e78cd8e6bfc1bbd4c79ff6d66e1fe6b980d4ec4b2dcd319dac53072566c4ce51

Analysis

max time kernel
92s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2022 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e78cd8e6bfc1bbd4c79ff6d66e1fe6b980d4ec4b2dcd319dac53072566c4ce51.exe
Size

314KB
MD5

a0b093c9be8ca9cdd5ce7f1bb1f2a740
SHA1

10f58f5841d604581c988c1e59d3f45d15f502a7
SHA256

e78cd8e6bfc1bbd4c79ff6d66e1fe6b980d4ec4b2dcd319dac53072566c4ce51
SHA512

2f02a01a623b34dc5baf35413e10f29d4cf5028f38e4d7347dc1b885f22851f4e31c8661fea203da419e79280d302c8f40e4f03ed4231ef3821a9009d20f012f
SSDEEP

6144:FreyVm/vbUzkuvcBYC47l2x1SVkJlzhrx7iY+1t8sBf4+sO6Xd5y5x9B:FrzVm/kkuveY3MGWzlx7DMS7dG9B

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1984	e78cd8e6bfc1bbd4c79ff6d66e1fe6b980d4ec4b2dcd319dac53072566c4ce51.exe
1984	e78cd8e6bfc1bbd4c79ff6d66e1fe6b980d4ec4b2dcd319dac53072566c4ce51.exe
1984	e78cd8e6bfc1bbd4c79ff6d66e1fe6b980d4ec4b2dcd319dac53072566c4ce51.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	e78cd8e6bfc1bbd4c79ff6d66e1fe6b980d4ec4b2dcd319dac53072566c4ce51.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	e78cd8e6bfc1bbd4c79ff6d66e1fe6b980d4ec4b2dcd319dac53072566c4ce51.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1984	e78cd8e6bfc1bbd4c79ff6d66e1fe6b980d4ec4b2dcd319dac53072566c4ce51.exe
1984	e78cd8e6bfc1bbd4c79ff6d66e1fe6b980d4ec4b2dcd319dac53072566c4ce51.exe

C:\Users\Admin\AppData\Local\Temp\e78cd8e6bfc1bbd4c79ff6d66e1fe6b980d4ec4b2dcd319dac53072566c4ce51.exe
"C:\Users\Admin\AppData\Local\Temp\e78cd8e6bfc1bbd4c79ff6d66e1fe6b980d4ec4b2dcd319dac53072566c4ce51.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TsuEBDBFFED.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7CE883C0-AD22-494B-ABA0-E500A70BA136}\Custom.dll

Filesize
91KB

MD5
a2a81b0e4c80fb76704b1d79e937aff8

SHA1
2c6bdb07bba01186b59dbf1ba107bd27c2d9e00d

SHA256
a59dcfc80305319700a9390f0e9770c446497b8b6b373c5dfd32bc08b13f47aa

SHA512
c3e02e446a69b6fb45d0cbd6c6d9943b4163e5002edaaf10893a35c5fb02d9d4e83863352bf28fd0ce85a7f18e9fa4c7f61a3083d9f2aa0d6d88e0a5d100f6d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7CE883C0-AD22-494B-ABA0-E500A70BA136}\_Setup.dll

Filesize
173KB

MD5
63c4055bdfe2b293be2e5d245bcb58a0

SHA1
3dc358a031c34b9709dae920f0aad796fe2153b5

SHA256
ecde6d486664067d0da60ef52d416f9d405d0bb3bf8c0d7cfbf3931583bd4136

SHA512
95804ce3635b64567b145afffb602d4e34480fa314a9db5d703802956003b8db2e80457a07729104309f850d41f2694ad8c4da081ebed48c7b6749ce986e1f7e

Download Submit