2358c69899ac96d5f7007aba7d4d01e2fab3f5fbe12278209d166124cccbdc67

General

Target

4aaf3705158412e8d4f9c6de5459a16a.exe
Size

877KB
MD5

4aaf3705158412e8d4f9c6de5459a16a
SHA1

a5d0dbb9c487a7d4b551701cec72f680897c5090
SHA256

2358c69899ac96d5f7007aba7d4d01e2fab3f5fbe12278209d166124cccbdc67
SHA512

75104930fc3eba0072472b89b6f8fca85cb66f042f78b1ebdef678afc3fc8309dee1ed7b6ef60668ee74b90c46fcc8efc6a43c7958e558d55cbd8d99020e81b4
SSDEEP

24576:LaMLKmtvPyHu7CkCy9pNg4W7HM8EcN+2QHCNNY:uiKmHyOOJp7s8BQp

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2336	4aaf3705158412e8d4f9c6de5459a16a.exe
2336	4aaf3705158412e8d4f9c6de5459a16a.exe
2336	4aaf3705158412e8d4f9c6de5459a16a.exe
2336	4aaf3705158412e8d4f9c6de5459a16a.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4aaf3705158412e8d4f9c6de5459a16a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2416	2288	4aaf3705158412e8d4f9c6de5459a16a.exe	28
PID 2288 wrote to memory of 2416	2288	4aaf3705158412e8d4f9c6de5459a16a.exe	28
PID 2288 wrote to memory of 2416	2288	4aaf3705158412e8d4f9c6de5459a16a.exe	28
PID 2288 wrote to memory of 2416	2288	4aaf3705158412e8d4f9c6de5459a16a.exe	28
PID 2288 wrote to memory of 2416	2288	4aaf3705158412e8d4f9c6de5459a16a.exe	28
PID 2288 wrote to memory of 2416	2288	4aaf3705158412e8d4f9c6de5459a16a.exe	28
PID 2288 wrote to memory of 2416	2288	4aaf3705158412e8d4f9c6de5459a16a.exe	28
PID 2416 wrote to memory of 2336	2416	4aaf3705158412e8d4f9c6de5459a16a.exe	29
PID 2416 wrote to memory of 2336	2416	4aaf3705158412e8d4f9c6de5459a16a.exe	29
PID 2416 wrote to memory of 2336	2416	4aaf3705158412e8d4f9c6de5459a16a.exe	29
PID 2416 wrote to memory of 2336	2416	4aaf3705158412e8d4f9c6de5459a16a.exe	29
PID 2416 wrote to memory of 2336	2416	4aaf3705158412e8d4f9c6de5459a16a.exe	29
PID 2416 wrote to memory of 2336	2416	4aaf3705158412e8d4f9c6de5459a16a.exe	29
PID 2416 wrote to memory of 2336	2416	4aaf3705158412e8d4f9c6de5459a16a.exe	29

C:\Users\Admin\AppData\Local\Temp\4aaf3705158412e8d4f9c6de5459a16a.exe
"C:\Users\Admin\AppData\Local\Temp\4aaf3705158412e8d4f9c6de5459a16a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\4aaf3705158412e8d4f9c6de5459a16a.exe
  "C:\Users\Admin\AppData\Local\Temp\4aaf3705158412e8d4f9c6de5459a16a.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\4aaf3705158412e8d4f9c6de5459a16a.exe
    "C:\Users\Admin\AppData\Local\Temp\4aaf3705158412e8d4f9c6de5459a16a.exe"
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gyF2PfHRJPaXc6szWeB\extramod.dll

Filesize
73KB

MD5
e1674d9729a94e5f366c618246e5c468

SHA1
8abd8c990522c38d3213b0022e8f51ba9a17bd76

SHA256
d6287f8e70d8a1dc3683bc2e9f68b1cd7eda8e45a562a6a71df7eb5ac106a9fe

SHA512
f44622758893ae91fec46ca33d50b8176f9babaa485792baf8ee35a328ad8fc945dcf4cf0d234d7fda6331c678ca6624803105db55e781071af372e8da19dba5

Download Submit
\Users\Admin\AppData\Local\Temp\gyF2PfHRJPaXc6szWeB\lua51.dll

Filesize
494KB

MD5
f0c59526f8186eadaf2171b8fd2967c1

SHA1
8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb

SHA256
6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6

SHA512
dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

Download Submit
\Users\Admin\AppData\Local\Temp\gyF2PfHRJPaXc6szWeB\shared_library.dll

Filesize
92KB

MD5
bc4f596eb73268a12feef78e2e206986

SHA1
743fad4b67572d118375e2eb01b91fbaf84cd722

SHA256
e1cfa10743bacf79c83e1cb205858f8f0379cce8fcc1ce6638ff69a99837ac7a

SHA512
2469467be9876d2425c8e6518bc370545b2b28a5986ddc465e221920800b2e4116ca1b5613726fc74b44459b13d426303634b6cfd66418411912eea357b317a7

Download Submit
memory/2336-18-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/2336-19-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2336-26-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/2336-20-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2336-17-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2336-16-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2336-15-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2336-13-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2336-10-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/2336-14-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2336-5-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing