24ace6947c0961244fd9bb63233b000e03d03d9d6c2e0abc275b7a9d81188279

General

Target

7439e381dd0f661b2c337ec55024dced.exe
Size

875KB
MD5

7439e381dd0f661b2c337ec55024dced
SHA1

2d1a4c8be66d651832b2da804b2d842f2b06bba1
SHA256

24ace6947c0961244fd9bb63233b000e03d03d9d6c2e0abc275b7a9d81188279
SHA512

c3d869a59dcaad6ea3cd49a26619dbcc2d4c3aea44eddb5b8c41b7f0241f97dfef6a4ece63aed3f646f745cf56f6ae57b1fc35920da68b7e0265fe5308ece46a
SSDEEP

24576:rgMLKmtvPyHu7EtwNy9pNg4W7HM8wcN+2QHCeM:EiKmHyOotAp7s8NQY

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
796	7439e381dd0f661b2c337ec55024dced.exe
796	7439e381dd0f661b2c337ec55024dced.exe
796	7439e381dd0f661b2c337ec55024dced.exe
796	7439e381dd0f661b2c337ec55024dced.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7439e381dd0f661b2c337ec55024dced.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 1520	1268	7439e381dd0f661b2c337ec55024dced.exe	17
PID 1268 wrote to memory of 1520	1268	7439e381dd0f661b2c337ec55024dced.exe	17
PID 1268 wrote to memory of 1520	1268	7439e381dd0f661b2c337ec55024dced.exe	17
PID 1268 wrote to memory of 1520	1268	7439e381dd0f661b2c337ec55024dced.exe	17
PID 1268 wrote to memory of 1520	1268	7439e381dd0f661b2c337ec55024dced.exe	17
PID 1268 wrote to memory of 1520	1268	7439e381dd0f661b2c337ec55024dced.exe	17
PID 1268 wrote to memory of 1520	1268	7439e381dd0f661b2c337ec55024dced.exe	17
PID 1520 wrote to memory of 796	1520	7439e381dd0f661b2c337ec55024dced.exe	16
PID 1520 wrote to memory of 796	1520	7439e381dd0f661b2c337ec55024dced.exe	16
PID 1520 wrote to memory of 796	1520	7439e381dd0f661b2c337ec55024dced.exe	16
PID 1520 wrote to memory of 796	1520	7439e381dd0f661b2c337ec55024dced.exe	16
PID 1520 wrote to memory of 796	1520	7439e381dd0f661b2c337ec55024dced.exe	16
PID 1520 wrote to memory of 796	1520	7439e381dd0f661b2c337ec55024dced.exe	16
PID 1520 wrote to memory of 796	1520	7439e381dd0f661b2c337ec55024dced.exe	16

C:\Users\Admin\AppData\Local\Temp\7439e381dd0f661b2c337ec55024dced.exe
"C:\Users\Admin\AppData\Local\Temp\7439e381dd0f661b2c337ec55024dced.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\7439e381dd0f661b2c337ec55024dced.exe
  "C:\Users\Admin\AppData\Local\Temp\7439e381dd0f661b2c337ec55024dced.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1520

C:\Users\Admin\AppData\Local\Temp\7439e381dd0f661b2c337ec55024dced.exe
"C:\Users\Admin\AppData\Local\Temp\7439e381dd0f661b2c337ec55024dced.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
PID:796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\yqNDAMUVC98iGw9XfOY\extramod.dll

Filesize
73KB

MD5
bcbe6719f6926081535a338038978200

SHA1
16ea039986e3ad9386a8f49b13d8d104933ed80b

SHA256
6b58e1d705c3edabfcce81d3e36e0ae4c9650ea3d8034d53775d0d9d863b95a4

SHA512
a110060f00ef350c19471d6dff596a15137b1807ae68b73346e2290140583306093c913e7afb935e49618f41b1e3b97ee00e0ac5ff4af107aca508c29c2f7660

Download Submit
\Users\Admin\AppData\Local\Temp\yqNDAMUVC98iGw9XfOY\lua51.dll

Filesize
494KB

MD5
f0c59526f8186eadaf2171b8fd2967c1

SHA1
8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb

SHA256
6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6

SHA512
dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

Download Submit
\Users\Admin\AppData\Local\Temp\yqNDAMUVC98iGw9XfOY\shared_library.dll

Filesize
200KB

MD5
63f534de4d35212c9ab5df430cfa8b7d

SHA1
079eab205e0ddcc89286f2b866eafe6ade36100d

SHA256
dfbf50ad0588800c617599ed021cb9a7d55b2afb7b1426d8042c3683298dc5c5

SHA512
95c7f77b2915020093226335b305b2456611eb6f2ffc2807733d52c6e97a0e1fcd34cd68f8dbaf5fa19e4cb4f4f2ffa9907505cee8fb417da0dd1a419c93978f

Download Submit
memory/796-17-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/796-16-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/796-15-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/796-14-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/796-13-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/796-10-0x00000000004E0000-0x0000000000516000-memory.dmp

Filesize
216KB

Download
memory/796-18-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/796-5-0x00000000003D0000-0x00000000003E6000-memory.dmp

Filesize
88KB

Download
memory/796-19-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/796-25-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing