13482c7c9d4cb022bb5b5f1b9ec1d823327ac9736268809f75cf7c16883e9a31

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b2aedc65960f45749e475568081efe8.exe
Size

877KB
MD5

5b2aedc65960f45749e475568081efe8
SHA1

fa1ded647f377b356c62d8a45de14a5e47a5b2da
SHA256

13482c7c9d4cb022bb5b5f1b9ec1d823327ac9736268809f75cf7c16883e9a31
SHA512

87f6a54d13df2e3bca13be78fb7b90ca31af9f534bcda2e1307d0881c586d608741892fb0dae00cb0f9e7525057903f75015cb84e125c29684750b6db7b40436
SSDEEP

24576:xVMLKmtvPyHu7Dytct6y9pNg4W7HM+G3bOAHCSK:jiKmHyOnUp7sVC

Score

7^/10

evasion trojan

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2792	5b2aedc65960f45749e475568081efe8.exe
2792	5b2aedc65960f45749e475568081efe8.exe
2792	5b2aedc65960f45749e475568081efe8.exe
2792	5b2aedc65960f45749e475568081efe8.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5b2aedc65960f45749e475568081efe8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2264	1364	5b2aedc65960f45749e475568081efe8.exe	17
PID 1364 wrote to memory of 2264	1364	5b2aedc65960f45749e475568081efe8.exe	17
PID 1364 wrote to memory of 2264	1364	5b2aedc65960f45749e475568081efe8.exe	17
PID 1364 wrote to memory of 2264	1364	5b2aedc65960f45749e475568081efe8.exe	17
PID 1364 wrote to memory of 2264	1364	5b2aedc65960f45749e475568081efe8.exe	17
PID 1364 wrote to memory of 2264	1364	5b2aedc65960f45749e475568081efe8.exe	17
PID 1364 wrote to memory of 2264	1364	5b2aedc65960f45749e475568081efe8.exe	17
PID 2264 wrote to memory of 2792	2264	5b2aedc65960f45749e475568081efe8.exe	16
PID 2264 wrote to memory of 2792	2264	5b2aedc65960f45749e475568081efe8.exe	16
PID 2264 wrote to memory of 2792	2264	5b2aedc65960f45749e475568081efe8.exe	16
PID 2264 wrote to memory of 2792	2264	5b2aedc65960f45749e475568081efe8.exe	16
PID 2264 wrote to memory of 2792	2264	5b2aedc65960f45749e475568081efe8.exe	16
PID 2264 wrote to memory of 2792	2264	5b2aedc65960f45749e475568081efe8.exe	16
PID 2264 wrote to memory of 2792	2264	5b2aedc65960f45749e475568081efe8.exe	16

C:\Users\Admin\AppData\Local\Temp\5b2aedc65960f45749e475568081efe8.exe
"C:\Users\Admin\AppData\Local\Temp\5b2aedc65960f45749e475568081efe8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\5b2aedc65960f45749e475568081efe8.exe
  "C:\Users\Admin\AppData\Local\Temp\5b2aedc65960f45749e475568081efe8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2264

C:\Users\Admin\AppData\Local\Temp\5b2aedc65960f45749e475568081efe8.exe
"C:\Users\Admin\AppData\Local\Temp\5b2aedc65960f45749e475568081efe8.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\9dH4fefosczw3eB3IMe\extramod.dll

Filesize
10KB

MD5
1ddbe76d3276680a13d785ecf4e14b7e

SHA1
b34c56d75a1d1d47d784b5bc4737315450154662

SHA256
e172c5aa0feedeaae14098b2eb9e8c7f7f7eebb6a734b682c43135a118d30075

SHA512
79a20ade94ab0de3879f487a324c65e38e36dca009662f325063b3a648730f6649a67aaffe0e798e7e0dd2882909198d9aaa26982106bdb940b5409b5b8528cb

Download Submit
\Users\Admin\AppData\Local\Temp\9dH4fefosczw3eB3IMe\loading_screen.dll

Filesize
5KB

MD5
44dac7f87bdf94d553f8d2cf073d605d

SHA1
21bf5d714b9fcab32ba40ff7d36e48c378b67a06

SHA256
0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66

SHA512
92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

Download Submit
\Users\Admin\AppData\Local\Temp\9dH4fefosczw3eB3IMe\lua51.dll

Filesize
11KB

MD5
4f170ae27bf7dfba6e852dc25c6b47b7

SHA1
dbe9e7d7cc4723d2c63f544959001736ce7818d2

SHA256
9d8930b6643ea20a4cfa0158b3561809bfe5fdcffd80ec05d5b1e29d9e6699f0

SHA512
bb13763b6e29cc74f7db59db27caa8fbadb1c0181fdc43ffa44f0581d251c1caf8b56721491d8b974cb645a534733523ec5be7e307a1bab2af5f98499584520f

Download Submit
\Users\Admin\AppData\Local\Temp\9dH4fefosczw3eB3IMe\shared_library.dll

Filesize
82KB

MD5
33df5dd0ec754e5fc6786e10bde80c7d

SHA1
26b29348156163f242711ab6085b2f8332325eb0

SHA256
c3683024bb16f0398d34b7b8715591fdcdddddb48773495ef369033ee25f1c6b

SHA512
967f2c4ee7a933f2140d39d49c7c37fd6e3a110c65b15fa338a0a6805e56057c6b203218905f6c9ab826cf17926cfe34467d3ca9ffb5206816d1f83bf91ba0a3

Download Submit
memory/2792-5-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/2792-14-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/2792-20-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/2792-13-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2792-10-0x00000000002B0000-0x00000000002E6000-memory.dmp

Filesize
216KB

Download