3fa8397e0b6c8825000ee96b8bb9e2255d879ade82bb94302bb535adc65a0c9d

Analysis

max time kernel
82s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fa8397e0b6c8825000ee96b8bb9e2255d879ade82bb94302bb535adc65a0c9d.exe
Size

324KB
MD5

71dad9770f05df00bcde9d08efa6aee0
SHA1

8e77790537fc9fe09d61497160217cb66899082e
SHA256

3fa8397e0b6c8825000ee96b8bb9e2255d879ade82bb94302bb535adc65a0c9d
SHA512

f83f48b93fd13216af8ca03b31f2474d2abd8922783e4a20191c2d9c701b45e36e11fb21516dc9a2ca5b7ba1066ce425f1cb9e67e2836966aa8c60bebefb28a0
SSDEEP

6144:7rwP9uEo2S1YnQmCX492DkwNP3qpYF+gkWr01QLNTMuLYlT0Ysrw0EW0gDmOu4q:7rUu6/eIo4bQLNgf27M0d0gDm9

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
3036	3fa8397e0b6c8825000ee96b8bb9e2255d879ade82bb94302bb535adc65a0c9d.exe
3036	3fa8397e0b6c8825000ee96b8bb9e2255d879ade82bb94302bb535adc65a0c9d.exe
3036	3fa8397e0b6c8825000ee96b8bb9e2255d879ade82bb94302bb535adc65a0c9d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3fa8397e0b6c8825000ee96b8bb9e2255d879ade82bb94302bb535adc65a0c9d.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	3fa8397e0b6c8825000ee96b8bb9e2255d879ade82bb94302bb535adc65a0c9d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3036	3fa8397e0b6c8825000ee96b8bb9e2255d879ade82bb94302bb535adc65a0c9d.exe
3036	3fa8397e0b6c8825000ee96b8bb9e2255d879ade82bb94302bb535adc65a0c9d.exe

C:\Users\Admin\AppData\Local\Temp\3fa8397e0b6c8825000ee96b8bb9e2255d879ade82bb94302bb535adc65a0c9d.exe
"C:\Users\Admin\AppData\Local\Temp\3fa8397e0b6c8825000ee96b8bb9e2255d879ade82bb94302bb535adc65a0c9d.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:3036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tsu1A595315.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A352641A-A1C5-4BFA-A911-E9E778B146EC}\Custom.dll

Filesize
73KB

MD5
56e4e9e881524397c9f6dca5ca70b1e8

SHA1
8ad77bad589591171eb94a593c3814a3b742f79c

SHA256
2e6e83c80a887c82c890053f491e0cb24074967b5ae7af7c8c4bcae78af2a22b

SHA512
130c83dfc0db281bd7999edc6c295f122ab3ba00c69353daad988866680a6994365874eb29122b8473930d2ba0df58bdfb27eb8897a819f79c8b8e31e6597700

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A352641A-A1C5-4BFA-A911-E9E778B146EC}\_Setup.dll

Filesize
178KB

MD5
544cd326c7ff8786127b4a8bdfce4188

SHA1
bdc4e984a02ad23592871f15639bd9b36235ad78

SHA256
f9347487cdae8dc01f10099c36f601a498a552ced184de2d2e704414fa37381a

SHA512
bac0e15b680a6b35d2638058599d13f7813f1ebd3427985691b497c23e56145db6191dca6837116f29a6e2c6d3c8cc2f1b3ef8d6271f87607fb6d7e0f24d5feb

Download Submit