06248aca0896c44c60dacdd4c255ccc709aa15e030ec7d61df5a55ebb64cd330

General

Target

75f27281487e0895477e670972cc1ffd.exe
Size

877KB
MD5

75f27281487e0895477e670972cc1ffd
SHA1

81b6b568e941c9333ad5e2d355f797ee1e596312
SHA256

06248aca0896c44c60dacdd4c255ccc709aa15e030ec7d61df5a55ebb64cd330
SHA512

9130c5e14ec8f1645379241d8d861919feca682f1197a05e55a228b259a87a96e9f29baa57957e1db4cd3d7b57be78e8f4a063de01045913b5cf58b20eb578ac
SSDEEP

24576:fxMLKmtvPyHu7y17r0nmy9pNg4W7HMc1cN+2QHCU3:piKmHyOQJp7scsQt

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2776	75f27281487e0895477e670972cc1ffd.exe
2776	75f27281487e0895477e670972cc1ffd.exe
2776	75f27281487e0895477e670972cc1ffd.exe
2776	75f27281487e0895477e670972cc1ffd.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	75f27281487e0895477e670972cc1ffd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2156	1900	75f27281487e0895477e670972cc1ffd.exe	28
PID 1900 wrote to memory of 2156	1900	75f27281487e0895477e670972cc1ffd.exe	28
PID 1900 wrote to memory of 2156	1900	75f27281487e0895477e670972cc1ffd.exe	28
PID 1900 wrote to memory of 2156	1900	75f27281487e0895477e670972cc1ffd.exe	28
PID 1900 wrote to memory of 2156	1900	75f27281487e0895477e670972cc1ffd.exe	28
PID 1900 wrote to memory of 2156	1900	75f27281487e0895477e670972cc1ffd.exe	28
PID 1900 wrote to memory of 2156	1900	75f27281487e0895477e670972cc1ffd.exe	28
PID 2156 wrote to memory of 2776	2156	75f27281487e0895477e670972cc1ffd.exe	29
PID 2156 wrote to memory of 2776	2156	75f27281487e0895477e670972cc1ffd.exe	29
PID 2156 wrote to memory of 2776	2156	75f27281487e0895477e670972cc1ffd.exe	29
PID 2156 wrote to memory of 2776	2156	75f27281487e0895477e670972cc1ffd.exe	29
PID 2156 wrote to memory of 2776	2156	75f27281487e0895477e670972cc1ffd.exe	29
PID 2156 wrote to memory of 2776	2156	75f27281487e0895477e670972cc1ffd.exe	29
PID 2156 wrote to memory of 2776	2156	75f27281487e0895477e670972cc1ffd.exe	29

C:\Users\Admin\AppData\Local\Temp\75f27281487e0895477e670972cc1ffd.exe
"C:\Users\Admin\AppData\Local\Temp\75f27281487e0895477e670972cc1ffd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\75f27281487e0895477e670972cc1ffd.exe
  "C:\Users\Admin\AppData\Local\Temp\75f27281487e0895477e670972cc1ffd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\75f27281487e0895477e670972cc1ffd.exe
    "C:\Users\Admin\AppData\Local\Temp\75f27281487e0895477e670972cc1ffd.exe"
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ndV5wFGjxgwl1DVYr77\extramod.dll

Filesize
73KB

MD5
48eb01b0df30e1d62c9f87451ca9cff5

SHA1
dd9355cae94c563d2033a7afdc9397de92461fcc

SHA256
f6083bff50ac6701e3560d45ed4fd00b3fbd8cc02fc179e09e14c06f26ebc663

SHA512
786bb70f39b379ba476a37f52285300c01825d35317842fa5b364626e8626370768fea70be12377d20d3b4c5680e1b2b0665528be5ee7f9b344108ad215671be

Download Submit
\Users\Admin\AppData\Local\Temp\ndV5wFGjxgwl1DVYr77\loading_screen.dll

Filesize
5KB

MD5
44dac7f87bdf94d553f8d2cf073d605d

SHA1
21bf5d714b9fcab32ba40ff7d36e48c378b67a06

SHA256
0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66

SHA512
92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

Download Submit
\Users\Admin\AppData\Local\Temp\ndV5wFGjxgwl1DVYr77\lua51.dll

Filesize
494KB

MD5
f0c59526f8186eadaf2171b8fd2967c1

SHA1
8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb

SHA256
6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6

SHA512
dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

Download Submit
\Users\Admin\AppData\Local\Temp\ndV5wFGjxgwl1DVYr77\shared_library.dll

Filesize
200KB

MD5
1429c8bd9f83eec1d15b903c7d1e5e82

SHA1
3a5cdea59c7161488e10d69989815deb28484c56

SHA256
43a94fd12987fe197e694c7a5973030b3b179998813d82dd336877093ae22578

SHA512
2b0500f5c51f0c202a0f2ff6c425e9795e42550781406cdb4fecfb1712817a9a603903e07ff14114b7fed33efc7731432cff7a0011c764f3b3c6b5a3cae3e4da

Download Submit
memory/2776-15-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2776-13-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2776-10-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/2776-14-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2776-17-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2776-16-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2776-18-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/2776-5-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/2776-20-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2776-19-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2776-26-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing