f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
Size

316KB
MD5

020aa7744a4d589cac1f0d412439b6d0
SHA1

ba59fc6931504e47dcd722264e1026c68670e383
SHA256

f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908
SHA512

d76e3b744caf60f88e6f08a290ad17a2c2fb94ed53fd20bf8ba61cb2b3ac2fce6149bede7407af53958000356e1c70cf4889e78b17212bbf5261f69336bdb5d7
SSDEEP

6144:erFbUzkuvcBYC47l2xWFAS3r/n2KvN48uFPPDZyMY:er2kuveY3ZF31N4XxZjY

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
3912	f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
3912	f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
3912	f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3912	f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
3912	f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe

C:\Users\Admin\AppData\Local\Temp\f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe
"C:\Users\Admin\AppData\Local\Temp\f15de4cae4850143db07ef4b74f479281d30bca396353b2e3b7943616b0fa908.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:3912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TsuDC436D46.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C15CCA44-8BDB-4935-ABDE-C3F91ABFE8B2}\Custom.dll

Filesize
91KB

MD5
74187f0d3091d876c86cd59e6d274723

SHA1
da269d0d9db1815e599dcd4342eb7664d70c3eb6

SHA256
d1e0c357c47d79cc8ba115e7553ffc0825aacc7ef4708fc9f5e71f3fd4d01350

SHA512
2ffab239d2efa6423fd08ca1f9b0b76bc6cd65902fd7ca56955b6737a92d4559e21c22c79895f3b02a57a48e6dd75057ff1d76e2e149d28cf808d24465d12e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C15CCA44-8BDB-4935-ABDE-C3F91ABFE8B2}\_Setup.dll

Filesize
173KB

MD5
a6c39fc01edc16a6e57993c823eff346

SHA1
7353185a6988dbb095cb45972d93596f306e9a53

SHA256
be04588168f4c44d71d197f2777922d72afa11f81d8e9c7badbd61bc7abb2ce5

SHA512
65a762ebf88c4d0ada482411a5f0ec7532206c3145e4148c82a7a1989ba682a7805e78025650720e780eaf6541859431471306f699d582077f4b61ff4f2a421e

Download Submit