Malware Analysis Report

2025-08-11 01:05

Sample ID: 240302-t8k9zsfa5z
Target: aL4N.exe
SHA256: 6cd56f8b0f3051ce9f26ae38ad4a63cabb913380a35741028bdccb78ac5b0edf
Tags: evasion, persistence
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 6cd56f8b0f3051ce9f26ae38ad4a63cabb913380a35741028bdccb78ac5b0edf

Threat Level: Likely malicious

The file aL4N.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: evasion, persistence

Modifies Windows Firewall

Executes dropped EXE

Drops startup file

Loads dropped DLL

Adds Run key to start application

Enumerates connected drives

AutoIT Executable

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-02 16:43

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-02 16:43

Reported: 2024-03-02 16:46

Platform: win7-20240220-en

Max time kernel: 149s

Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aL4N.exe"

Signatures

Modifies Windows Firewall

Tags: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aL4N.exe | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aL4N.exe | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A

Adds Run key to start application

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\aL4N.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\aL4N.exe\"" | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aL4N.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\aL4N.exe\"" | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\i: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\n: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\t: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\v: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\w: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\b: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\h: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\j: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\l: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\q: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\y: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\z: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\g: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\o: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\p: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\r: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\u: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\x: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\a: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\k: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\m: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A
File opened (read-only) | \??\s: | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\aL4N.exe

"C:\Users\Admin\AppData\Local\Temp\aL4N.exe"

C:\Users\Admin\AppData\Roaming\aL4N.exe

"C:\Users\Admin\AppData\Roaming\aL4N.exe" "del" C:\Users\Admin\AppData\Local\Temp\aL4N.exe

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\aL4N.exe" "aL4N.exe" ENABLE

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

Country | Destination | Domain | Proto
N/A | 127.0.0.1:1245 | | tcp
(The row above appears 37 times in the report: 37 identical loopback TCP connections to 127.0.0.1:1245, with no domain recorded.)

Files

\Users\Admin\AppData\Roaming\aL4N.exe

MD5 8be9a518d5e5d5aa5f2fe7f0b122f901
SHA1 398ffdbb4cec5b16d5ef43200ff2d91167e97ac6
SHA256 6cd56f8b0f3051ce9f26ae38ad4a63cabb913380a35741028bdccb78ac5b0edf
SHA512 945ff2ce0725b1c694186f3e550607532898bdcea1ee314e84975f8a7744b4b7f083981866033d62e46b86e8c1c6aca1bcf9a1057d9a19d4e318a7a16e63b61e

C:\Users\Admin\AppData\Roaming\aL4N.exe.ini

MD5 301a3e5a5c08c60b2952122a97e1a838
SHA1 c85da2ebd9e1098eed686b8c74016bee728bb942
SHA256 89886e624db56b7f7e7a0a857fc7e63ebfffe9eb69b329489b79dd0a3e24f7fa
SHA512 ce1dcdad347d6c8e6a798b915f8a8d8ac1be4851c0064ab62e80aa85103a472f402b688e94950099a812db1134917fe9d51a7dfa0504e0174e94acdad8ee34d9