1201469326d088b1430565ab4cad384dce54bf3c8d20961167a343706b80051d

Analysis

max time kernel
122s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

231c04816b08ed4fe5699fcbb0a25dd3.exe
Size

877KB
MD5

231c04816b08ed4fe5699fcbb0a25dd3
SHA1

52ecf5d223816cc5af6dc37208a7e81cb931f150
SHA256

1201469326d088b1430565ab4cad384dce54bf3c8d20961167a343706b80051d
SHA512

a6eb622d71868c2135473b10687d86d5e436a73b4b481125fc3eaf2601a9f8f57ee86b8238a1b97b009fae82593f67317b79e09466402c76effb56cd05da5d19
SSDEEP

24576:GoMLKmtvPyHu780y/4S1y9pNg4W7HMcKcN+2QHCUW:FiKmHyOWp7sc/Qw

Score

7^/10

evasion trojan

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2052	231c04816b08ed4fe5699fcbb0a25dd3.exe
2052	231c04816b08ed4fe5699fcbb0a25dd3.exe
2052	231c04816b08ed4fe5699fcbb0a25dd3.exe
2052	231c04816b08ed4fe5699fcbb0a25dd3.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	231c04816b08ed4fe5699fcbb0a25dd3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2056	3028	231c04816b08ed4fe5699fcbb0a25dd3.exe	17
PID 3028 wrote to memory of 2056	3028	231c04816b08ed4fe5699fcbb0a25dd3.exe	17
PID 3028 wrote to memory of 2056	3028	231c04816b08ed4fe5699fcbb0a25dd3.exe	17
PID 3028 wrote to memory of 2056	3028	231c04816b08ed4fe5699fcbb0a25dd3.exe	17
PID 3028 wrote to memory of 2056	3028	231c04816b08ed4fe5699fcbb0a25dd3.exe	17
PID 3028 wrote to memory of 2056	3028	231c04816b08ed4fe5699fcbb0a25dd3.exe	17
PID 3028 wrote to memory of 2056	3028	231c04816b08ed4fe5699fcbb0a25dd3.exe	17
PID 2056 wrote to memory of 2052	2056	231c04816b08ed4fe5699fcbb0a25dd3.exe	16
PID 2056 wrote to memory of 2052	2056	231c04816b08ed4fe5699fcbb0a25dd3.exe	16
PID 2056 wrote to memory of 2052	2056	231c04816b08ed4fe5699fcbb0a25dd3.exe	16
PID 2056 wrote to memory of 2052	2056	231c04816b08ed4fe5699fcbb0a25dd3.exe	16
PID 2056 wrote to memory of 2052	2056	231c04816b08ed4fe5699fcbb0a25dd3.exe	16
PID 2056 wrote to memory of 2052	2056	231c04816b08ed4fe5699fcbb0a25dd3.exe	16
PID 2056 wrote to memory of 2052	2056	231c04816b08ed4fe5699fcbb0a25dd3.exe	16

C:\Users\Admin\AppData\Local\Temp\231c04816b08ed4fe5699fcbb0a25dd3.exe
"C:\Users\Admin\AppData\Local\Temp\231c04816b08ed4fe5699fcbb0a25dd3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\231c04816b08ed4fe5699fcbb0a25dd3.exe
  "C:\Users\Admin\AppData\Local\Temp\231c04816b08ed4fe5699fcbb0a25dd3.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056

C:\Users\Admin\AppData\Local\Temp\231c04816b08ed4fe5699fcbb0a25dd3.exe
"C:\Users\Admin\AppData\Local\Temp\231c04816b08ed4fe5699fcbb0a25dd3.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\HAGB2yxxkkW7x1LW9ZM\extramod.dll

Filesize
73KB

MD5
5a61239f788562e02e92c68e7a93e4a2

SHA1
c014bd9e2f1b6ff0242cb3eeca5d8b938f30756f

SHA256
72dd0b9512e85d98664e28da81ed1b01f2dfe5d3b23adbf9decf064fbee5ee60

SHA512
8c212ff5149725175aab696d37f683560ab4bdc63e8ca4692c407c7bb00fce5e38ecc23ae2f011b82efb23ad96362e3ac6f2b64ca9293c07baeb38b913a5d3df

Download Submit
\Users\Admin\AppData\Local\Temp\HAGB2yxxkkW7x1LW9ZM\lua51.dll

Filesize
93KB

MD5
ac13346cd83b17e0f1d9dcd67d4b03ab

SHA1
af4e3a9d6854ab2c072ce4cbdeffc9ca8efd62ce

SHA256
d840535f9582b5db72a3e55eeaf9c9ffb939a572b8893ebc121fe9b53e0102ea

SHA512
7f8c80eaac8e80b37fdb7af107b9ee8da9eda28dea7a88e0d68556f838a9eaa85e3ea203d611c4fea0af08a29a6f5e9ba822c0d23c1612a42092e102661ae7de

Download Submit
memory/2052-5-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/2052-16-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2052-18-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/2052-19-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2052-17-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2052-15-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2052-14-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2052-13-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2052-10-0x0000000000310000-0x0000000000346000-memory.dmp

Filesize
216KB

Download
memory/2052-25-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download