Analysis Overview
SHA256
6cd56f8b0f3051ce9f26ae38ad4a63cabb913380a35741028bdccb78ac5b0edf
Threat Level: Likely malicious
The file aL4N.exe was found to be: Likely malicious.
Malicious Activity Summary
Modifies Windows Firewall
Executes dropped EXE
Drops startup file
Loads dropped DLL
Adds Run key to start application
Enumerates connected drives
AutoIT Executable
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 16:43
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 16:43
Reported
2024-03-02 16:46
Platform
win7-20240220-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aL4N.exe | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aL4N.exe | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aL4N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aL4N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aL4N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aL4N.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\aL4N.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\aL4N.exe\"" | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aL4N.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\aL4N.exe\"" | C:\Users\Admin\AppData\Roaming\aL4N.exe | N/A |
Enumerates connected drives
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2872 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\aL4N.exe | C:\Users\Admin\AppData\Roaming\aL4N.exe |
| PID 2872 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\aL4N.exe | C:\Users\Admin\AppData\Roaming\aL4N.exe |
| PID 2872 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\aL4N.exe | C:\Users\Admin\AppData\Roaming\aL4N.exe |
| PID 2872 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\aL4N.exe | C:\Users\Admin\AppData\Roaming\aL4N.exe |
| PID 2516 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Roaming\aL4N.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2516 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Roaming\aL4N.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2516 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Roaming\aL4N.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2516 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Roaming\aL4N.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\aL4N.exe
"C:\Users\Admin\AppData\Local\Temp\aL4N.exe"
C:\Users\Admin\AppData\Roaming\aL4N.exe
"C:\Users\Admin\AppData\Roaming\aL4N.exe" "del" C:\Users\Admin\AppData\Local\Temp\aL4N.exe
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\aL4N.exe" "aL4N.exe" ENABLE
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp | |
| N/A | 127.0.0.1:1245 | tcp |
Files
\Users\Admin\AppData\Roaming\aL4N.exe
| MD5 | 8be9a518d5e5d5aa5f2fe7f0b122f901 |
| SHA1 | 398ffdbb4cec5b16d5ef43200ff2d91167e97ac6 |
| SHA256 | 6cd56f8b0f3051ce9f26ae38ad4a63cabb913380a35741028bdccb78ac5b0edf |
| SHA512 | 945ff2ce0725b1c694186f3e550607532898bdcea1ee314e84975f8a7744b4b7f083981866033d62e46b86e8c1c6aca1bcf9a1057d9a19d4e318a7a16e63b61e |
C:\Users\Admin\AppData\Roaming\aL4N.exe.ini
| MD5 | 301a3e5a5c08c60b2952122a97e1a838 |
| SHA1 | c85da2ebd9e1098eed686b8c74016bee728bb942 |
| SHA256 | 89886e624db56b7f7e7a0a857fc7e63ebfffe9eb69b329489b79dd0a3e24f7fa |
| SHA512 | ce1dcdad347d6c8e6a798b915f8a8d8ac1be4851c0064ab62e80aa85103a472f402b688e94950099a812db1134917fe9d51a7dfa0504e0174e94acdad8ee34d9 |