a421bec61c141760bf319891f0120e1484cbc047ced4d3830b216ed12d034662

General

Target

0953be86f51ae54484ecf2dcf83784ac.exe
Size

1.9MB
MD5

0953be86f51ae54484ecf2dcf83784ac
SHA1

0fe80cd3a290736b82c82c2eb11b9f5775c74614
SHA256

a421bec61c141760bf319891f0120e1484cbc047ced4d3830b216ed12d034662
SHA512

c3c0008dc8701367b4cb8b74b550443baddf1a8c9563b73e2d1d8814463264801c7f374db6fe8cb9a3f021a648548f891a029a1f729f499f364e4e6ea8055d33
SSDEEP

49152:+08pEKXcPTC7WHI1xoA7xU81kHR6gWakurxp9U:+08pEQce7Wo1X

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1912	0953be86f51ae54484ecf2dcf83784ac.exe
1912	0953be86f51ae54484ecf2dcf83784ac.exe
1912	0953be86f51ae54484ecf2dcf83784ac.exe
1912	0953be86f51ae54484ecf2dcf83784ac.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0953be86f51ae54484ecf2dcf83784ac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2748	3052	0953be86f51ae54484ecf2dcf83784ac.exe	16
PID 3052 wrote to memory of 2748	3052	0953be86f51ae54484ecf2dcf83784ac.exe	16
PID 3052 wrote to memory of 2748	3052	0953be86f51ae54484ecf2dcf83784ac.exe	16
PID 3052 wrote to memory of 2748	3052	0953be86f51ae54484ecf2dcf83784ac.exe	16
PID 3052 wrote to memory of 2748	3052	0953be86f51ae54484ecf2dcf83784ac.exe	16
PID 3052 wrote to memory of 2748	3052	0953be86f51ae54484ecf2dcf83784ac.exe	16
PID 3052 wrote to memory of 2748	3052	0953be86f51ae54484ecf2dcf83784ac.exe	16
PID 2748 wrote to memory of 1912	2748	0953be86f51ae54484ecf2dcf83784ac.exe	17
PID 2748 wrote to memory of 1912	2748	0953be86f51ae54484ecf2dcf83784ac.exe	17
PID 2748 wrote to memory of 1912	2748	0953be86f51ae54484ecf2dcf83784ac.exe	17
PID 2748 wrote to memory of 1912	2748	0953be86f51ae54484ecf2dcf83784ac.exe	17
PID 2748 wrote to memory of 1912	2748	0953be86f51ae54484ecf2dcf83784ac.exe	17
PID 2748 wrote to memory of 1912	2748	0953be86f51ae54484ecf2dcf83784ac.exe	17
PID 2748 wrote to memory of 1912	2748	0953be86f51ae54484ecf2dcf83784ac.exe	17

C:\Users\Admin\AppData\Local\Temp\0953be86f51ae54484ecf2dcf83784ac.exe
"C:\Users\Admin\AppData\Local\Temp\0953be86f51ae54484ecf2dcf83784ac.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\0953be86f51ae54484ecf2dcf83784ac.exe
  "C:\Users\Admin\AppData\Local\Temp\0953be86f51ae54484ecf2dcf83784ac.exe"
  2⤵
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:1912

C:\Users\Admin\AppData\Local\Temp\0953be86f51ae54484ecf2dcf83784ac.exe
"C:\Users\Admin\AppData\Local\Temp\0953be86f51ae54484ecf2dcf83784ac.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\NRZzLcoTVf4K16sqzOP\1wD9SJWAn.dll

Filesize
74KB

MD5
c9615703879a9e8aefe5149d5ee7ffaa

SHA1
e9e152fcb956436d2521ea89666a60e6aa4da179

SHA256
fb45356482d89288223e06d2c70107150df2a81be6351b0aa27eb3345da2ca51

SHA512
636ca645291a2adac2eb92dcd7fbbb5d84d6467d1ef8f0cbdbfed04ac20c20722c0dbc17613e61ef6ef6822b2de8a6378361d2c771165ef1ff7f7d82bb0d9801

Download Submit
\Users\Admin\AppData\Local\Temp\NRZzLcoTVf4K16sqzOP\2b2VkRdZTI.dll

Filesize
200KB

MD5
1f7bd201509f06224923d81011d17e5f

SHA1
714c8294180cddc5fa87287f26932993c6f6fed6

SHA256
d372f7a2512d1a2483e36f2c4ea2bb57ce6c6c25e8c614461b668e29af057b97

SHA512
b284b7ec57cdb4fe0f2e1216d3655626ab2e1e3956c084af4b177e629f20bce829afd04a9905506a7b87b550b5d0198c7d7571000beb016a713b5917645c99b3

Download Submit
\Users\Admin\AppData\Local\Temp\NRZzLcoTVf4K16sqzOP\lua51.dll

Filesize
494KB

MD5
f0c59526f8186eadaf2171b8fd2967c1

SHA1
8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb

SHA256
6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6

SHA512
dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

Download Submit
\Users\Admin\AppData\Local\Temp\NRZzLcoTVf4K16sqzOP\yZvWSsXxcDUukLwXNnrSdEbC90vWFf90iJ.dll

Filesize
5KB

MD5
44dac7f87bdf94d553f8d2cf073d605d

SHA1
21bf5d714b9fcab32ba40ff7d36e48c378b67a06

SHA256
0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66

SHA512
92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

Download Submit
memory/1912-19-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/1912-20-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/1912-18-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/1912-17-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/1912-16-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/1912-13-0x0000000000320000-0x0000000000356000-memory.dmp

Filesize
216KB

Download
memory/1912-21-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/1912-8-0x00000000001E0000-0x00000000001F7000-memory.dmp

Filesize
92KB

Download
memory/3052-0-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing