e789a6e6e52c30deacb7d20805ec300038c4c9f2f92d73a27a1d9c9dd7802289

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d3551639b232de882d1396c1780e520.exe
Size

1.5MB
MD5

3d3551639b232de882d1396c1780e520
SHA1

335c6cc43c820943dc62db9d2245bef54a15d78e
SHA256

e789a6e6e52c30deacb7d20805ec300038c4c9f2f92d73a27a1d9c9dd7802289
SHA512

9330a61bb236c75e7cfe0fb8ab7093250428fa22b257e9396b6f62acd4dbba84e8a523d2ff28f47d3af9a82df778e8a14e6682a6abfa6aff536fa0a483a9bece
SSDEEP

24576:TphwrIhv1qQjtY2jBe4NNl51X32mmYJL1g6gTcTK0gJnSpillA:TpHx1zd7/xpg6vTLgVmillA

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3d3551639b232de882d1396c1780e520.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2356	3d3551639b232de882d1396c1780e520.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe
2356	3d3551639b232de882d1396c1780e520.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2872	2356	3d3551639b232de882d1396c1780e520.exe	28
PID 2356 wrote to memory of 2872	2356	3d3551639b232de882d1396c1780e520.exe	28
PID 2356 wrote to memory of 2872	2356	3d3551639b232de882d1396c1780e520.exe	28
PID 2356 wrote to memory of 2872	2356	3d3551639b232de882d1396c1780e520.exe	28
PID 2872 wrote to memory of 2744	2872	cmd.exe	30
PID 2872 wrote to memory of 2744	2872	cmd.exe	30
PID 2872 wrote to memory of 2744	2872	cmd.exe	30
PID 2872 wrote to memory of 2744	2872	cmd.exe	30
PID 2744 wrote to memory of 2692	2744	net.exe	31
PID 2744 wrote to memory of 2692	2744	net.exe	31
PID 2744 wrote to memory of 2692	2744	net.exe	31
PID 2744 wrote to memory of 2692	2744	net.exe	31

C:\Users\Admin\AppData\Local\Temp\3d3551639b232de882d1396c1780e520.exe
"C:\Users\Admin\AppData\Local\Temp\3d3551639b232de882d1396c1780e520.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop Spooler
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\net.exe
    net stop Spooler
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Spooler
      4⤵
      PID:2692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f4425e2dbad18b27a473d5a9828e43bb

SHA1
f84d6b92656d00d081ee5ef8ab21b7028c12938b

SHA256
eae8a0f72b92e0d3e2095001df76d8eb25d1161bf9256b145e1e59c8a3b8dc5a

SHA512
60ee6dccc9a54e1024359103ea054f80d3b7f647214f82562c7a569dba3fd46c54d8975ce4a1a8fcb03211e124fc1ef27a2dd6fa93861db8cf0fd79ccad0abde

Download Submit
memory/2356-27-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2356-29-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2356-3-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/2356-1-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2356-20-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2356-23-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2356-24-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2356-25-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2356-26-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2356-0-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2356-2-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2356-30-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2356-28-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2356-31-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2356-32-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2356-33-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2356-34-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2356-35-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2356-36-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2356-37-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2356-38-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download