bdd11d08ab41c7aaaf6398a12a2aaac21b1254a8d6140aa7fc6405e802be8a62

General

Target

01ec980eefb52c397090c056a9750046.exe
Size

240KB
MD5

01ec980eefb52c397090c056a9750046
SHA1

a46b271d96183f2ce6cc11f9525ec982ebcd3b1a
SHA256

bdd11d08ab41c7aaaf6398a12a2aaac21b1254a8d6140aa7fc6405e802be8a62
SHA512

bce48d4859b177d24cdcbf9afb308660a8ab1988fc6ae56157bea2d6506e4eadb57b56ae157ca64e5ff7b3cb041f15127a9ac06126916470161175dcc7346143
SSDEEP

6144:gLdRE99cd91iZb3aztAwz3KnIgRqYBldcSKBK7Po:gLdRE99cDAZb3AtAwTKnLRflaSK87

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

01ec980eefb52c397090c056a9750046.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	01ec980eefb52c397090c056a9750046.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

01ec980eefb52c397090c056a9750046.exe01ec980eefb52c397090c056a9750046.exe

description	pid	process	target process
PID 2964 set thread context of 4028	2964	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 4028 set thread context of 3096	4028	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe

Suspicious use of SetWindowsHookAW 1 IoCs

Processes:

01ec980eefb52c397090c056a9750046.exe

pid process

2964 01ec980eefb52c397090c056a9750046.exe

pid	process
2964	01ec980eefb52c397090c056a9750046.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

01ec980eefb52c397090c056a9750046.exe01ec980eefb52c397090c056a9750046.exe01ec980eefb52c397090c056a9750046.exe

description	pid	process	target process
PID 2964 wrote to memory of 4028	2964	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 2964 wrote to memory of 4028	2964	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 2964 wrote to memory of 4028	2964	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 2964 wrote to memory of 4028	2964	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 2964 wrote to memory of 4028	2964	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 2964 wrote to memory of 4028	2964	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 2964 wrote to memory of 4028	2964	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 2964 wrote to memory of 4028	2964	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 2964 wrote to memory of 4028	2964	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 2964 wrote to memory of 4028	2964	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 2964 wrote to memory of 4028	2964	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 4028 wrote to memory of 3096	4028	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 4028 wrote to memory of 3096	4028	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 4028 wrote to memory of 3096	4028	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 4028 wrote to memory of 3096	4028	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 4028 wrote to memory of 3096	4028	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 4028 wrote to memory of 3096	4028	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 4028 wrote to memory of 3096	4028	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 4028 wrote to memory of 3096	4028	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 4028 wrote to memory of 3096	4028	01ec980eefb52c397090c056a9750046.exe	01ec980eefb52c397090c056a9750046.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe
PID 3096 wrote to memory of 1248	3096	01ec980eefb52c397090c056a9750046.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\01ec980eefb52c397090c056a9750046.exe
"C:\Users\Admin\AppData\Local\Temp\01ec980eefb52c397090c056a9750046.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookAW
- Suspicious use of WriteProcessMemory
PID:2964

C:\Users\Admin\AppData\Local\Temp\01ec980eefb52c397090c056a9750046.exe
"C:\Users\Admin\AppData\Local\Temp\01ec980eefb52c397090c056a9750046.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4028

C:\Users\Admin\AppData\Local\Temp\01ec980eefb52c397090c056a9750046.exe
C:\Users\Admin\AppData\Local\Temp\01ec980eefb52c397090c056a9750046.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3096

C:\Program Files (x86)\Internet explorer\iexplore.exe
"C:\Program Files (x86)\Internet explorer\iexplore.exe"
1⤵
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3096-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3096-8-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3096-7-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3096-5-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3096-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4028-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4028-3-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4028-1-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4028-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4028-4-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4028-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads