6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b

Analysis

max time kernel
144s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 15:59 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe
Size

303KB
MD5

da50ed509b0c0333689b1f06fbd2dfe1
SHA1

4fb2b74b80f76a62f73e4a09d6f69b0240e41fae
SHA256

6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b
SHA512

0ea04e95bfba3a2236864481a2d7ec4a78a9f0ebb536efb126a9e8350efb14258414dcd87e4b4e374aa2eea57390be53752ad9ba8c7dfe79e8cdeca78bf45275
SSDEEP

6144:krkX6Y0JQBkQRl7174NpNUM+UHs+h43nRLFJO2t3OEhLSMwcU9P4WbXQx7B:krkX63yRl1uqM+gs+2RLTf+QLShvQx7B

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
3416	6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe
3416	6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe
3416	6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3416	6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe
3416	6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe

C:\Users\Admin\AppData\Local\Temp\6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe
"C:\Users\Admin\AppData\Local\Temp\6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:3416

Network

DNS

c1.stylefun.info

6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe

Remote address:

8.8.8.8:53

Request

c1.stylefun.info

IN A

Response
DNS

r1.stylefun.info

6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe

Remote address:

8.8.8.8:53

Request

r1.stylefun.info

IN A

Response
DNS

c2.styleapp.info

6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe

Remote address:

8.8.8.8:53

Request

c2.styleapp.info

IN A

Response
DNS

c2.styleapp.info

6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe

Remote address:

8.8.8.8:53

Request

c2.styleapp.info

IN A

Response
DNS

r2.styleapp.info

6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe

Remote address:

8.8.8.8:53

Request

r2.styleapp.info

IN A

Response
DNS

c1.stylefun.info

6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe

Remote address:

8.8.8.8:53

Request

c1.stylefun.info

IN A

Response
DNS

c2.styleapp.info

6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe

Remote address:

8.8.8.8:53

Request

c2.styleapp.info

IN A

Response
DNS

c1.stylefun.info

6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe

Remote address:

8.8.8.8:53

Request

c1.stylefun.info

IN A

Response
DNS

c2.styleapp.info

6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe

Remote address:

8.8.8.8:53

Request

c2.styleapp.info

IN A

Response
DNS

151.122.125.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

151.122.125.40.in-addr.arpa

IN PTR

Response
DNS

14.110.152.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.110.152.52.in-addr.arpa

IN PTR

Response
DNS

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa

Remote address:

8.8.8.8:53

Request

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa

IN PTR

Response

13.69.239.72:443

322 B
7
209.197.3.8:80

322 B
7
209.197.3.8:80

322 B
7
8.253.208.112:80

46 B
40 B
1
1
8.253.208.120:80

46 B
40 B
1
1

8.8.8.8:53

c1.stylefun.info

dns

6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe

62 B
141 B
1
1

DNS Request

c1.stylefun.info
8.8.8.8:53

r1.stylefun.info

dns

6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe

62 B
141 B
1
1

DNS Request

r1.stylefun.info
8.8.8.8:53

c2.styleapp.info

dns

6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe

124 B
282 B
2
2

DNS Request

c2.styleapp.info

DNS Request

c2.styleapp.info
8.8.8.8:53

r2.styleapp.info

dns

6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe

62 B
141 B
1
1

DNS Request

r2.styleapp.info
8.8.8.8:53

c1.stylefun.info

dns

6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe

62 B
141 B
1
1

DNS Request

c1.stylefun.info
8.8.8.8:53

c2.styleapp.info

dns

6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe

62 B
141 B
1
1

DNS Request

c2.styleapp.info
8.8.8.8:53

c1.stylefun.info

dns

6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe

62 B
141 B
1
1

DNS Request

c1.stylefun.info
8.8.8.8:53

c2.styleapp.info

dns

6db8994a83baf5e3c968b2433e06ea02a3d999c70c095040b1ad887c67194b6b.exe

62 B
141 B
1
1

DNS Request

c2.styleapp.info
8.8.8.8:53

151.122.125.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

151.122.125.40.in-addr.arpa
8.8.8.8:53

14.110.152.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

14.110.152.52.in-addr.arpa
8.8.8.8:53

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa

dns

118 B
204 B
1
1

DNS Request

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TsuD93B45BB.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8E83363F-7800-4D0B-AFE0-3022556014C9}\Custom.dll

Filesize
73KB

MD5
1713b561bb7c2f3a9b699322beef883e

SHA1
da6f6c7ad03afb8bf5641388ff65eb5c89aa75cf

SHA256
f540f8a893afbb753a4c034587e3840b01ffa791930a9c3d6ea25d6700c3e688

SHA512
c13216bf04f47579e48c4b9be488f1fc68452402eb925ebd55603f61638738b9ccaadfe7d8d9843415cc252ceaee75b2d7ded8766316a9d1f4290860978b9023

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8E83363F-7800-4D0B-AFE0-3022556014C9}\_Setup.dll

Filesize
166KB

MD5
bce2e58dbea7c20d5f71bc6b82f4343e

SHA1
41a14ecccc1175ed755e4e44f7bc89ed3a946a05

SHA256
f61285c41cf9396e9ce6bf38b29bfa3539c12c729582625636344e518252e4cb

SHA512
6ec4b531be8869443887a6289bad27ff483330d576bc7a18b29675dd26f2dba7b4cf513322dc6db240ee50c540abf69fb80f380e4bd64c8f839539d93ac346af

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.