16a49e6be04438de907921a01ba77232dc4cdd6be1efcc9141d3d519204458df

General

Target

16e6a77a75cfd7252c1561efc9797a91.exe
Size

877KB
MD5

16e6a77a75cfd7252c1561efc9797a91
SHA1

a695040c2722a09edbff32dd2c35b2f83ea8bc4b
SHA256

16a49e6be04438de907921a01ba77232dc4cdd6be1efcc9141d3d519204458df
SHA512

3a03c48f1e47563ed1d46f085cd11cbb9028c8dfcec7c65c8859916061cae63d8e333d4dcc27500066df4d71fc04ca0c51d3d8b674b0c58f5a05ffa78c4cf86f
SSDEEP

24576:KxMLKmtvPyHu7s8vPa9ndy9pNg4W7HM85cN+2QHC0c:kiKmHyOooP0Jp7s8wQy

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2740	16e6a77a75cfd7252c1561efc9797a91.exe
2740	16e6a77a75cfd7252c1561efc9797a91.exe
2740	16e6a77a75cfd7252c1561efc9797a91.exe
2740	16e6a77a75cfd7252c1561efc9797a91.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	16e6a77a75cfd7252c1561efc9797a91.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2248	2632	16e6a77a75cfd7252c1561efc9797a91.exe	27
PID 2632 wrote to memory of 2248	2632	16e6a77a75cfd7252c1561efc9797a91.exe	27
PID 2632 wrote to memory of 2248	2632	16e6a77a75cfd7252c1561efc9797a91.exe	27
PID 2632 wrote to memory of 2248	2632	16e6a77a75cfd7252c1561efc9797a91.exe	27
PID 2632 wrote to memory of 2248	2632	16e6a77a75cfd7252c1561efc9797a91.exe	27
PID 2632 wrote to memory of 2248	2632	16e6a77a75cfd7252c1561efc9797a91.exe	27
PID 2632 wrote to memory of 2248	2632	16e6a77a75cfd7252c1561efc9797a91.exe	27
PID 2248 wrote to memory of 2740	2248	16e6a77a75cfd7252c1561efc9797a91.exe	28
PID 2248 wrote to memory of 2740	2248	16e6a77a75cfd7252c1561efc9797a91.exe	28
PID 2248 wrote to memory of 2740	2248	16e6a77a75cfd7252c1561efc9797a91.exe	28
PID 2248 wrote to memory of 2740	2248	16e6a77a75cfd7252c1561efc9797a91.exe	28
PID 2248 wrote to memory of 2740	2248	16e6a77a75cfd7252c1561efc9797a91.exe	28
PID 2248 wrote to memory of 2740	2248	16e6a77a75cfd7252c1561efc9797a91.exe	28
PID 2248 wrote to memory of 2740	2248	16e6a77a75cfd7252c1561efc9797a91.exe	28

C:\Users\Admin\AppData\Local\Temp\16e6a77a75cfd7252c1561efc9797a91.exe
"C:\Users\Admin\AppData\Local\Temp\16e6a77a75cfd7252c1561efc9797a91.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Local\Temp\16e6a77a75cfd7252c1561efc9797a91.exe
  "C:\Users\Admin\AppData\Local\Temp\16e6a77a75cfd7252c1561efc9797a91.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\16e6a77a75cfd7252c1561efc9797a91.exe
    "C:\Users\Admin\AppData\Local\Temp\16e6a77a75cfd7252c1561efc9797a91.exe"
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gUdnk3JzU5bBlaQAfyV\extramod.dll

Filesize
73KB

MD5
f401f16817fe1a64d8144b876537fc60

SHA1
56d3890ed3b640cfe397d8d8a834f68c307a19b7

SHA256
b103e708349c7643e776bc99d7937eed115811b7fae8e45c51c6d309f3c15f29

SHA512
887e0f921dfe7a7b59debfb48acefde586d4b48e51a7bc420bfcc5958121c8e4e1e4209db34fa8e79000924a89fe26bbeb374391180a03cfe96188b0dad6a1e4

Download Submit
\Users\Admin\AppData\Local\Temp\gUdnk3JzU5bBlaQAfyV\loading_screen.dll

Filesize
5KB

MD5
44dac7f87bdf94d553f8d2cf073d605d

SHA1
21bf5d714b9fcab32ba40ff7d36e48c378b67a06

SHA256
0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66

SHA512
92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

Download Submit
\Users\Admin\AppData\Local\Temp\gUdnk3JzU5bBlaQAfyV\lua51.dll

Filesize
48KB

MD5
2c12c459cf65e812778aed8dc722e494

SHA1
92485d28f3ebf5de714366e6ba008e8329da2792

SHA256
65504f8abfb2da36711848ce912c5ac2197a39a9c989a3a32ca095b06945a503

SHA512
9b8581fb981e0bcbc5096dd695daea4f667dfae91c63dc816a1381a915e3a1d859cb77a0edc5191cc006481fb2f971ada5a98997105fe4eecd79fdccae285086

Download Submit
\Users\Admin\AppData\Local\Temp\gUdnk3JzU5bBlaQAfyV\shared_library.dll

Filesize
170KB

MD5
ea0d667d264f5ef0a686525cacd09ab7

SHA1
70cad39f5303ff8ac4407b823ba084a0f46146e5

SHA256
343301f083fe8eb55db8f9b0fa8add745389f539670f5f3ecd7b726084baabbf

SHA512
7b4222b8d57c721bcbd597bcad44c503abf9f77511172050845b1626119b6ea6b0fd1d62fe68657be68ff9c682530ef0a7dfb6dd2bbd11e12337a4bf2ee37df4

Download Submit
memory/2740-26-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/2740-18-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/2740-10-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2740-20-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2740-19-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2740-17-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2740-16-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2740-15-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2740-14-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2740-13-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2740-5-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing