16a49e6be04438de907921a01ba77232dc4cdd6be1efcc9141d3d519204458df

General

Target

16e6a77a75cfd7252c1561efc9797a91.exe
Size

877KB
MD5

16e6a77a75cfd7252c1561efc9797a91
SHA1

a695040c2722a09edbff32dd2c35b2f83ea8bc4b
SHA256

16a49e6be04438de907921a01ba77232dc4cdd6be1efcc9141d3d519204458df
SHA512

3a03c48f1e47563ed1d46f085cd11cbb9028c8dfcec7c65c8859916061cae63d8e333d4dcc27500066df4d71fc04ca0c51d3d8b674b0c58f5a05ffa78c4cf86f
SSDEEP

24576:KxMLKmtvPyHu7s8vPa9ndy9pNg4W7HM85cN+2QHC0c:kiKmHyOooP0Jp7s8wQy

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
4516	16e6a77a75cfd7252c1561efc9797a91.exe
4516	16e6a77a75cfd7252c1561efc9797a91.exe
4516	16e6a77a75cfd7252c1561efc9797a91.exe
4516	16e6a77a75cfd7252c1561efc9797a91.exe
4516	16e6a77a75cfd7252c1561efc9797a91.exe
4516	16e6a77a75cfd7252c1561efc9797a91.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	16e6a77a75cfd7252c1561efc9797a91.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 1060	536	16e6a77a75cfd7252c1561efc9797a91.exe	27
PID 536 wrote to memory of 1060	536	16e6a77a75cfd7252c1561efc9797a91.exe	27
PID 536 wrote to memory of 1060	536	16e6a77a75cfd7252c1561efc9797a91.exe	27
PID 1060 wrote to memory of 4516	1060	16e6a77a75cfd7252c1561efc9797a91.exe	23
PID 1060 wrote to memory of 4516	1060	16e6a77a75cfd7252c1561efc9797a91.exe	23
PID 1060 wrote to memory of 4516	1060	16e6a77a75cfd7252c1561efc9797a91.exe	23

C:\Users\Admin\AppData\Local\Temp\16e6a77a75cfd7252c1561efc9797a91.exe
"C:\Users\Admin\AppData\Local\Temp\16e6a77a75cfd7252c1561efc9797a91.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Local\Temp\16e6a77a75cfd7252c1561efc9797a91.exe
  "C:\Users\Admin\AppData\Local\Temp\16e6a77a75cfd7252c1561efc9797a91.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1060

C:\Users\Admin\AppData\Local\Temp\16e6a77a75cfd7252c1561efc9797a91.exe
"C:\Users\Admin\AppData\Local\Temp\16e6a77a75cfd7252c1561efc9797a91.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XWkPnvYGHKGERGJ4qp8\extramod.dll

Filesize
63KB

MD5
edf552352527faae45f3d13f59ba458c

SHA1
e3694d91d6a5cb9c7b8a87885df9a8eaf63768b3

SHA256
f5c363c3580c09a90f6a0d7173d4ef302da329b09af6e101e3dbbbbf7dd1cd8c

SHA512
d85f432127ee0722c5729fdce0a35875dd00bf0f74875848b13299f79947b31fd291004513a9bcc1b55d7c85bf1a0bbaf21cd40667bca9d8f6d6603a34a44931

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWkPnvYGHKGERGJ4qp8\extramod.dll

Filesize
10KB

MD5
a200f1bd5620bf625df0cbdb6729b7dc

SHA1
38195bb915c0faf28d3f25f472e3769882a97f7a

SHA256
77ffb4ba6343bb8a20a2e6453c5765e957c99b64f94995083f64a6de7a0a2f9b

SHA512
1c9302e0008aa639fde018114165dbd247012ff1d25213f2d7006b85cdbfcfa9a6f88363014d312c9d56dfb763398f9c3ab352462c49c40591002664272b2713

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWkPnvYGHKGERGJ4qp8\loading_screen.dll

Filesize
5KB

MD5
44dac7f87bdf94d553f8d2cf073d605d

SHA1
21bf5d714b9fcab32ba40ff7d36e48c378b67a06

SHA256
0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66

SHA512
92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWkPnvYGHKGERGJ4qp8\lua51.dll

Filesize
47KB

MD5
58d538b97960bc2848662f93a33242e0

SHA1
6f444fb02d58455129a5404a18a4dbf99a5a3599

SHA256
bd547cc35745995678f2a507750250764a934edb7d16157be07dacd6d4120b72

SHA512
215e3bf5f39b7e22dcee9cf5e971e1a46fc5817c8473166e607ed0f74863b372596c3c311b2b4623d8d3c8a0d926226d38a818caa3aa8f42cab5820c301e0c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWkPnvYGHKGERGJ4qp8\shared_library.dll

Filesize
6KB

MD5
03bc2773cfa0157d93a717d4568af535

SHA1
f4ef28d089d59f71a466e0456e77d977561831cd

SHA256
f794b4fe99f7add948746272c1a8863de9342573350e362644a5bc3b83c92acc

SHA512
4ed67d04b8b01b0a55e72e2599593da2f2e795832b685c7ebc07b727b28b1ab5d2ae24d691516ccc4ce33e28a1d0558c0f12466c3968f08ff82b8e7482c11ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWkPnvYGHKGERGJ4qp8\shared_library.dll

Filesize
54KB

MD5
2e0c18a4f114944846bc6ba51c062a41

SHA1
dbb68fe0129407068eb28137fc71f80d0eeb3564

SHA256
7c1f379ce919b02def59e5beb09c1d0462234dde3a3d72228c2aae91e054c6f9

SHA512
5487739d5c613f4c67b67b39975aaa390889f208cf3f99f543ad9efd44a1c30b53f3a56e214d8bf71b65d035e0217056ddd7afce816f8cf6e9f19845a54c3b20

Download Submit
memory/4516-23-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/4516-19-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/4516-29-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/4516-18-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/4516-17-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/4516-14-0x0000000000670000-0x00000000006A6000-memory.dmp

Filesize
216KB

Download
memory/4516-21-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/4516-22-0x000000007FE30000-0x000000007FE40000-memory.dmp

Filesize
64KB

Download
memory/4516-20-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/4516-7-0x0000000000650000-0x0000000000666000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing