a421bec61c141760bf319891f0120e1484cbc047ced4d3830b216ed12d034662

Analysis

max time kernel
148s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0953be86f51ae54484ecf2dcf83784ac.exe
Size

1.9MB
MD5

0953be86f51ae54484ecf2dcf83784ac
SHA1

0fe80cd3a290736b82c82c2eb11b9f5775c74614
SHA256

a421bec61c141760bf319891f0120e1484cbc047ced4d3830b216ed12d034662
SHA512

c3c0008dc8701367b4cb8b74b550443baddf1a8c9563b73e2d1d8814463264801c7f374db6fe8cb9a3f021a648548f891a029a1f729f499f364e4e6ea8055d33
SSDEEP

49152:+08pEKXcPTC7WHI1xoA7xU81kHR6gWakurxp9U:+08pEQce7Wo1X

Score

7^/10

evasion trojan

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
2288	0953be86f51ae54484ecf2dcf83784ac.exe
2288	0953be86f51ae54484ecf2dcf83784ac.exe
2288	0953be86f51ae54484ecf2dcf83784ac.exe
2288	0953be86f51ae54484ecf2dcf83784ac.exe
2288	0953be86f51ae54484ecf2dcf83784ac.exe
2288	0953be86f51ae54484ecf2dcf83784ac.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0953be86f51ae54484ecf2dcf83784ac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 3148	4272	0953be86f51ae54484ecf2dcf83784ac.exe	16
PID 4272 wrote to memory of 3148	4272	0953be86f51ae54484ecf2dcf83784ac.exe	16
PID 4272 wrote to memory of 3148	4272	0953be86f51ae54484ecf2dcf83784ac.exe	16
PID 3148 wrote to memory of 2288	3148	0953be86f51ae54484ecf2dcf83784ac.exe	20
PID 3148 wrote to memory of 2288	3148	0953be86f51ae54484ecf2dcf83784ac.exe	20
PID 3148 wrote to memory of 2288	3148	0953be86f51ae54484ecf2dcf83784ac.exe	20

C:\Users\Admin\AppData\Local\Temp\0953be86f51ae54484ecf2dcf83784ac.exe
"C:\Users\Admin\AppData\Local\Temp\0953be86f51ae54484ecf2dcf83784ac.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Users\Admin\AppData\Local\Temp\0953be86f51ae54484ecf2dcf83784ac.exe
  "C:\Users\Admin\AppData\Local\Temp\0953be86f51ae54484ecf2dcf83784ac.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Users\Admin\AppData\Local\Temp\0953be86f51ae54484ecf2dcf83784ac.exe
    "C:\Users\Admin\AppData\Local\Temp\0953be86f51ae54484ecf2dcf83784ac.exe"
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XOmoK4oZ3fhcBEi0vxF\1dwU86x5u.dll

Filesize
74KB

MD5
c9615703879a9e8aefe5149d5ee7ffaa

SHA1
e9e152fcb956436d2521ea89666a60e6aa4da179

SHA256
fb45356482d89288223e06d2c70107150df2a81be6351b0aa27eb3345da2ca51

SHA512
636ca645291a2adac2eb92dcd7fbbb5d84d6467d1ef8f0cbdbfed04ac20c20722c0dbc17613e61ef6ef6822b2de8a6378361d2c771165ef1ff7f7d82bb0d9801

Download Submit
C:\Users\Admin\AppData\Local\Temp\XOmoK4oZ3fhcBEi0vxF\2kMW9X5KDe.dll

Filesize
146KB

MD5
d8ffc11dd6f46e86488761989f8c3e38

SHA1
6f09dd0ec75fc222d69a31ff40bdf883746efbb5

SHA256
a0d737e5e07777e91d04b9e86bc3e47fb3d8f37aad3c5e3330bb1b5350a58a91

SHA512
de83ce938fe8525abec888a332b62104853522d4677a617309739267984eaada1b0f6cc700253f252ac1c23609d0fa47997212acb72b9e2e44b0681569095945

Download Submit
C:\Users\Admin\AppData\Local\Temp\XOmoK4oZ3fhcBEi0vxF\2kMW9X5KDe.dll

Filesize
200KB

MD5
1f7bd201509f06224923d81011d17e5f

SHA1
714c8294180cddc5fa87287f26932993c6f6fed6

SHA256
d372f7a2512d1a2483e36f2c4ea2bb57ce6c6c25e8c614461b668e29af057b97

SHA512
b284b7ec57cdb4fe0f2e1216d3655626ab2e1e3956c084af4b177e629f20bce829afd04a9905506a7b87b550b5d0198c7d7571000beb016a713b5917645c99b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XOmoK4oZ3fhcBEi0vxF\lua51.dll

Filesize
40KB

MD5
e44cf6d81af9d4c33c7a28c3b9bbeaf4

SHA1
5daefff90e441c8408fed06659b5f5d66da2bad9

SHA256
21f9a6d4b1d98656808c281a8665888e2b4e4387e00b46a4965eb9d7fbd9576a

SHA512
3c5de95dc67634cb6a8cce63fe2f96c3328ace3a49ac4f2cd8f42bac2d9b4614891463818517e631f61239710db5fd84d5f7dd650c11df9ba7931ee79b3ec07f

Download Submit
memory/2288-21-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/2288-23-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/2288-22-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/2288-20-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/2288-24-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/2288-25-0x000000007FE30000-0x000000007FE40000-memory.dmp

Filesize
64KB

Download
memory/2288-10-0x0000000000670000-0x0000000000687000-memory.dmp

Filesize
92KB

Download
memory/2288-17-0x0000000000AA0000-0x0000000000AD6000-memory.dmp

Filesize
216KB

Download
memory/2288-2-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3148-1-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4272-0-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download