f4c243c8fd76d9bb68f092ca038ee9eee6ff38033a5baed6065d617c8ce4bb53

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/12/2023, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7924ab13c16cf99decbd9d953d9399c.exe
Size

1.9MB
MD5

f7924ab13c16cf99decbd9d953d9399c
SHA1

4d60e2936f8c13cb48175613071f923d1a23bc03
SHA256

f4c243c8fd76d9bb68f092ca038ee9eee6ff38033a5baed6065d617c8ce4bb53
SHA512

051e50682b3d1592f840b749ffcb773570fa8f144f349013e7d091c948f61c49d6bc6b84cc11e59b259b4f0ca0e3607b6ad85e90d196a5d82e20b20c510b0452
SSDEEP

49152:+08pEKXcPTC7WHI1xoA7xU81kHR6gWakurxp9U:+08pEQce7Wo1T

Score

7^/10

evasion trojan

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
3040	f7924ab13c16cf99decbd9d953d9399c.exe
3040	f7924ab13c16cf99decbd9d953d9399c.exe
3040	f7924ab13c16cf99decbd9d953d9399c.exe
3040	f7924ab13c16cf99decbd9d953d9399c.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f7924ab13c16cf99decbd9d953d9399c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2036	1520	f7924ab13c16cf99decbd9d953d9399c.exe	16
PID 1520 wrote to memory of 2036	1520	f7924ab13c16cf99decbd9d953d9399c.exe	16
PID 1520 wrote to memory of 2036	1520	f7924ab13c16cf99decbd9d953d9399c.exe	16
PID 1520 wrote to memory of 2036	1520	f7924ab13c16cf99decbd9d953d9399c.exe	16
PID 1520 wrote to memory of 2036	1520	f7924ab13c16cf99decbd9d953d9399c.exe	16
PID 1520 wrote to memory of 2036	1520	f7924ab13c16cf99decbd9d953d9399c.exe	16
PID 1520 wrote to memory of 2036	1520	f7924ab13c16cf99decbd9d953d9399c.exe	16
PID 2036 wrote to memory of 3040	2036	f7924ab13c16cf99decbd9d953d9399c.exe	17
PID 2036 wrote to memory of 3040	2036	f7924ab13c16cf99decbd9d953d9399c.exe	17
PID 2036 wrote to memory of 3040	2036	f7924ab13c16cf99decbd9d953d9399c.exe	17
PID 2036 wrote to memory of 3040	2036	f7924ab13c16cf99decbd9d953d9399c.exe	17
PID 2036 wrote to memory of 3040	2036	f7924ab13c16cf99decbd9d953d9399c.exe	17
PID 2036 wrote to memory of 3040	2036	f7924ab13c16cf99decbd9d953d9399c.exe	17
PID 2036 wrote to memory of 3040	2036	f7924ab13c16cf99decbd9d953d9399c.exe	17

C:\Users\Admin\AppData\Local\Temp\f7924ab13c16cf99decbd9d953d9399c.exe
"C:\Users\Admin\AppData\Local\Temp\f7924ab13c16cf99decbd9d953d9399c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\f7924ab13c16cf99decbd9d953d9399c.exe
  "C:\Users\Admin\AppData\Local\Temp\f7924ab13c16cf99decbd9d953d9399c.exe"
  2⤵
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:3040

C:\Users\Admin\AppData\Local\Temp\f7924ab13c16cf99decbd9d953d9399c.exe
"C:\Users\Admin\AppData\Local\Temp\f7924ab13c16cf99decbd9d953d9399c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1520-0-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3040-18-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/3040-21-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/3040-20-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/3040-19-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/3040-17-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/3040-16-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/3040-13-0x0000000000330000-0x0000000000366000-memory.dmp

Filesize
216KB

Download
memory/3040-8-0x0000000000250000-0x0000000000267000-memory.dmp

Filesize
92KB

Download