105df86820f6622e54376cadf52997718e1adbfc8f6399bf2ba46631502c8be0

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d926007621112f518e3bf2a091025f8.exe
Size

876KB
MD5

0d926007621112f518e3bf2a091025f8
SHA1

e47cd2b8a2ad65de5e26577f9deecf281e6c9443
SHA256

105df86820f6622e54376cadf52997718e1adbfc8f6399bf2ba46631502c8be0
SHA512

a395bb67dc422cb1f4e757efb1acae66c1d574bf9bc127876fabc79d43ae2405fc526f4a0676fc23e8203bfbb8cb7d7e6aefa9b93f2df3fc905a5aeae1a97ec2
SSDEEP

24576:qpMLKmtvPyHu73LQqdbu4y9pNg4W7HMlG3bOAHCkbr:YiKmHyOrLjxPp7sGh

Score

7^/10

evasion trojan

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2924	0d926007621112f518e3bf2a091025f8.exe
2924	0d926007621112f518e3bf2a091025f8.exe
2924	0d926007621112f518e3bf2a091025f8.exe
2924	0d926007621112f518e3bf2a091025f8.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0d926007621112f518e3bf2a091025f8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 3048	3052	0d926007621112f518e3bf2a091025f8.exe	17
PID 3052 wrote to memory of 3048	3052	0d926007621112f518e3bf2a091025f8.exe	17
PID 3052 wrote to memory of 3048	3052	0d926007621112f518e3bf2a091025f8.exe	17
PID 3052 wrote to memory of 3048	3052	0d926007621112f518e3bf2a091025f8.exe	17
PID 3052 wrote to memory of 3048	3052	0d926007621112f518e3bf2a091025f8.exe	17
PID 3052 wrote to memory of 3048	3052	0d926007621112f518e3bf2a091025f8.exe	17
PID 3052 wrote to memory of 3048	3052	0d926007621112f518e3bf2a091025f8.exe	17
PID 3048 wrote to memory of 2924	3048	0d926007621112f518e3bf2a091025f8.exe	16
PID 3048 wrote to memory of 2924	3048	0d926007621112f518e3bf2a091025f8.exe	16
PID 3048 wrote to memory of 2924	3048	0d926007621112f518e3bf2a091025f8.exe	16
PID 3048 wrote to memory of 2924	3048	0d926007621112f518e3bf2a091025f8.exe	16
PID 3048 wrote to memory of 2924	3048	0d926007621112f518e3bf2a091025f8.exe	16
PID 3048 wrote to memory of 2924	3048	0d926007621112f518e3bf2a091025f8.exe	16
PID 3048 wrote to memory of 2924	3048	0d926007621112f518e3bf2a091025f8.exe	16

C:\Users\Admin\AppData\Local\Temp\0d926007621112f518e3bf2a091025f8.exe
"C:\Users\Admin\AppData\Local\Temp\0d926007621112f518e3bf2a091025f8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\0d926007621112f518e3bf2a091025f8.exe
  "C:\Users\Admin\AppData\Local\Temp\0d926007621112f518e3bf2a091025f8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048

C:\Users\Admin\AppData\Local\Temp\0d926007621112f518e3bf2a091025f8.exe
"C:\Users\Admin\AppData\Local\Temp\0d926007621112f518e3bf2a091025f8.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sAyF2e3YjvcOhMo2c7S\extramod.dll

Filesize
73KB

MD5
cf543e36bd516a35bd9a4b53a298158b

SHA1
567b09bce55e272d53f4974d84a096a8562cbda8

SHA256
8e003b6fdd64f635af7e6fa013e8e50af7413e68e92e3820c70565decc542b74

SHA512
dd19553abe81f2ba5035fd41ae41a996def419a2d554a470cfe9f8ddb8806e4602eaab0502fa4f4657330902a22eebe33a85c2f60ded3f9948620b36e60cae69

Download Submit
\Users\Admin\AppData\Local\Temp\sAyF2e3YjvcOhMo2c7S\lua51.dll

Filesize
494KB

MD5
f0c59526f8186eadaf2171b8fd2967c1

SHA1
8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb

SHA256
6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6

SHA512
dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

Download Submit
\Users\Admin\AppData\Local\Temp\sAyF2e3YjvcOhMo2c7S\shared_library.dll

Filesize
200KB

MD5
a61f3c8ec0f8050209c81af6feca8826

SHA1
0ec17fa1047e605882d9c0cb60af866837662644

SHA256
b3b1863d16b48c4f575776778faba1e6a3b77bc42371b518a6f517789de40f91

SHA512
b6154cb4fb6dd2cba0fd589c7db7765f36daea223ecfd87392caec9e671274f04ee280351b3e69cb8e839de4bd7f7a17cd04a5d624d81dbecfda6ec800c0cebd

Download Submit
memory/2924-5-0x00000000002E0000-0x00000000002F6000-memory.dmp

Filesize
88KB

Download
memory/2924-14-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/2924-20-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/2924-13-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2924-10-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download