fa0e68fd26b13a7afd89e72c62026c47daee81c8e3299ee5f96d17801dbffbdd

Analysis

max time kernel
126s
max time network
149s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa0e68fd26b13a7afd89e72c62026c47daee81c8e3299ee5f96d17801dbffbdd.exe
Size

331KB
MD5

2be6ca74839fc561c31bb8e72a83cf72
SHA1

d783741d5e882f4579a42e086487871d428abf9f
SHA256

fa0e68fd26b13a7afd89e72c62026c47daee81c8e3299ee5f96d17801dbffbdd
SHA512

5a1f688ead4f7dc93512c739dedc62f35e56385ba89d95253b2b0301c27b2aac14642b7fb31840e39794f90abd625ee2e4ad3b8b3b1c1ffc998d9fd3cf01255e
SSDEEP

6144:Miz3sFH6uzSM41JiQKDGtrXhTIZxCxykOxvQYRJsOBErsp:MizsdzsrBr3uosjvQ4BEgp

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

Processes:

fa0e68fd26b13a7afd89e72c62026c47daee81c8e3299ee5f96d17801dbffbdd.exe

pid	process
2028	fa0e68fd26b13a7afd89e72c62026c47daee81c8e3299ee5f96d17801dbffbdd.exe
2028	fa0e68fd26b13a7afd89e72c62026c47daee81c8e3299ee5f96d17801dbffbdd.exe
2028	fa0e68fd26b13a7afd89e72c62026c47daee81c8e3299ee5f96d17801dbffbdd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fa0e68fd26b13a7afd89e72c62026c47daee81c8e3299ee5f96d17801dbffbdd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	fa0e68fd26b13a7afd89e72c62026c47daee81c8e3299ee5f96d17801dbffbdd.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	fa0e68fd26b13a7afd89e72c62026c47daee81c8e3299ee5f96d17801dbffbdd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

fa0e68fd26b13a7afd89e72c62026c47daee81c8e3299ee5f96d17801dbffbdd.exe

pid process

2028 fa0e68fd26b13a7afd89e72c62026c47daee81c8e3299ee5f96d17801dbffbdd.exe

C:\Users\Admin\AppData\Local\Temp\fa0e68fd26b13a7afd89e72c62026c47daee81c8e3299ee5f96d17801dbffbdd.exe
"C:\Users\Admin\AppData\Local\Temp\fa0e68fd26b13a7afd89e72c62026c47daee81c8e3299ee5f96d17801dbffbdd.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\TsuB8160D3F.dll
Filesize
278KB

MD5
0dab45171079ed149d085eb328ae6651

SHA1
72c0a2ca047d08bdaec89e4f90d515cf2cb0a874

SHA256
fd0e5db89ed182858dd4375c2cd4291cab58e96dc759d40741b79441267e1492

SHA512
26cde548f4e57bdeeabe03efbfc961b83f9e227eb6a64366358e97a60f05cff514f1aa5c7cd8ec4710e1cfb89fcb5a769cc255c579babb6495e09f1ce2d5de42

Download Submit
\Users\Admin\AppData\Local\Temp\{93B0E63C-D041-4C4C-AA80-79753BF87A1E}\Custom.dll
Filesize
91KB

MD5
de9b2b1e7a24b7fdf9d37fd648790812

SHA1
68547d76fa4f37f4fdbb3867735e0211b3c4615e

SHA256
050cf735db8f9b071f90b3113dca58935b7e5422871852501ca146cabb42b07d

SHA512
baa73c2e11025324821b03efc49787de541972521cf237ba1d842ada2b75376faee1817e8b853095d146d1fb06f4317a7714b506f43637a9225c3cab7afa100e

Download Submit
\Users\Admin\AppData\Local\Temp\{93B0E63C-D041-4C4C-AA80-79753BF87A1E}\_Setup.dll
Filesize
172KB

MD5
a48ce1992b79a24e02a5280dcd6597ca

SHA1
90c04ae83824b063217e657f8ec5033436d3598f

SHA256
dbb62a224d6ce11c1c24197e626e3c3e1e2e1f64d1bae38c95c40f7ba84f9465

SHA512
9f5b68d965fd08a2023c80800714395e5f66b59aad54ae63addef38abe7f2f17abff22f8c634a401f79ef7649bf79355fb94c4868af088f7f98f0451ede1a370

Download Submit
memory/2028-55-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download