099026fa1a57a3bea743a4313415a4402d1d380e44ae91cf7b36c3d46ce20f96

Analysis

max time kernel
140s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 03:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

099026fa1a57a3bea743a4313415a4402d1d380e44ae91cf7b36c3d46ce20f96.exe
Size

314KB
MD5

e264b4a420b23bb1dd47b8be11552ad9
SHA1

e772c60658184e3f56e9b520584bc0e0b6e59472
SHA256

099026fa1a57a3bea743a4313415a4402d1d380e44ae91cf7b36c3d46ce20f96
SHA512

0ba51abc0d823a339b05a7f1a74de28964edd64fc7a6cbf2c9831d9716c5c603847a609f95c092becf3ce4c32cf003fe02fe7ea60ec32413441abc548fd9cb65
SSDEEP

6144:ArAbUzkuvcBYC47l2xn88NEymFTYO67qzVxzRRwi:Ar1kuveY35YO67Wxz7wi

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1424	099026fa1a57a3bea743a4313415a4402d1d380e44ae91cf7b36c3d46ce20f96.exe
1424	099026fa1a57a3bea743a4313415a4402d1d380e44ae91cf7b36c3d46ce20f96.exe
1424	099026fa1a57a3bea743a4313415a4402d1d380e44ae91cf7b36c3d46ce20f96.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	099026fa1a57a3bea743a4313415a4402d1d380e44ae91cf7b36c3d46ce20f96.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	099026fa1a57a3bea743a4313415a4402d1d380e44ae91cf7b36c3d46ce20f96.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1424	099026fa1a57a3bea743a4313415a4402d1d380e44ae91cf7b36c3d46ce20f96.exe

C:\Users\Admin\AppData\Local\Temp\099026fa1a57a3bea743a4313415a4402d1d380e44ae91cf7b36c3d46ce20f96.exe
"C:\Users\Admin\AppData\Local\Temp\099026fa1a57a3bea743a4313415a4402d1d380e44ae91cf7b36c3d46ce20f96.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Tsu620D1803.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
\Users\Admin\AppData\Local\Temp\{8A1AFCFA-4813-4D78-AF93-003151F9DE0C}\Custom.dll

Filesize
91KB

MD5
71ffb31fe40a3f10913982ee89fa764c

SHA1
c17fa19479a7559f666a30d2932a2b9d540bd0ee

SHA256
b0e3f473796f639cab1354971740405bc39a096839ac53b4dfaae2c4acb71599

SHA512
6913a278fa38b9cef7b317ed7eab7773447dbc786d60531455c5cb28d82c677b472f2c50b3b9e1a8a71290757f064c828721633fb5f7bef47897dc740b1567ab

Download Submit
\Users\Admin\AppData\Local\Temp\{8A1AFCFA-4813-4D78-AF93-003151F9DE0C}\_Setup.dll

Filesize
170KB

MD5
449e327ad7b62d3a446b1d5c97c76dea

SHA1
834bfc7bef4a08ddf4dfaf0e1a1f424b66456903

SHA256
2d0f7824d781e1372ea5a931dc5aba9a76164adfbf95d0a50a785403bc0a2e2f

SHA512
f99fbd4d5e2084a91fc21a2467a447350b14a61940c30482f67c28877863693c41f9e928a39752e7fecffc8bfba609b887ddaa5bbd70e1fec18483bf1e85e986

Download Submit
memory/1424-55-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download