1a5d86898d9cc13f1d4b19d9b72a8be580b17f61cd5d464dd5633e9b68735ea5

Analysis

max time kernel
154s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2022, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a5d86898d9cc13f1d4b19d9b72a8be580b17f61cd5d464dd5633e9b68735ea5.exe
Size

327KB
MD5

524753149aadc4a70226a8adc83075d0
SHA1

62edf780518cbf46c6818774a6b68dd54a5497fb
SHA256

1a5d86898d9cc13f1d4b19d9b72a8be580b17f61cd5d464dd5633e9b68735ea5
SHA512

beb651b9e5113da23eba2eef36560a358026b067c35ef3721a1a33932ac27fa2d30cbc2185813e63c0d2dd049163807bc64c560d31d8c133fc61bc67bb0145c0
SSDEEP

6144:kKJ9TZmf/mk9O0nz+UtSvYEoIsR2aTrU0l9d44dP2ZQWuuzx6Luzh7e31Cz:kKJXmHmk9O0nzSJ2Bl9dh+eWuuzwyzMa

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
3420	1a5d86898d9cc13f1d4b19d9b72a8be580b17f61cd5d464dd5633e9b68735ea5.exe
3420	1a5d86898d9cc13f1d4b19d9b72a8be580b17f61cd5d464dd5633e9b68735ea5.exe
3420	1a5d86898d9cc13f1d4b19d9b72a8be580b17f61cd5d464dd5633e9b68735ea5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	1a5d86898d9cc13f1d4b19d9b72a8be580b17f61cd5d464dd5633e9b68735ea5.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	1a5d86898d9cc13f1d4b19d9b72a8be580b17f61cd5d464dd5633e9b68735ea5.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3420	1a5d86898d9cc13f1d4b19d9b72a8be580b17f61cd5d464dd5633e9b68735ea5.exe
3420	1a5d86898d9cc13f1d4b19d9b72a8be580b17f61cd5d464dd5633e9b68735ea5.exe

C:\Users\Admin\AppData\Local\Temp\1a5d86898d9cc13f1d4b19d9b72a8be580b17f61cd5d464dd5633e9b68735ea5.exe
"C:\Users\Admin\AppData\Local\Temp\1a5d86898d9cc13f1d4b19d9b72a8be580b17f61cd5d464dd5633e9b68735ea5.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:3420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tsu04861563.dll

Filesize
281KB

MD5
d2f5e22bbaf2127afa9d48ca8c327828

SHA1
88e7ffab374ec625bcb18e5d2633eb4587f3d6c2

SHA256
8838479cfb536fcbf5502f68b9167ac877abe69c59f4066a84ce6c7846c93be5

SHA512
10b7e219d0333a5afb714ae3a43e0ce70d6a92394994e145d53fb9d6742b8ea517ab8e25de25a535779c537652bcff5a020c83ced77a3b44f0970311c65e8594

Download Submit
C:\Users\Admin\AppData\Local\Temp\{55015BA6-980B-40F4-A638-313FFD49C784}\_Setup.dll

Filesize
173KB

MD5
7dc5c89e3c2bf8708d45491b20c1a6c4

SHA1
471d9264456d9b4333a3febccc6dc297588ef901

SHA256
48d65a10e6996bf904ab67897ef52f41fe3bab2dbc94bd2bb2510db7a2b107d9

SHA512
f67747ee384f18361d064d8e5ac30e73837f29fcdc7a997c834f525469dbaf9f399eee533f2b91c0c4cef1191de214a687bbb71597b327cd30097149e3660724

Download Submit
C:\Users\Admin\AppData\Local\Temp\{55015BA6-980B-40F4-A638-313FFD49C784}\_Setupx.dll

Filesize
91KB

MD5
8761be444ba2378852d91edf45b17540

SHA1
cecff53378b83f9a53cb519e6a23e159c227ddd5

SHA256
9f707ab1b7bb7e5a3b3c70aabefb09c8f1bc79f1a1bc1fdc02f41396f04155af

SHA512
a464231bbf2240ff35448932697d6c0c048f3535e481a264bdb6e685f7905aa728c9560c0ec14f40f19bc713e0681f08ab82e0e554709c02645a736f336b938c

Download Submit