99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1

General

Target

99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe
Size

869KB
MD5

a1e7945e74bf923ae4f1026788efea0a
SHA1

3163f414709ba341f28eeefe1f7dd5e0bb610c8a
SHA256

99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1
SHA512

683b3fd54564253b534be552cf8e03b1779aae084c7af992f601e20c3a252b7356e9fa7af74852b9063178fca6c82257b503166361b84610a0cb000a04d8d201
SSDEEP

12288:ExK4t1ZCpDXFBRE7loUE8ie4nleGW7OKywcuto0IjxkJy09MvTno1p93VCIsfGKi:Ert1YpDDa7GtreqfiTZIyR6no1P3V6m5

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1732	99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe
1732	99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe
1732	99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe
1732	99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2908	2160	99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe	28
PID 2160 wrote to memory of 2908	2160	99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe	28
PID 2160 wrote to memory of 2908	2160	99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe	28
PID 2160 wrote to memory of 2908	2160	99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe	28
PID 2160 wrote to memory of 2908	2160	99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe	28
PID 2160 wrote to memory of 2908	2160	99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe	28
PID 2160 wrote to memory of 2908	2160	99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe	28
PID 2908 wrote to memory of 1732	2908	99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe	29
PID 2908 wrote to memory of 1732	2908	99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe	29
PID 2908 wrote to memory of 1732	2908	99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe	29
PID 2908 wrote to memory of 1732	2908	99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe	29
PID 2908 wrote to memory of 1732	2908	99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe	29
PID 2908 wrote to memory of 1732	2908	99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe	29
PID 2908 wrote to memory of 1732	2908	99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe	29

C:\Users\Admin\AppData\Local\Temp\99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe
"C:\Users\Admin\AppData\Local\Temp\99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe
  "C:\Users\Admin\AppData\Local\Temp\99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe
    "C:\Users\Admin\AppData\Local\Temp\99a6de420fa86f0e0a84e67cf970dfd7bc5289cf9ede1e93b56dd548ed1c59d1.exe"
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\biwKhHG7qPtLyEmCL3x\1KkvZ2An7.dll

Filesize
75KB

MD5
9042e311fd7a8eb08c1fdd60f97854e3

SHA1
f0ca96ace58b2d38990eb341d0857799fce12bf7

SHA256
aa91662713834c8eb0e2d85e50d560cf1219a345196e94d27cd76a732eea045b

SHA512
a88baa9dab5a63e48de0e303c5317427a178e9f792993b0715d4366c4ef5255d8c293aa88278ad467e12a8f21657c2621d9880790ea575df08b84ebabb8088f8

Download Submit
\Users\Admin\AppData\Local\Temp\biwKhHG7qPtLyEmCL3x\2U1pcdGbiX.dll

Filesize
200KB

MD5
c2ac0c02d7d036e226bee60bd58d6959

SHA1
a271ae6fb59606395ee6fee3bdfd10e65b6d7759

SHA256
56ec445510f70b40e0fc67b38fa94bb6f184519bdb555e8eadda82e05e3063a0

SHA512
05888855c588611489b6b338dff8982ed6293d4f32d9a4970d950fffc3f7456e45bee19467388dda73fe29f832705ad76740ea864d71e9f39e59744c2e6b0196

Download Submit
\Users\Admin\AppData\Local\Temp\biwKhHG7qPtLyEmCL3x\lua51.dll

Filesize
494KB

MD5
a6b2b32da766e6e79c81073ad4c19716

SHA1
0c1502b829105bdc13c4f075842833e5113c92da

SHA256
850c99ae0349faa19bd5218aec4790f34a2a541e8304e4ecc2393ac39a50d327

SHA512
5e2e63bf0e5d801d194351a1028b296fde07a331ac0a9388e07bae3c990e1e9dc45fab0826e455803e113f2e48b61bbf40038fd1c2754e0ebc2a8befc445c6ab

Download Submit
\Users\Admin\AppData\Local\Temp\biwKhHG7qPtLyEmCL3x\yZvWSsXxcDUukLwXNnrSdEbC90vWFf90iJ.dll

Filesize
5KB

MD5
44dac7f87bdf94d553f8d2cf073d605d

SHA1
21bf5d714b9fcab32ba40ff7d36e48c378b67a06

SHA256
0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66

SHA512
92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

Download Submit
memory/1732-5-0x00000000003B0000-0x00000000003C7000-memory.dmp

Filesize
92KB

Download
memory/1732-10-0x0000000000420000-0x0000000000456000-memory.dmp

Filesize
216KB

Download
memory/1732-13-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/1732-15-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/1732-14-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/1732-16-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/1732-17-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing