edeb7fa25c34426f14f1a4fe13bdcd7b0f3a3d6291e6ca883fe7b9a7503d622d

General

Target

edeb7fa25c34426f14f1a4fe13bdcd7b0f3a3d6291e6ca883fe7b9a7503d622d.exe
Size

14KB
MD5

a89f5a781a4d5153ca31ed64ce27b379
SHA1

1a3732ebede98e63d6e95d8634d11728eca61c29
SHA256

edeb7fa25c34426f14f1a4fe13bdcd7b0f3a3d6291e6ca883fe7b9a7503d622d
SHA512

acaaefb81e8c4305cf3c400d0066117208bc3b8266ddc0f05013a1bc6426ca7b8e7132ed6469dd7920fdb4b591ae087a9e79b5af7241a52a9242331f1bed2b74
SSDEEP

384:dQ8wvUmai/zbM/XygkxOu6cyhLWqYv1fdlSW:djkUHi7blHhyhi9R

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	edeb7fa25c34426f14f1a4fe13bdcd7b0f3a3d6291e6ca883fe7b9a7503d622d.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	edeb7fa25c34426f14f1a4fe13bdcd7b0f3a3d6291e6ca883fe7b9a7503d622d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TGFwc0Fw = "\"C:\\Users\\Admin\\AppData\\Roaming\\LapsApp\\edeb7fa25c34426f14f1a4fe13bdcd7b0f3a3d6291e6ca883fe7b9a7503d622d.exe\""	edeb7fa25c34426f14f1a4fe13bdcd7b0f3a3d6291e6ca883fe7b9a7503d622d.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	edeb7fa25c34426f14f1a4fe13bdcd7b0f3a3d6291e6ca883fe7b9a7503d622d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	edeb7fa25c34426f14f1a4fe13bdcd7b0f3a3d6291e6ca883fe7b9a7503d622d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3304	edeb7fa25c34426f14f1a4fe13bdcd7b0f3a3d6291e6ca883fe7b9a7503d622d.exe
3396	powershell.exe
3396	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3304	edeb7fa25c34426f14f1a4fe13bdcd7b0f3a3d6291e6ca883fe7b9a7503d622d.exe
Token: SeDebugPrivilege	3396	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 3396	3304	edeb7fa25c34426f14f1a4fe13bdcd7b0f3a3d6291e6ca883fe7b9a7503d622d.exe	84
PID 3304 wrote to memory of 3396	3304	edeb7fa25c34426f14f1a4fe13bdcd7b0f3a3d6291e6ca883fe7b9a7503d622d.exe	84
PID 3304 wrote to memory of 3396	3304	edeb7fa25c34426f14f1a4fe13bdcd7b0f3a3d6291e6ca883fe7b9a7503d622d.exe	84

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	edeb7fa25c34426f14f1a4fe13bdcd7b0f3a3d6291e6ca883fe7b9a7503d622d.exe

C:\Users\Admin\AppData\Local\Temp\edeb7fa25c34426f14f1a4fe13bdcd7b0f3a3d6291e6ca883fe7b9a7503d622d.exe
"C:\Users\Admin\AppData\Local\Temp\edeb7fa25c34426f14f1a4fe13bdcd7b0f3a3d6291e6ca883fe7b9a7503d622d.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3304
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\edeb7fa25c34426f14f1a4fe13bdcd7b0f3a3d6291e6ca883fe7b9a7503d622d.exe'; Add-MpPreference -ExclusionProcess 'edeb7fa25c34426f14f1a4fe13bdcd7b0f3a3d6291e6ca883fe7b9a7503d622d'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xip5xwm0.yrv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3304-0-0x0000000000A10000-0x0000000000A1A000-memory.dmp

Filesize
40KB

Download
memory/3304-1-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3304-2-0x0000000005A60000-0x0000000006004000-memory.dmp

Filesize
5.6MB

Download
memory/3304-3-0x00000000053F0000-0x0000000005482000-memory.dmp

Filesize
584KB

Download
memory/3304-55-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3304-54-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3304-53-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3304-51-0x0000000006580000-0x000000000658A000-memory.dmp

Filesize
40KB

Download
memory/3304-50-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3304-49-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3396-35-0x0000000006070000-0x000000000608E000-memory.dmp

Filesize
120KB

Download
memory/3396-41-0x0000000006FD0000-0x0000000006FE1000-memory.dmp

Filesize
68KB

Download
memory/3396-21-0x0000000005AB0000-0x0000000005ACE000-memory.dmp

Filesize
120KB

Download
memory/3396-22-0x0000000005B10000-0x0000000005B5C000-memory.dmp

Filesize
304KB

Download
memory/3396-23-0x0000000004780000-0x0000000004790000-memory.dmp

Filesize
64KB

Download
memory/3396-24-0x0000000006090000-0x00000000060C2000-memory.dmp

Filesize
200KB

Download
memory/3396-25-0x0000000070880000-0x00000000708CC000-memory.dmp

Filesize
304KB

Download
memory/3396-12-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/3396-36-0x0000000006AC0000-0x0000000006B63000-memory.dmp

Filesize
652KB

Download
memory/3396-37-0x0000000007410000-0x0000000007A8A000-memory.dmp

Filesize
6.5MB

Download
memory/3396-38-0x0000000006DD0000-0x0000000006DEA000-memory.dmp

Filesize
104KB

Download
memory/3396-39-0x0000000006E40000-0x0000000006E4A000-memory.dmp

Filesize
40KB

Download
memory/3396-40-0x0000000007050000-0x00000000070E6000-memory.dmp

Filesize
600KB

Download
memory/3396-20-0x0000000005730000-0x0000000005A84000-memory.dmp

Filesize
3.3MB

Download
memory/3396-42-0x0000000007000000-0x000000000700E000-memory.dmp

Filesize
56KB

Download
memory/3396-43-0x0000000007010000-0x0000000007024000-memory.dmp

Filesize
80KB

Download
memory/3396-44-0x0000000007110000-0x000000000712A000-memory.dmp

Filesize
104KB

Download
memory/3396-45-0x00000000070F0000-0x00000000070F8000-memory.dmp

Filesize
32KB

Download
memory/3396-48-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3396-9-0x00000000053F0000-0x0000000005456000-memory.dmp

Filesize
408KB

Download
memory/3396-8-0x0000000004BF0000-0x0000000004C12000-memory.dmp

Filesize
136KB

Download
memory/3396-7-0x0000000004DC0000-0x00000000053E8000-memory.dmp

Filesize
6.2MB

Download
memory/3396-6-0x0000000004780000-0x0000000004790000-memory.dmp

Filesize
64KB

Download
memory/3396-5-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3396-4-0x00000000024C0000-0x00000000024F6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads