132bf5cbdd39d79e130edacfef3b7526af223eb3f9978c25fcf9dc9cd80e1c46

General

Target

794c2cd8e88015f067e827dfee27151e.exe
Size

874KB
MD5

794c2cd8e88015f067e827dfee27151e
SHA1

2d8bf5eada2ec2866db0a081ba55eb269d2d59b8
SHA256

132bf5cbdd39d79e130edacfef3b7526af223eb3f9978c25fcf9dc9cd80e1c46
SHA512

2d253b436787da01b5d754d30f55320f04a0f7a3eb7c874926c335335db9dcc759778b47370ce408da32f1dc3af7db1ea7c3441efa48e1988e56db678574bbe4
SSDEEP

24576:gqMLKmtvPyHu7c8v5XsK4y9pNg4W7HMRGlbOAHC6l:RiKmHyOgoHip7sId

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2928	794c2cd8e88015f067e827dfee27151e.exe
2928	794c2cd8e88015f067e827dfee27151e.exe
2928	794c2cd8e88015f067e827dfee27151e.exe
2928	794c2cd8e88015f067e827dfee27151e.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	794c2cd8e88015f067e827dfee27151e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2232	2896	794c2cd8e88015f067e827dfee27151e.exe	28
PID 2896 wrote to memory of 2232	2896	794c2cd8e88015f067e827dfee27151e.exe	28
PID 2896 wrote to memory of 2232	2896	794c2cd8e88015f067e827dfee27151e.exe	28
PID 2896 wrote to memory of 2232	2896	794c2cd8e88015f067e827dfee27151e.exe	28
PID 2896 wrote to memory of 2232	2896	794c2cd8e88015f067e827dfee27151e.exe	28
PID 2896 wrote to memory of 2232	2896	794c2cd8e88015f067e827dfee27151e.exe	28
PID 2896 wrote to memory of 2232	2896	794c2cd8e88015f067e827dfee27151e.exe	28
PID 2232 wrote to memory of 2928	2232	794c2cd8e88015f067e827dfee27151e.exe	29
PID 2232 wrote to memory of 2928	2232	794c2cd8e88015f067e827dfee27151e.exe	29
PID 2232 wrote to memory of 2928	2232	794c2cd8e88015f067e827dfee27151e.exe	29
PID 2232 wrote to memory of 2928	2232	794c2cd8e88015f067e827dfee27151e.exe	29
PID 2232 wrote to memory of 2928	2232	794c2cd8e88015f067e827dfee27151e.exe	29
PID 2232 wrote to memory of 2928	2232	794c2cd8e88015f067e827dfee27151e.exe	29
PID 2232 wrote to memory of 2928	2232	794c2cd8e88015f067e827dfee27151e.exe	29

C:\Users\Admin\AppData\Local\Temp\794c2cd8e88015f067e827dfee27151e.exe
"C:\Users\Admin\AppData\Local\Temp\794c2cd8e88015f067e827dfee27151e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\794c2cd8e88015f067e827dfee27151e.exe
  "C:\Users\Admin\AppData\Local\Temp\794c2cd8e88015f067e827dfee27151e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\794c2cd8e88015f067e827dfee27151e.exe
    "C:\Users\Admin\AppData\Local\Temp\794c2cd8e88015f067e827dfee27151e.exe"
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\roy6MW1ceZ9gok7WgiE\extramod.dll

Filesize
73KB

MD5
e6f4f11534bfeea5f1ae9a6273838864

SHA1
f47d053f6eca6bdc6892bb190f0d02ac2dc95eb1

SHA256
896cac771311a2edd372ef2555faaaaf93cf2ab5560b2f4a1c38c7308c715659

SHA512
d78084db0a336bcb449f2b3d10f57ce98acff68824edb766d622a42764176d27040e7a8dbf5fa7792ccef44abfbe3061dc1120098eb0fb8d42aaa4a81eb8a0b5

Download Submit
\Users\Admin\AppData\Local\Temp\roy6MW1ceZ9gok7WgiE\loading_screen.dll

Filesize
5KB

MD5
44dac7f87bdf94d553f8d2cf073d605d

SHA1
21bf5d714b9fcab32ba40ff7d36e48c378b67a06

SHA256
0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66

SHA512
92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

Download Submit
\Users\Admin\AppData\Local\Temp\roy6MW1ceZ9gok7WgiE\lua51.dll

Filesize
494KB

MD5
f0c59526f8186eadaf2171b8fd2967c1

SHA1
8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb

SHA256
6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6

SHA512
dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

Download Submit
\Users\Admin\AppData\Local\Temp\roy6MW1ceZ9gok7WgiE\shared_library.dll

Filesize
200KB

MD5
62884a5609eb622118bc5fad1bb25016

SHA1
ef071c600328fe522163b23770a01f51a8cf16ef

SHA256
b53a76862c4faf29fc744cac5d7febd316cd00ea0f57db9a0397f26013b8bafe

SHA512
5826a95e16765d1aba77c99546f18330cf8a1f9f82f273fcd9d79735331978060872c4bfdcf42280caed201bf21c4d6b855db94d4e8418cc41ec2051f6f6f90c

Download Submit
memory/2928-5-0x0000000000270000-0x0000000000286000-memory.dmp

Filesize
88KB

Download
memory/2928-10-0x0000000000310000-0x0000000000346000-memory.dmp

Filesize
216KB

Download
memory/2928-13-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2928-14-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/2928-15-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2928-21-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing