ad96c936cde8e761eb47a0e7ba8c1a892347878cf9f3e5223a7788ba23c2fd48

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad96c936cde8e761eb47a0e7ba8c1a892347878cf9f3e5223a7788ba23c2fd48.exe
Size

332KB
MD5

81f26a8951d436eb2f862a5e1f5573fa
SHA1

2ebe95e4ba154478579491b22f8b0f5a3b610900
SHA256

ad96c936cde8e761eb47a0e7ba8c1a892347878cf9f3e5223a7788ba23c2fd48
SHA512

24c70ba8ef288d11ee9340aba1840b90bdb0da1d5fd4e1468b6460e4d1999c5f48698bd60fe5ace9b854e30fca6bfb73ebf4f13ed31b57025fb228593c7ff73a
SSDEEP

6144:HrwB9uEo2S1YnQmCX492DkwNP3qpYFAbM+MDxdAVxvPNFzrkUvlaLQKyPy6HKaJB:HrGu6/eIo4+PejvvlvKyPvq2B

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1064	ad96c936cde8e761eb47a0e7ba8c1a892347878cf9f3e5223a7788ba23c2fd48.exe
1064	ad96c936cde8e761eb47a0e7ba8c1a892347878cf9f3e5223a7788ba23c2fd48.exe
1064	ad96c936cde8e761eb47a0e7ba8c1a892347878cf9f3e5223a7788ba23c2fd48.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	ad96c936cde8e761eb47a0e7ba8c1a892347878cf9f3e5223a7788ba23c2fd48.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	ad96c936cde8e761eb47a0e7ba8c1a892347878cf9f3e5223a7788ba23c2fd48.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1064	ad96c936cde8e761eb47a0e7ba8c1a892347878cf9f3e5223a7788ba23c2fd48.exe
1064	ad96c936cde8e761eb47a0e7ba8c1a892347878cf9f3e5223a7788ba23c2fd48.exe

C:\Users\Admin\AppData\Local\Temp\ad96c936cde8e761eb47a0e7ba8c1a892347878cf9f3e5223a7788ba23c2fd48.exe
"C:\Users\Admin\AppData\Local\Temp\ad96c936cde8e761eb47a0e7ba8c1a892347878cf9f3e5223a7788ba23c2fd48.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tsu5156A243.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D3249264-8F39-46B4-A45F-C71B08C7B092}\Custom.dll

Filesize
91KB

MD5
156e10be1df7468b247c4a6f629b1c9e

SHA1
b84da289fa8bec345109ac49e4ec6754179efc49

SHA256
c568abf39b7c7be25a72e3ccb846a055ada002fa382c3431fd4fc8f755c42568

SHA512
326c826eae92d738d03af35caf0d35cc304cde4ce29c26d1da5360b7372ed01aa8d08a71029a3dd74b5c3d41f60c96a2aa22a18e66e776138a4bb911f9289433

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D3249264-8F39-46B4-A45F-C71B08C7B092}\_Setup.dll

Filesize
179KB

MD5
c84009c68bf58a0aa7b82a1018a326d7

SHA1
7ba454ed320f825d14aab502ec84b783d6a66d49

SHA256
2dc9fdffee50f843b249cbb36a105606335e9450ca017d73e449a0644ccf50e5

SHA512
0f850cb456a73e342ec251d450475db77b0430dbe552c6e7c8c9d2a8d05f433bc6e3edafeb0d1f43598bbf2c436a52c00912bc41c7edbf085761eae405706564

Download Submit