05c0e56fd2b86c323556a166fbe1a2ecb11b3e2195c51a7bdf41b1acb2c7e61d

Analysis

max time kernel
138s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39079304cdde74c97e91415df93626cb.exe
Size

877KB
MD5

39079304cdde74c97e91415df93626cb
SHA1

d4d38d47b04b5ebe6304d324284e8fe3334caa68
SHA256

05c0e56fd2b86c323556a166fbe1a2ecb11b3e2195c51a7bdf41b1acb2c7e61d
SHA512

78060c6982b4fe4a76a73e53772ca2186b66017fa96fad79f3689f7120101a76284612eb1a9cec3e73e53e6d372ead2c6c61f29d68a0028caf0ad6bf2fcb1e46
SSDEEP

24576:otMLKmtvPyHu71gvi4iKx0nWOZy9pNg4W7HMc+cN+2QHC6h:aiKmHyO5AX0p7scTQR

Score

7^/10

evasion trojan

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
3888	39079304cdde74c97e91415df93626cb.exe
3888	39079304cdde74c97e91415df93626cb.exe
3888	39079304cdde74c97e91415df93626cb.exe
3888	39079304cdde74c97e91415df93626cb.exe
3888	39079304cdde74c97e91415df93626cb.exe
3888	39079304cdde74c97e91415df93626cb.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	39079304cdde74c97e91415df93626cb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 4604	944	39079304cdde74c97e91415df93626cb.exe	94
PID 944 wrote to memory of 4604	944	39079304cdde74c97e91415df93626cb.exe	94
PID 944 wrote to memory of 4604	944	39079304cdde74c97e91415df93626cb.exe	94
PID 4604 wrote to memory of 3888	4604	39079304cdde74c97e91415df93626cb.exe	95
PID 4604 wrote to memory of 3888	4604	39079304cdde74c97e91415df93626cb.exe	95
PID 4604 wrote to memory of 3888	4604	39079304cdde74c97e91415df93626cb.exe	95

C:\Users\Admin\AppData\Local\Temp\39079304cdde74c97e91415df93626cb.exe
"C:\Users\Admin\AppData\Local\Temp\39079304cdde74c97e91415df93626cb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:944
- C:\Users\Admin\AppData\Local\Temp\39079304cdde74c97e91415df93626cb.exe
  "C:\Users\Admin\AppData\Local\Temp\39079304cdde74c97e91415df93626cb.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Users\Admin\AppData\Local\Temp\39079304cdde74c97e91415df93626cb.exe
    "C:\Users\Admin\AppData\Local\Temp\39079304cdde74c97e91415df93626cb.exe"
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BvRTmNphs4ae0R0YcCW\extramod.dll

Filesize
73KB

MD5
62287931c83ce752cc6bf50ef1a1d66a

SHA1
badc5a194f4b81da38bdd3d666c48fbfb124e713

SHA256
b310ef006113f01c173f55159d6c37a6b0c49cd6d9f165cd8febe5d0c7d91917

SHA512
6264b06253d23a9eaf1c169bc773fd1a588b0b8e735338bfbce52afe6477e22672497b21546c7f042ae608e811066f66b45f5d32007d38c6de7201f049bc991b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BvRTmNphs4ae0R0YcCW\loading_screen.dll

Filesize
5KB

MD5
44dac7f87bdf94d553f8d2cf073d605d

SHA1
21bf5d714b9fcab32ba40ff7d36e48c378b67a06

SHA256
0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66

SHA512
92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

Download Submit
C:\Users\Admin\AppData\Local\Temp\BvRTmNphs4ae0R0YcCW\lua51.dll

Filesize
494KB

MD5
f0c59526f8186eadaf2171b8fd2967c1

SHA1
8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb

SHA256
6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6

SHA512
dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

Download Submit
C:\Users\Admin\AppData\Local\Temp\BvRTmNphs4ae0R0YcCW\shared_library.dll

Filesize
200KB

MD5
0b55d198229be5b03c01860c7df9d851

SHA1
4da4a036762b5bcf8ea47cbd8cdf89ceebe36a1a

SHA256
429c4ce70c1cafd770832282529aea12012d913f1dd0cd27aa6cd66bb2407be2

SHA512
8c98f087899732b6d74a1cd4c68683057f236e05a422903d3477088e0964fc8db8e471c582840a80f59101998d09d0cec0f88fbf2e5948d4fe504661d24c1de4

Download Submit
memory/3888-18-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3888-17-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3888-14-0x0000000002120000-0x0000000002156000-memory.dmp

Filesize
216KB

Download
memory/3888-19-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3888-20-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3888-21-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3888-22-0x000000007FE30000-0x000000007FE40000-memory.dmp

Filesize
64KB

Download
memory/3888-23-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3888-7-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/3888-29-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download