22cabd42478ff26f0d1b2d42ac2211aa746cb658fb0203234bd6f40597b4a413

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03712cd78ba7f33cd4f5fca205f76e8e.exe
Size

873KB
MD5

03712cd78ba7f33cd4f5fca205f76e8e
SHA1

0fc13ae27d19cf887d40f9d884df1cf35f5f5212
SHA256

22cabd42478ff26f0d1b2d42ac2211aa746cb658fb0203234bd6f40597b4a413
SHA512

1408f11c79d32c7c71d10f2127ca9114d4d35013b0d7729d6fa82d4ddffec595976d9e52dcf9bd3d4893573da96ce3dce9dddb27bab0dc726be9c4c1c20c019e
SSDEEP

24576:roMLKmtvPyHu78qiy9pNg4W7HMRG3bOAHCL:siKmHyOUp7sa

Score

7^/10

evasion trojan

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2404	03712cd78ba7f33cd4f5fca205f76e8e.exe
2404	03712cd78ba7f33cd4f5fca205f76e8e.exe
2404	03712cd78ba7f33cd4f5fca205f76e8e.exe
2404	03712cd78ba7f33cd4f5fca205f76e8e.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	03712cd78ba7f33cd4f5fca205f76e8e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2156	2128	03712cd78ba7f33cd4f5fca205f76e8e.exe	28
PID 2128 wrote to memory of 2156	2128	03712cd78ba7f33cd4f5fca205f76e8e.exe	28
PID 2128 wrote to memory of 2156	2128	03712cd78ba7f33cd4f5fca205f76e8e.exe	28
PID 2128 wrote to memory of 2156	2128	03712cd78ba7f33cd4f5fca205f76e8e.exe	28
PID 2128 wrote to memory of 2156	2128	03712cd78ba7f33cd4f5fca205f76e8e.exe	28
PID 2128 wrote to memory of 2156	2128	03712cd78ba7f33cd4f5fca205f76e8e.exe	28
PID 2128 wrote to memory of 2156	2128	03712cd78ba7f33cd4f5fca205f76e8e.exe	28
PID 2156 wrote to memory of 2404	2156	03712cd78ba7f33cd4f5fca205f76e8e.exe	29
PID 2156 wrote to memory of 2404	2156	03712cd78ba7f33cd4f5fca205f76e8e.exe	29
PID 2156 wrote to memory of 2404	2156	03712cd78ba7f33cd4f5fca205f76e8e.exe	29
PID 2156 wrote to memory of 2404	2156	03712cd78ba7f33cd4f5fca205f76e8e.exe	29
PID 2156 wrote to memory of 2404	2156	03712cd78ba7f33cd4f5fca205f76e8e.exe	29
PID 2156 wrote to memory of 2404	2156	03712cd78ba7f33cd4f5fca205f76e8e.exe	29
PID 2156 wrote to memory of 2404	2156	03712cd78ba7f33cd4f5fca205f76e8e.exe	29

C:\Users\Admin\AppData\Local\Temp\03712cd78ba7f33cd4f5fca205f76e8e.exe
"C:\Users\Admin\AppData\Local\Temp\03712cd78ba7f33cd4f5fca205f76e8e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\03712cd78ba7f33cd4f5fca205f76e8e.exe
  "C:\Users\Admin\AppData\Local\Temp\03712cd78ba7f33cd4f5fca205f76e8e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\03712cd78ba7f33cd4f5fca205f76e8e.exe
    "C:\Users\Admin\AppData\Local\Temp\03712cd78ba7f33cd4f5fca205f76e8e.exe"
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\vnHgmtNQGEriB9PVWxy\extramod.dll

Filesize
73KB

MD5
ba02602ad0e9cfd7077a49b0a7effb60

SHA1
d7d64ddb87b4b8e29654506e78f7afe7c50e9a05

SHA256
45a8553a3da3cad7f2adf0422a237879965155687973248491a784709f644d33

SHA512
652c8ab424010c82d3f8181dfa7aed531db5a9cb55541a5c646ca6a16b344392190e76af96a339d7804bdc27bd2ee64593d160af5c07edbac50cafa16645569b

Download Submit
\Users\Admin\AppData\Local\Temp\vnHgmtNQGEriB9PVWxy\loading_screen.dll

Filesize
5KB

MD5
44dac7f87bdf94d553f8d2cf073d605d

SHA1
21bf5d714b9fcab32ba40ff7d36e48c378b67a06

SHA256
0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66

SHA512
92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

Download Submit
\Users\Admin\AppData\Local\Temp\vnHgmtNQGEriB9PVWxy\lua51.dll

Filesize
494KB

MD5
f0c59526f8186eadaf2171b8fd2967c1

SHA1
8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb

SHA256
6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6

SHA512
dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

Download Submit
\Users\Admin\AppData\Local\Temp\vnHgmtNQGEriB9PVWxy\shared_library.dll

Filesize
200KB

MD5
2c5702aaaf0d6cb042b67d750a93bc2f

SHA1
e1ba0d8ff6d4e9a5780e1d769639243271e1df62

SHA256
010eb568755f192c6571cfb1aaf05daa6aee3293793ad90f1cff46ea1e32e868

SHA512
217dd3bc3684d9d0427eab78344300b98ac2ccbe25b8977a94f9274d7f1a030e766c8e75875f69cf450ce83fbec23ef27724657b3c78690cea2d6fef98fb88fa

Download Submit
memory/2404-5-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/2404-10-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2404-13-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2404-14-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/2404-20-0x000000007EEF0000-0x000000007EF00000-memory.dmp

Filesize
64KB

Download