fba5612ed177354569658bbdb7fa377c9e14beaf6f048ac7e06356e50eb705ab

General

Target

8949cb8d89ff5f00c632ffab6ccd2557.dll
Size

654KB
MD5

8949cb8d89ff5f00c632ffab6ccd2557
SHA1

388b53db496665a472ce89cd5e8bdd9f11a858f1
SHA256

fba5612ed177354569658bbdb7fa377c9e14beaf6f048ac7e06356e50eb705ab
SHA512

5aefd242922c3a128c0915e101d8ede0550797167cb4c75b1f9ea0afc4f60b3688658f789a72a5ba1af6210379a0d25c6856d5039a0b6d1afa40dd29a162fde1
SSDEEP

12288:W7l0RPYJxekbujnCPn1P9dkrQkazv4EP+e/F8Ljv5hAsVwh7lJ+xuGAvBxaWS:W7eZ2x7KnAL7aLdhA5/QfAv4

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\kck86s.sys	SLXLEOWB.exe
File created	C:\Windows\SysWOW64\drivers\kck86s.sys	SLXLEOWB.exe
File created	C:\Windows\SysWOW64\drivers\x64kdss.sys	SLXLEOWB.exe

Executes dropped EXE 1 IoCs

pid	Process
4204	SLXLEOWB.exe

Loads dropped DLL 3 IoCs

pid	Process
4204	SLXLEOWB.exe
4204	SLXLEOWB.exe
4204	SLXLEOWB.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SLXLEOWB.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kdfvmgr.exe	SLXLEOWB.exe
File opened for modification	C:\Windows\SysWOW64\SLXLEOWB.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Kdfhok.dll	SLXLEOWB.exe
File created	C:\Windows\SysWOW64\kdfapi.dll	SLXLEOWB.exe
File opened for modification	C:\Windows\SysWOW64\kcu86s.dll	SLXLEOWB.exe
File created	C:\Windows\SysWOW64\kcu86s.dll	SLXLEOWB.exe
File opened for modification	C:\Windows\SysWOW64\kdfvmgr.exe	SLXLEOWB.exe
File created	C:\Windows\SysWOW64\SLXLEOWB.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\proDefense.dll	SLXLEOWB.exe
File created	C:\Windows\SysWOW64\proDefense.dll	SLXLEOWB.exe
File created	C:\Windows\SysWOW64\Kdfhok.dll	SLXLEOWB.exe
File opened for modification	C:\Windows\SysWOW64\kdfapi.dll	SLXLEOWB.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1284	rundll32.exe
1284	rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4204	SLXLEOWB.exe
4204	SLXLEOWB.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4204	SLXLEOWB.exe
4204	SLXLEOWB.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1284	rundll32.exe
1284	rundll32.exe
1284	rundll32.exe
1284	rundll32.exe
1284	rundll32.exe
4204	SLXLEOWB.exe
4204	SLXLEOWB.exe
4204	SLXLEOWB.exe
4204	SLXLEOWB.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1284	1096	rundll32.exe	17
PID 1096 wrote to memory of 1284	1096	rundll32.exe	17
PID 1096 wrote to memory of 1284	1096	rundll32.exe	17
PID 1284 wrote to memory of 4204	1284	rundll32.exe	35
PID 1284 wrote to memory of 4204	1284	rundll32.exe	35
PID 1284 wrote to memory of 4204	1284	rundll32.exe	35

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8949cb8d89ff5f00c632ffab6ccd2557.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8949cb8d89ff5f00c632ffab6ccd2557.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\SLXLEOWB.exe
    "C:\Windows\system32\SLXLEOWB.exe" -PID=0x00000504-TID=0x000001d4-APP=0x000000b2
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kdfhok.dll

Filesize
52KB

MD5
0eebea21f3146bbc7e2f786973a7ac82

SHA1
91a511b570e31dd5b62d903b70dd75f56953d9d8

SHA256
080eb806040a7dfbdff15bf50ce6f28d896012154d46fd32f6419b1ce69982fe

SHA512
c0ebd3531ebed1951ca4a5181b2778be2302bd14998e59393e2b75a540e63dee0bae40cccd98b4f54e6a55cfd120dcf975464189b99262d48eef071aa7574d4a

Download Submit
C:\Windows\SysWOW64\SLXLEOWB.exe

Filesize
318KB

MD5
f4975d52b66a0ca0fe77482bce9174d8

SHA1
e8d437645c8656583ac0b42ead29ba92320557c3

SHA256
aa6a09e8fb65e34580ed4187e288080994aa257e3cfab4b5f848bd52119620ac

SHA512
90cddea9c9a247e063ee40b3e2e2fae34ad17accc8a3589a497beb8d60da37ddac9ee6b6be2694483e63b3fb5753f59b3160cb8509da0c3fe4f8048de08b9f81

Download Submit
C:\Windows\SysWOW64\SLXLEOWB.exe

Filesize
250KB

MD5
6fd1346852240adb47b7c25ec285a8f9

SHA1
033f93147b2024b310de949d9d28be0decc2771f

SHA256
07e19b052b6296d4a9b4bc54bc6a65cc2e6bc3a004fbb062e35c1b5d2da54954

SHA512
b9603fc9a94905d164d4082292e787521d8c9353f2606d594898791944f57c446814ae5213eb6a8b071348d5519d654ad3348e76028fc829f8c64448705b3010

Download Submit
C:\Windows\SysWOW64\proDefense.dll

Filesize
60KB

MD5
6a8deda7da32637d2f19b1784d5d1a28

SHA1
34d96780b580037dbadcd4810680c62cda2c40c4

SHA256
6ed7dfd460b39b0d02e5f5754b292bc48c961f051cc3521806ba29df5092a1a5

SHA512
3c3ab26b7d91dbbfa4e7463488e3e7476f1fc43c7efd0402148674bf91f3c0c770d7d91ce85d75d53fda06fbb6af040fb72858dada92ced72de274b2cf1c8a95

Download Submit
memory/1284-0-0x0000000010000000-0x0000000010204000-memory.dmp

Filesize
2.0MB

Download
memory/4204-18-0x0000000000720000-0x000000000072F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing