2358c69899ac96d5f7007aba7d4d01e2fab3f5fbe12278209d166124cccbdc67

Analysis

max time kernel
144s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4aaf3705158412e8d4f9c6de5459a16a.exe
Size

877KB
MD5

4aaf3705158412e8d4f9c6de5459a16a
SHA1

a5d0dbb9c487a7d4b551701cec72f680897c5090
SHA256

2358c69899ac96d5f7007aba7d4d01e2fab3f5fbe12278209d166124cccbdc67
SHA512

75104930fc3eba0072472b89b6f8fca85cb66f042f78b1ebdef678afc3fc8309dee1ed7b6ef60668ee74b90c46fcc8efc6a43c7958e558d55cbd8d99020e81b4
SSDEEP

24576:LaMLKmtvPyHu7CkCy9pNg4W7HM8EcN+2QHCNNY:uiKmHyOOJp7s8BQp

Score

7^/10

evasion trojan

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
3004	4aaf3705158412e8d4f9c6de5459a16a.exe
3004	4aaf3705158412e8d4f9c6de5459a16a.exe
3004	4aaf3705158412e8d4f9c6de5459a16a.exe
3004	4aaf3705158412e8d4f9c6de5459a16a.exe
3004	4aaf3705158412e8d4f9c6de5459a16a.exe
3004	4aaf3705158412e8d4f9c6de5459a16a.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4aaf3705158412e8d4f9c6de5459a16a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2564	1272	4aaf3705158412e8d4f9c6de5459a16a.exe	92
PID 1272 wrote to memory of 2564	1272	4aaf3705158412e8d4f9c6de5459a16a.exe	92
PID 1272 wrote to memory of 2564	1272	4aaf3705158412e8d4f9c6de5459a16a.exe	92
PID 2564 wrote to memory of 3004	2564	4aaf3705158412e8d4f9c6de5459a16a.exe	93
PID 2564 wrote to memory of 3004	2564	4aaf3705158412e8d4f9c6de5459a16a.exe	93
PID 2564 wrote to memory of 3004	2564	4aaf3705158412e8d4f9c6de5459a16a.exe	93

C:\Users\Admin\AppData\Local\Temp\4aaf3705158412e8d4f9c6de5459a16a.exe
"C:\Users\Admin\AppData\Local\Temp\4aaf3705158412e8d4f9c6de5459a16a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\4aaf3705158412e8d4f9c6de5459a16a.exe
  "C:\Users\Admin\AppData\Local\Temp\4aaf3705158412e8d4f9c6de5459a16a.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\4aaf3705158412e8d4f9c6de5459a16a.exe
    "C:\Users\Admin\AppData\Local\Temp\4aaf3705158412e8d4f9c6de5459a16a.exe"
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FXCJSZ4EqCNqMaqCVYB\extramod.dll

Filesize
73KB

MD5
e1674d9729a94e5f366c618246e5c468

SHA1
8abd8c990522c38d3213b0022e8f51ba9a17bd76

SHA256
d6287f8e70d8a1dc3683bc2e9f68b1cd7eda8e45a562a6a71df7eb5ac106a9fe

SHA512
f44622758893ae91fec46ca33d50b8176f9babaa485792baf8ee35a328ad8fc945dcf4cf0d234d7fda6331c678ca6624803105db55e781071af372e8da19dba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FXCJSZ4EqCNqMaqCVYB\loading_screen.dll

Filesize
5KB

MD5
44dac7f87bdf94d553f8d2cf073d605d

SHA1
21bf5d714b9fcab32ba40ff7d36e48c378b67a06

SHA256
0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66

SHA512
92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

Download Submit
C:\Users\Admin\AppData\Local\Temp\FXCJSZ4EqCNqMaqCVYB\lua51.dll

Filesize
494KB

MD5
f0c59526f8186eadaf2171b8fd2967c1

SHA1
8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb

SHA256
6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6

SHA512
dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

Download Submit
C:\Users\Admin\AppData\Local\Temp\FXCJSZ4EqCNqMaqCVYB\shared_library.dll

Filesize
200KB

MD5
b1f123d02b786e96198b42f8d793db38

SHA1
121b38f8e30995065617b13df7b9182adaea6da7

SHA256
6f6fb0c1f04ea9b4dc7601611d6e9433f978094b0a93492a373674ce9374831e

SHA512
729f9ca3d9f01c7c689fc7bda783f8d9e62168fc6cbcbb9c8e5328ef8a952e0bd3153a9dec7694b19a73ac5cf0a8af25e45b4ed711c13a59ab7e8154a5a99bcf

Download Submit
memory/3004-18-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3004-17-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3004-14-0x0000000002120000-0x0000000002156000-memory.dmp

Filesize
216KB

Download
memory/3004-19-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3004-20-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3004-21-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3004-22-0x000000007FE30000-0x000000007FE40000-memory.dmp

Filesize
64KB

Download
memory/3004-23-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3004-7-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/3004-29-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download