11773c6998d1c6b0762d31b335dd33f33fda88f197013708ce272e6708ecd4fe

Analysis

max time kernel
7s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cefd355d0fa6242cc258a0a69c2c6d9.exe
Size

876KB
MD5

7cefd355d0fa6242cc258a0a69c2c6d9
SHA1

459fc14309056138ee098884590f304c44f57930
SHA256

11773c6998d1c6b0762d31b335dd33f33fda88f197013708ce272e6708ecd4fe
SHA512

d95235c47aecf74714d736355697701862d22e91616dd6b453dec982843c438726fa09bb26b1679c33684b57d8ffb39c218e3d9cdb003cd208d16eea6f72d55a
SSDEEP

24576:ICMLKmtvPyHu7iqNd2rmy9pNg4W7HMLG3bOAHCJJk5:tiKmHyOfUrYp7s8L5

Score

7^/10

evasion trojan

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
4800	7cefd355d0fa6242cc258a0a69c2c6d9.exe
4800	7cefd355d0fa6242cc258a0a69c2c6d9.exe
4800	7cefd355d0fa6242cc258a0a69c2c6d9.exe
4800	7cefd355d0fa6242cc258a0a69c2c6d9.exe
4800	7cefd355d0fa6242cc258a0a69c2c6d9.exe
4800	7cefd355d0fa6242cc258a0a69c2c6d9.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7cefd355d0fa6242cc258a0a69c2c6d9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 972	2240	7cefd355d0fa6242cc258a0a69c2c6d9.exe	14
PID 2240 wrote to memory of 972	2240	7cefd355d0fa6242cc258a0a69c2c6d9.exe	14
PID 2240 wrote to memory of 972	2240	7cefd355d0fa6242cc258a0a69c2c6d9.exe	14
PID 972 wrote to memory of 4800	972	7cefd355d0fa6242cc258a0a69c2c6d9.exe	16
PID 972 wrote to memory of 4800	972	7cefd355d0fa6242cc258a0a69c2c6d9.exe	16
PID 972 wrote to memory of 4800	972	7cefd355d0fa6242cc258a0a69c2c6d9.exe	16

C:\Users\Admin\AppData\Local\Temp\7cefd355d0fa6242cc258a0a69c2c6d9.exe
"C:\Users\Admin\AppData\Local\Temp\7cefd355d0fa6242cc258a0a69c2c6d9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\7cefd355d0fa6242cc258a0a69c2c6d9.exe
  "C:\Users\Admin\AppData\Local\Temp\7cefd355d0fa6242cc258a0a69c2c6d9.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Users\Admin\AppData\Local\Temp\7cefd355d0fa6242cc258a0a69c2c6d9.exe
    "C:\Users\Admin\AppData\Local\Temp\7cefd355d0fa6242cc258a0a69c2c6d9.exe"
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HQAKbv4h1NkKk03v8Nt\lua51.dll

Filesize
94KB

MD5
7ba72d2a48c7385da71b8820fc0c4b0b

SHA1
4e2c6b49082a6964216d2d32437ff2da8d9dcd33

SHA256
e3f3c3a5dd1cf0861f1485673bd9c49e329b3fed6c9eff99f98b8dfe61c00a32

SHA512
87ea7410b8683968b4eaffe0747f4554c355f0f407d315b78cea7db55a3bab048b4d295ac740a2de6d9d59e29c3f718a92165a10b6bd55612ef0e88cef0cbd36

Download Submit
memory/4800-7-0x0000000000660000-0x0000000000676000-memory.dmp

Filesize
88KB

Download
memory/4800-18-0x000000007FE30000-0x000000007FE40000-memory.dmp

Filesize
64KB

Download
memory/4800-17-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/4800-14-0x0000000002140000-0x0000000002176000-memory.dmp

Filesize
216KB

Download
memory/4800-24-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download