23389d9d84dc41b873d095afdba7495fb5fed5f65038b8d9d97390003956701f

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73d6667fac12e920d892f04c34519c52.exe
Size

876KB
MD5

73d6667fac12e920d892f04c34519c52
SHA1

78c04b8fd1acf96695c04d1fa1f9bd33fcefc721
SHA256

23389d9d84dc41b873d095afdba7495fb5fed5f65038b8d9d97390003956701f
SHA512

58ac33dbc82b651e5de305b5b739d8f903ba283fd7324f04c76226470775b578c04ac4c4baff25bc50476801ce9d93facc25451235ac911c3874d20a35fcd3aa
SSDEEP

24576:wkMLKmtvPyHu7yCzAmiKv4y9pNg4W7HMoG3bOAHC56k:/iKmHyOrAcvip7snw

Score

7^/10

evasion trojan

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2728	73d6667fac12e920d892f04c34519c52.exe
2728	73d6667fac12e920d892f04c34519c52.exe
2728	73d6667fac12e920d892f04c34519c52.exe
2728	73d6667fac12e920d892f04c34519c52.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	73d6667fac12e920d892f04c34519c52.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1368	1516	73d6667fac12e920d892f04c34519c52.exe	28
PID 1516 wrote to memory of 1368	1516	73d6667fac12e920d892f04c34519c52.exe	28
PID 1516 wrote to memory of 1368	1516	73d6667fac12e920d892f04c34519c52.exe	28
PID 1516 wrote to memory of 1368	1516	73d6667fac12e920d892f04c34519c52.exe	28
PID 1516 wrote to memory of 1368	1516	73d6667fac12e920d892f04c34519c52.exe	28
PID 1516 wrote to memory of 1368	1516	73d6667fac12e920d892f04c34519c52.exe	28
PID 1516 wrote to memory of 1368	1516	73d6667fac12e920d892f04c34519c52.exe	28
PID 1368 wrote to memory of 2728	1368	73d6667fac12e920d892f04c34519c52.exe	29
PID 1368 wrote to memory of 2728	1368	73d6667fac12e920d892f04c34519c52.exe	29
PID 1368 wrote to memory of 2728	1368	73d6667fac12e920d892f04c34519c52.exe	29
PID 1368 wrote to memory of 2728	1368	73d6667fac12e920d892f04c34519c52.exe	29
PID 1368 wrote to memory of 2728	1368	73d6667fac12e920d892f04c34519c52.exe	29
PID 1368 wrote to memory of 2728	1368	73d6667fac12e920d892f04c34519c52.exe	29
PID 1368 wrote to memory of 2728	1368	73d6667fac12e920d892f04c34519c52.exe	29

C:\Users\Admin\AppData\Local\Temp\73d6667fac12e920d892f04c34519c52.exe
"C:\Users\Admin\AppData\Local\Temp\73d6667fac12e920d892f04c34519c52.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\73d6667fac12e920d892f04c34519c52.exe
  "C:\Users\Admin\AppData\Local\Temp\73d6667fac12e920d892f04c34519c52.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\73d6667fac12e920d892f04c34519c52.exe
    "C:\Users\Admin\AppData\Local\Temp\73d6667fac12e920d892f04c34519c52.exe"
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\g1SXT04mu7VhTSrWzk4\extramod.dll

Filesize
73KB

MD5
60d3fe46288cd8cfb5ff7d06e285f335

SHA1
03d4cd2364321a82f8aea4c6c3ff12946c181c94

SHA256
e5d6610f6f690a078eb33ced642ddc8c696e49509156ed3771b843cf69f5bc81

SHA512
acaa04d8ce4acc1518c6f8a055539559f009fa5c0c39b16d3ccb232347ce960c688c2fe3fb8971448d5ea65fb10408dad51a602ee394046f6f6973915c6ec5cd

Download Submit
\Users\Admin\AppData\Local\Temp\g1SXT04mu7VhTSrWzk4\loading_screen.dll

Filesize
5KB

MD5
44dac7f87bdf94d553f8d2cf073d605d

SHA1
21bf5d714b9fcab32ba40ff7d36e48c378b67a06

SHA256
0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66

SHA512
92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

Download Submit
\Users\Admin\AppData\Local\Temp\g1SXT04mu7VhTSrWzk4\lua51.dll

Filesize
494KB

MD5
f0c59526f8186eadaf2171b8fd2967c1

SHA1
8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb

SHA256
6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6

SHA512
dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

Download Submit
\Users\Admin\AppData\Local\Temp\g1SXT04mu7VhTSrWzk4\shared_library.dll

Filesize
200KB

MD5
5e778c2e85d5e69dc954204c385a8675

SHA1
2fe5caf49a765d0b14bcb566ba42f4629a9b1cd1

SHA256
e972766211090485d57f9fdb316c63d247a8a42028b9bcaf5439c2586ec8234a

SHA512
14e2631d57e96885603f00c132627c8930509a510d45f49d75eb634e2537fc2a841aeeade74575290f5c677df046f1ffeffb9d5fb52652b33c9c591ce6e5db1b

Download Submit
memory/2728-5-0x00000000001E0000-0x00000000001F6000-memory.dmp

Filesize
88KB

Download
memory/2728-10-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2728-13-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2728-14-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/2728-20-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download