05f8de50093280c4160daebb573cf0f79bd94cf7a721d1571a1352841213b46f

General

Target

720ceb08fa14a227b5194069a5255f15.exe
Size

876KB
MD5

720ceb08fa14a227b5194069a5255f15
SHA1

50644f2c22328f4b44e0467369ee38f338f8c995
SHA256

05f8de50093280c4160daebb573cf0f79bd94cf7a721d1571a1352841213b46f
SHA512

fe7fae9ca660ab568c52b608fc303f2854354b89f7c235492a64527eb6e0f524f5af9c3201a916c665b3974d331a967c88bb3ee35fccce3542c0abe2ac7a827f
SSDEEP

24576:ePMLKmtvPyHu7btwMy9pNg4W7HM0G3bOAHCHd5:2iKmHyO3tHp7srW

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2028	720ceb08fa14a227b5194069a5255f15.exe
2028	720ceb08fa14a227b5194069a5255f15.exe
2028	720ceb08fa14a227b5194069a5255f15.exe
2028	720ceb08fa14a227b5194069a5255f15.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	720ceb08fa14a227b5194069a5255f15.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2932	2052	720ceb08fa14a227b5194069a5255f15.exe	28
PID 2052 wrote to memory of 2932	2052	720ceb08fa14a227b5194069a5255f15.exe	28
PID 2052 wrote to memory of 2932	2052	720ceb08fa14a227b5194069a5255f15.exe	28
PID 2052 wrote to memory of 2932	2052	720ceb08fa14a227b5194069a5255f15.exe	28
PID 2052 wrote to memory of 2932	2052	720ceb08fa14a227b5194069a5255f15.exe	28
PID 2052 wrote to memory of 2932	2052	720ceb08fa14a227b5194069a5255f15.exe	28
PID 2052 wrote to memory of 2932	2052	720ceb08fa14a227b5194069a5255f15.exe	28
PID 2932 wrote to memory of 2028	2932	720ceb08fa14a227b5194069a5255f15.exe	29
PID 2932 wrote to memory of 2028	2932	720ceb08fa14a227b5194069a5255f15.exe	29
PID 2932 wrote to memory of 2028	2932	720ceb08fa14a227b5194069a5255f15.exe	29
PID 2932 wrote to memory of 2028	2932	720ceb08fa14a227b5194069a5255f15.exe	29
PID 2932 wrote to memory of 2028	2932	720ceb08fa14a227b5194069a5255f15.exe	29
PID 2932 wrote to memory of 2028	2932	720ceb08fa14a227b5194069a5255f15.exe	29
PID 2932 wrote to memory of 2028	2932	720ceb08fa14a227b5194069a5255f15.exe	29

C:\Users\Admin\AppData\Local\Temp\720ceb08fa14a227b5194069a5255f15.exe
"C:\Users\Admin\AppData\Local\Temp\720ceb08fa14a227b5194069a5255f15.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\720ceb08fa14a227b5194069a5255f15.exe
  "C:\Users\Admin\AppData\Local\Temp\720ceb08fa14a227b5194069a5255f15.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\720ceb08fa14a227b5194069a5255f15.exe
    "C:\Users\Admin\AppData\Local\Temp\720ceb08fa14a227b5194069a5255f15.exe"
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Ov7dWnq23GVw8GPOuPQ\extramod.dll

Filesize
73KB

MD5
2f427a229b5f025bfbeb7a5465bd14c1

SHA1
8722a1bb86a7bbb870d5993f353fcba4300d68a8

SHA256
b80e0c85913c1af5418d5cf0679e8912b64649f6b19c768775cbd9a850161a48

SHA512
d81354c33fe00baef66ad910823a19f68e02b981168e5551e34023d07eb6b3d3504f86e947d99c54e50dd9de2ce67bb52a752246ba09d0ab7342777f8269d113

Download Submit
\Users\Admin\AppData\Local\Temp\Ov7dWnq23GVw8GPOuPQ\loading_screen.dll

Filesize
5KB

MD5
44dac7f87bdf94d553f8d2cf073d605d

SHA1
21bf5d714b9fcab32ba40ff7d36e48c378b67a06

SHA256
0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66

SHA512
92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

Download Submit
\Users\Admin\AppData\Local\Temp\Ov7dWnq23GVw8GPOuPQ\lua51.dll

Filesize
494KB

MD5
f0c59526f8186eadaf2171b8fd2967c1

SHA1
8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb

SHA256
6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6

SHA512
dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

Download Submit
\Users\Admin\AppData\Local\Temp\Ov7dWnq23GVw8GPOuPQ\shared_library.dll

Filesize
200KB

MD5
c22c31c3beaa5d1acd28be22f4ee6cb0

SHA1
bdcc3d48170bb17797645d0867fb9f3c431997de

SHA256
1d752198bfd87981b9261db291dab32f668d5827fea4e863967fc7bdb00d2c81

SHA512
992940106731c0cad1ef41e2f9d8c702608addb6575a151804cc1760bc7762ce79faf93176711e4b8e1b22d3e76d39101184059dfb463508f8585a21da01f8fd

Download Submit
memory/2028-5-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/2028-10-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2028-13-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2028-14-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/2028-15-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2028-21-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing