec03245e70c33483e00f6b86e0d30d73369c1b

SHA256
8a8cc3dd38b8c2d28faee5e201a0e94e071b9c47f72aed7029f630cbf54d0001

SHA512
1519d0bd95560ad2298065f9cabe760688c7c1e6ef775af7ae18db9e26a12ac4c516d49a91a8b291d3c8d8dbfaee4101b22bd5214ce7a7cf2bf944564f430101

Download Submit
C:\Users\Admin\AppData\Local\Temp\y99pX.cmd

Filesize
217B

MD5
1e1217517f436006302892c32be66b2f

SHA1
923628c0a9ea553c1bd7b122c6f3ccc4e6e4d2d0

SHA256
1a2861a74e6b82f1d9333442d0d5029af873ba658f49002625cfb458ced32d26

SHA512
050042eef24307cf8bd0c29ec16bbbeacda70ebc558e6a635304d666a13db48ec34ec1184eb19f5da704c1d213ed6755e65bbb5c9e02e04cbcc4c8168ee212d4

Download Submit
C:\Users\Admin\AppData\Roaming\FRcBHJ\slui.exe

Filesize
534KB

MD5
eb725ea35a13dc18eac46aa81e7f2841

SHA1
c0b3304c970324952e18c4a51073e3bdec73440b

SHA256
25e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff

SHA512
39192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Qrmgdculrkqx.lnk

Filesize
859B

MD5
c1431bc72748dbcb273c1fb3f14a081f

SHA1
a2b77504ba79c6261165897291b4180f5cafef00

SHA256
b8c6b36e804c1f7bb765c4e66d9384244099b9de1f2987fedf741cf6d6f164c3

SHA512
5257a67f63ebcd0dac2708a194106172b4798388e286e564f39dc43c1bf2ddc144319302d352ab3dda1f1a577f01ac16288b04655fefdf4a3fb84aefb9cc44fd

Download Submit
memory/1924-2-0x000002C5D6410000-0x000002C5D6418000-memory.dmp

Filesize
32KB

Download
memory/1924-0-0x00007FFC5FD10000-0x00007FFC5FDF4000-memory.dmp

Filesize
912KB

Download
memory/1924-9-0x00007FFC5FD10000-0x00007FFC5FDF4000-memory.dmp

Filesize
912KB

Download
memory/3280-51-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-46-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-18-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-21-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-26-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-30-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-32-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-35-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-40-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-44-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-48-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-55-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-59-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-60-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-61-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-62-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-65-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-64-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-63-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-58-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-80-0x00000000029A0000-0x00000000029A8000-memory.dmp

Filesize
32KB

Download
memory/3280-56-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-88-0x00007FFC7D5A0000-0x00007FFC7D5B0000-memory.dmp

Filesize
64KB

Download
memory/3280-57-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-54-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-53-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-52-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-12-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-50-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-49-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-47-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-16-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-45-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-43-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-42-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-41-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-39-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-38-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-37-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-36-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-33-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-34-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-31-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-29-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-28-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-27-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-25-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-24-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-23-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-22-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-20-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-19-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-17-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-15-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-14-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-13-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-11-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-7-0x00007FFC7CB9A000-0x00007FFC7CB9B000-memory.dmp

Filesize
4KB

Download
memory/3280-5-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-10-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-8-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-6-0x0000000140000000-0x00000001400E4000-memory.dmp

Filesize
912KB

Download
memory/3280-3-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download