064b10fc1343b6691b6b4ddcb3c7f3ff05251583d7f7c4a27941afb97f40ce9b

General

Target

6856b8885819321bab3b9552ae033673.exe
Size

876KB
MD5

6856b8885819321bab3b9552ae033673
SHA1

b4e33799370b3a93caa47690fd0c953f511d725a
SHA256

064b10fc1343b6691b6b4ddcb3c7f3ff05251583d7f7c4a27941afb97f40ce9b
SHA512

f261e36a1a901a679b0b49224d1b9903d100fa2b86c6f1e7ed1000138226826060160c0e70fcbfe47b15a2e9a56b903324b812e168155e4aeac411f052b83387
SSDEEP

24576:zdMLKmtvPyHu7dgoA4S3y9pNg4W7HMcYcN+2QHCXRD:ZiKmHyOx7Sp7sclQM

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2544	6856b8885819321bab3b9552ae033673.exe
2544	6856b8885819321bab3b9552ae033673.exe
2544	6856b8885819321bab3b9552ae033673.exe
2544	6856b8885819321bab3b9552ae033673.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6856b8885819321bab3b9552ae033673.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2176	1220	6856b8885819321bab3b9552ae033673.exe	16
PID 1220 wrote to memory of 2176	1220	6856b8885819321bab3b9552ae033673.exe	16
PID 1220 wrote to memory of 2176	1220	6856b8885819321bab3b9552ae033673.exe	16
PID 1220 wrote to memory of 2176	1220	6856b8885819321bab3b9552ae033673.exe	16
PID 1220 wrote to memory of 2176	1220	6856b8885819321bab3b9552ae033673.exe	16
PID 1220 wrote to memory of 2176	1220	6856b8885819321bab3b9552ae033673.exe	16
PID 1220 wrote to memory of 2176	1220	6856b8885819321bab3b9552ae033673.exe	16
PID 2176 wrote to memory of 2544	2176	6856b8885819321bab3b9552ae033673.exe	17
PID 2176 wrote to memory of 2544	2176	6856b8885819321bab3b9552ae033673.exe	17
PID 2176 wrote to memory of 2544	2176	6856b8885819321bab3b9552ae033673.exe	17
PID 2176 wrote to memory of 2544	2176	6856b8885819321bab3b9552ae033673.exe	17
PID 2176 wrote to memory of 2544	2176	6856b8885819321bab3b9552ae033673.exe	17
PID 2176 wrote to memory of 2544	2176	6856b8885819321bab3b9552ae033673.exe	17
PID 2176 wrote to memory of 2544	2176	6856b8885819321bab3b9552ae033673.exe	17

C:\Users\Admin\AppData\Local\Temp\6856b8885819321bab3b9552ae033673.exe
"C:\Users\Admin\AppData\Local\Temp\6856b8885819321bab3b9552ae033673.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\6856b8885819321bab3b9552ae033673.exe
  "C:\Users\Admin\AppData\Local\Temp\6856b8885819321bab3b9552ae033673.exe"
  2⤵
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:2544

C:\Users\Admin\AppData\Local\Temp\6856b8885819321bab3b9552ae033673.exe
"C:\Users\Admin\AppData\Local\Temp\6856b8885819321bab3b9552ae033673.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\yu1qLClHaWvvR9Ok6Pz\extramod.dll

Filesize
73KB

MD5
b01d2b9a44796a3ebe1901c8e6b3b555

SHA1
aa61156b30dbb381fb9acaacb046e14641a46202

SHA256
4772a79a22439b608822d2d1d29f29b3d26dc272b92688e94437bfb45f88c6dd

SHA512
bf5628afa126661ce1568052b8aed80bbb70ce8625e0e770dcaa3aa1101a77feaea0e506eb0f11dca4908c70ddb82c6dc626156c2279c7b068f2783316aa2e11

Download Submit
\Users\Admin\AppData\Local\Temp\yu1qLClHaWvvR9Ok6Pz\lua51.dll

Filesize
494KB

MD5
f0c59526f8186eadaf2171b8fd2967c1

SHA1
8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb

SHA256
6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6

SHA512
dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

Download Submit
\Users\Admin\AppData\Local\Temp\yu1qLClHaWvvR9Ok6Pz\shared_library.dll

Filesize
200KB

MD5
135661e77535ccdc5d8e282854ea31c2

SHA1
063581f9d16e79efb48669306fe83e518109452d

SHA256
b285fe16c7a0fde1ae65ea7106b44ee15429f85381eb3049f2783fde603ba4b6

SHA512
d0d455d1ea88b598e7e999fadb5ac5a98c8aafe25fe5f74e76a469e4f91ece8580da8b11b4f4f1991c7024b24d3f3a0fe9236eeed4976b98cfa5268dafa998cb

Download Submit
memory/2544-17-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2544-18-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/2544-19-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2544-13-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2544-25-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/2544-16-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2544-15-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2544-14-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2544-10-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2544-5-0x0000000000280000-0x0000000000296000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing