f4c243c8fd76d9bb68f092ca038ee9eee6ff38033a5baed6065d617c8ce4bb53

Analysis

max time kernel
181s
max time network
234s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2023, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7924ab13c16cf99decbd9d953d9399c.exe
Size

1.9MB
MD5

f7924ab13c16cf99decbd9d953d9399c
SHA1

4d60e2936f8c13cb48175613071f923d1a23bc03
SHA256

f4c243c8fd76d9bb68f092ca038ee9eee6ff38033a5baed6065d617c8ce4bb53
SHA512

051e50682b3d1592f840b749ffcb773570fa8f144f349013e7d091c948f61c49d6bc6b84cc11e59b259b4f0ca0e3607b6ad85e90d196a5d82e20b20c510b0452
SSDEEP

49152:+08pEKXcPTC7WHI1xoA7xU81kHR6gWakurxp9U:+08pEQce7Wo1T

Score

7^/10

evasion trojan

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
3264	f7924ab13c16cf99decbd9d953d9399c.exe
3264	f7924ab13c16cf99decbd9d953d9399c.exe
3264	f7924ab13c16cf99decbd9d953d9399c.exe
3264	f7924ab13c16cf99decbd9d953d9399c.exe
3264	f7924ab13c16cf99decbd9d953d9399c.exe
3264	f7924ab13c16cf99decbd9d953d9399c.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f7924ab13c16cf99decbd9d953d9399c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 4524	2224	f7924ab13c16cf99decbd9d953d9399c.exe	91
PID 2224 wrote to memory of 4524	2224	f7924ab13c16cf99decbd9d953d9399c.exe	91
PID 2224 wrote to memory of 4524	2224	f7924ab13c16cf99decbd9d953d9399c.exe	91
PID 4524 wrote to memory of 3264	4524	f7924ab13c16cf99decbd9d953d9399c.exe	92
PID 4524 wrote to memory of 3264	4524	f7924ab13c16cf99decbd9d953d9399c.exe	92
PID 4524 wrote to memory of 3264	4524	f7924ab13c16cf99decbd9d953d9399c.exe	92

C:\Users\Admin\AppData\Local\Temp\f7924ab13c16cf99decbd9d953d9399c.exe
"C:\Users\Admin\AppData\Local\Temp\f7924ab13c16cf99decbd9d953d9399c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\f7924ab13c16cf99decbd9d953d9399c.exe
  "C:\Users\Admin\AppData\Local\Temp\f7924ab13c16cf99decbd9d953d9399c.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\f7924ab13c16cf99decbd9d953d9399c.exe
    "C:\Users\Admin\AppData\Local\Temp\f7924ab13c16cf99decbd9d953d9399c.exe"
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rfCBipUC1AmPpUUfeAc\1lYdh2qjQ.dll

Filesize
74KB

MD5
c9615703879a9e8aefe5149d5ee7ffaa

SHA1
e9e152fcb956436d2521ea89666a60e6aa4da179

SHA256
fb45356482d89288223e06d2c70107150df2a81be6351b0aa27eb3345da2ca51

SHA512
636ca645291a2adac2eb92dcd7fbbb5d84d6467d1ef8f0cbdbfed04ac20c20722c0dbc17613e61ef6ef6822b2de8a6378361d2c771165ef1ff7f7d82bb0d9801

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfCBipUC1AmPpUUfeAc\2Anod3rgqm.dll

Filesize
200KB

MD5
1f7bd201509f06224923d81011d17e5f

SHA1
714c8294180cddc5fa87287f26932993c6f6fed6

SHA256
d372f7a2512d1a2483e36f2c4ea2bb57ce6c6c25e8c614461b668e29af057b97

SHA512
b284b7ec57cdb4fe0f2e1216d3655626ab2e1e3956c084af4b177e629f20bce829afd04a9905506a7b87b550b5d0198c7d7571000beb016a713b5917645c99b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfCBipUC1AmPpUUfeAc\lua51.dll

Filesize
494KB

MD5
f0c59526f8186eadaf2171b8fd2967c1

SHA1
8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb

SHA256
6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6

SHA512
dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfCBipUC1AmPpUUfeAc\yZvWSsXxcDUukLwXNnrSdEbC90vWFf90iJ.dll

Filesize
5KB

MD5
44dac7f87bdf94d553f8d2cf073d605d

SHA1
21bf5d714b9fcab32ba40ff7d36e48c378b67a06

SHA256
0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66

SHA512
92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

Download Submit
memory/2224-0-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3264-2-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3264-10-0x0000000000760000-0x0000000000777000-memory.dmp

Filesize
92KB

Download
memory/3264-17-0x00000000008A0000-0x00000000008D6000-memory.dmp

Filesize
216KB

Download
memory/3264-20-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3264-21-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3264-22-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3264-23-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3264-25-0x000000007FE30000-0x000000007FE40000-memory.dmp

Filesize
64KB

Download
memory/3264-24-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/4524-1-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download