24063fc7bba5f455e6f6e258b676b8c32aabc7f849d7070b7ac4540e3fcaddd9

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 05:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

24063fc7bba5f455e6f6e258b676b8c32aabc7f849d7070b7ac4540e3fcaddd9.exe
Size

334KB
MD5

48dc1ac0ca1539202f90cd0968dbc8a0
SHA1

6ee8e4d392f3ff0d950e8e4f7fed2c76086cb500
SHA256

24063fc7bba5f455e6f6e258b676b8c32aabc7f849d7070b7ac4540e3fcaddd9
SHA512

2befb7efa1bbdabc920830a2c4bc5649b96f4e6bac950ad93ed8c060c43db89801eb5b0576468d0c7e789a59ad5fb633a29766ffbb978cd8e6578f41f86998a1
SSDEEP

6144:rrv3cRbUzkuvcBYC47l2xgu8Gbi2NXjueHmjXMbB4e3DUvvHM34:rrv3cSkuveY3GbPv773DU3M34

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1348	24063fc7bba5f455e6f6e258b676b8c32aabc7f849d7070b7ac4540e3fcaddd9.exe
1348	24063fc7bba5f455e6f6e258b676b8c32aabc7f849d7070b7ac4540e3fcaddd9.exe
1348	24063fc7bba5f455e6f6e258b676b8c32aabc7f849d7070b7ac4540e3fcaddd9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	24063fc7bba5f455e6f6e258b676b8c32aabc7f849d7070b7ac4540e3fcaddd9.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	24063fc7bba5f455e6f6e258b676b8c32aabc7f849d7070b7ac4540e3fcaddd9.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1348	24063fc7bba5f455e6f6e258b676b8c32aabc7f849d7070b7ac4540e3fcaddd9.exe

C:\Users\Admin\AppData\Local\Temp\24063fc7bba5f455e6f6e258b676b8c32aabc7f849d7070b7ac4540e3fcaddd9.exe
"C:\Users\Admin\AppData\Local\Temp\24063fc7bba5f455e6f6e258b676b8c32aabc7f849d7070b7ac4540e3fcaddd9.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Tsu2E603BA9.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
\Users\Admin\AppData\Local\Temp\{46F14A38-5C1B-4D4E-AFA5-14399D1268CE}\Custom.dll

Filesize
91KB

MD5
03ca3605fbe9d25a9118e3182476c9be

SHA1
9927b82a825e80cfb729deb18f1c168bec922b02

SHA256
b15c45312f308023d96b33ca0f05e61d0c9dd8167529fdcd3e483ce0b5229770

SHA512
5f03ca99bfe3a10083d8b7e35692a2479aeaffac4c64c2f718fa4d6a64ac2598d64bcd644ab821ea9a79e0feb3bac832cac7829b64659225587a1db4ca6f160d

Download Submit
\Users\Admin\AppData\Local\Temp\{46F14A38-5C1B-4D4E-AFA5-14399D1268CE}\_Setup.dll

Filesize
183KB

MD5
0423b358302bf9e8c2f7c689204e5891

SHA1
97688b7efdbdc08e96f49a9cb0641371862564c5

SHA256
ed14c4c0feac06fe1a78edb74878073e3369f80f0951c9cede2a2ff8868871e1

SHA512
a7717879f60adef1f7221088e37125604da4ef26dcf5f9ca17a217e51c8b6d78c7a6278bc7373c1a654e93fed5363e998df0a2ae712f29f4d53fae362622aa32

Download Submit
memory/1348-55-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download