bdc9d1464bc134fba84ad814eab3901f7f16ec8da8647f1a01aa66e63f69cfd4

General

Target

b9dc1399a6f3b9f4e2143f97c8b33c7e.exe
Size

100KB
MD5

b9dc1399a6f3b9f4e2143f97c8b33c7e
SHA1

959a332b99fb39b6e743b9c46cd509906fee23eb
SHA256

bdc9d1464bc134fba84ad814eab3901f7f16ec8da8647f1a01aa66e63f69cfd4
SHA512

602a3f186e61e1e8bdc402bd2e79fce7c12f7b8e2f595b52b432c2439cc3a587ee47ca7cdcc5f5c59b406099b26a41719d84d11062ab03752d9afe17857dda85
SSDEEP

3072:fg5qO5/oPeu37EgnA0oe+JQzBvD7Vly8:NO5/oPeurVgnQtvD7S

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b9dc1399a6f3b9f4e2143f97c8b33c7e.exe

Deletes itself 1 IoCs

pid	Process
2624	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1724	ld11.exe

Loads dropped DLL 4 IoCs

pid	Process
2088	b9dc1399a6f3b9f4e2143f97c8b33c7e.exe
1724	ld11.exe
1724	ld11.exe
1724	ld11.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OKOTray = "C:\\Users\\Public\\Music\\ld11.exe"	ld11.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b9dc1399a6f3b9f4e2143f97c8b33c7e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ld11.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\dxxdv34567.bat	b9dc1399a6f3b9f4e2143f97c8b33c7e.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\SOFTWARE\Microsoft\Internet Explorer\Main	ld11.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\TP = "4"	ld11.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1724	2088	b9dc1399a6f3b9f4e2143f97c8b33c7e.exe	28
PID 2088 wrote to memory of 1724	2088	b9dc1399a6f3b9f4e2143f97c8b33c7e.exe	28
PID 2088 wrote to memory of 1724	2088	b9dc1399a6f3b9f4e2143f97c8b33c7e.exe	28
PID 2088 wrote to memory of 1724	2088	b9dc1399a6f3b9f4e2143f97c8b33c7e.exe	28
PID 2088 wrote to memory of 1724	2088	b9dc1399a6f3b9f4e2143f97c8b33c7e.exe	28
PID 2088 wrote to memory of 1724	2088	b9dc1399a6f3b9f4e2143f97c8b33c7e.exe	28
PID 2088 wrote to memory of 1724	2088	b9dc1399a6f3b9f4e2143f97c8b33c7e.exe	28
PID 2088 wrote to memory of 2624	2088	b9dc1399a6f3b9f4e2143f97c8b33c7e.exe	29
PID 2088 wrote to memory of 2624	2088	b9dc1399a6f3b9f4e2143f97c8b33c7e.exe	29
PID 2088 wrote to memory of 2624	2088	b9dc1399a6f3b9f4e2143f97c8b33c7e.exe	29
PID 2088 wrote to memory of 2624	2088	b9dc1399a6f3b9f4e2143f97c8b33c7e.exe	29
PID 2088 wrote to memory of 2624	2088	b9dc1399a6f3b9f4e2143f97c8b33c7e.exe	29
PID 2088 wrote to memory of 2624	2088	b9dc1399a6f3b9f4e2143f97c8b33c7e.exe	29
PID 2088 wrote to memory of 2624	2088	b9dc1399a6f3b9f4e2143f97c8b33c7e.exe	29

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b9dc1399a6f3b9f4e2143f97c8b33c7e.exe

C:\Users\Admin\AppData\Local\Temp\b9dc1399a6f3b9f4e2143f97c8b33c7e.exe
"C:\Users\Admin\AppData\Local\Temp\b9dc1399a6f3b9f4e2143f97c8b33c7e.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2088
- C:\Users\Public\Music\ld11.exe
  C:\Users\Public\Music\ld11.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\dxxdv34567.bat
  2⤵
  - Deletes itself
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\dxxdv34567.bat

Filesize
249B

MD5
4f8e06c27d0d557be8be293383bd44bc

SHA1
d5adcf73082fbf02b7c9b55f93e8ff9aa99bc213

SHA256
780f7f022b878a3e99fdfa085f721109211c271f25066cc9876850066fe58502

SHA512
e29e0de5502cc2f4be91392e9982baf3b946b5ddd57edc012586b39bc5e37f1f29f4f758ca338b2ca606cca316b5eff6f64dd0f4555bfe6964c530df5eaf7e07

Download Submit
\Users\Public\Music\ld11.exe

Filesize
100KB

MD5
b9dc1399a6f3b9f4e2143f97c8b33c7e

SHA1
959a332b99fb39b6e743b9c46cd509906fee23eb

SHA256
bdc9d1464bc134fba84ad814eab3901f7f16ec8da8647f1a01aa66e63f69cfd4

SHA512
602a3f186e61e1e8bdc402bd2e79fce7c12f7b8e2f595b52b432c2439cc3a587ee47ca7cdcc5f5c59b406099b26a41719d84d11062ab03752d9afe17857dda85

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads