bcbe2f8ab2e6a8b7f692ed687c37de0c826696cb5673729f6ca75a3f91eb579b

Resubmissions

13/01/2023, 03:47

230113-eb63vshf9t 8

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2023, 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

L4150_Lite_LA.exe
Size

13.2MB
MD5

58d4ce0a1db6b881c2a9d37da8bc7a5b
SHA1

bac1a43872f9a792ba845506116df000d79fb5d4
SHA256

bcbe2f8ab2e6a8b7f692ed687c37de0c826696cb5673729f6ca75a3f91eb579b
SHA512

0628707d48f60caeab5746805a89299267d2c3e2cbed56260e2e13d2d2251a45b37702d428e26153dc1fbde96b936e9f631247cadac20aaa5ce071fe5e3e4416
SSDEEP

393216:1kOLJYPAb/EMm4LaTnhnMUeeHInjQzjZTw10DcPjQ7dlc3STyT6h9EJ:24Fm6aLhMqInjSjJw1ecPqlcQyTK9E

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1196	L4150_Lite_LA.tmp
3324	Setup.exe
1460	Splash.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Setup.exe

Loads dropped DLL 2 IoCs

pid	Process
3324	Setup.exe
3324	Setup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\EpsonCDInstaller.INI	Setup.exe
File opened for modification	C:\Windows\EpsonCDInstaller.ini	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1196	L4150_Lite_LA.tmp
1196	L4150_Lite_LA.tmp
3324	Setup.exe
3324	Setup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1196	L4150_Lite_LA.tmp

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3324	Setup.exe
3324	Setup.exe
1460	Splash.exe
1460	Splash.exe
3324	Setup.exe
3324	Setup.exe
3324	Setup.exe
3324	Setup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 1196	3464	L4150_Lite_LA.exe	79
PID 3464 wrote to memory of 1196	3464	L4150_Lite_LA.exe	79
PID 3464 wrote to memory of 1196	3464	L4150_Lite_LA.exe	79
PID 1196 wrote to memory of 3324	1196	L4150_Lite_LA.tmp	82
PID 1196 wrote to memory of 3324	1196	L4150_Lite_LA.tmp	82
PID 1196 wrote to memory of 3324	1196	L4150_Lite_LA.tmp	82
PID 3324 wrote to memory of 1460	3324	Setup.exe	84
PID 3324 wrote to memory of 1460	3324	Setup.exe	84
PID 3324 wrote to memory of 1460	3324	Setup.exe	84

C:\Users\Admin\AppData\Local\Temp\L4150_Lite_LA.exe
"C:\Users\Admin\AppData\Local\Temp\L4150_Lite_LA.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Users\Admin\AppData\Local\Temp\is-C0C90.tmp\L4150_Lite_LA.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-C0C90.tmp\L4150_Lite_LA.tmp" /SL5="$8005E,13481749,348160,C:\Users\Admin\AppData\Local\Temp\L4150_Lite_LA.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Users\Admin\AppData\Local\Temp\L4150\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\L4150\Setup.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3324
  - - C:\Users\Admin\AppData\Local\Temp\L4150\res\Splash.exe
      "C:\Users\Admin\AppData\Local\Temp\L4150\res\Splash.exe" 5000
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\L4150\Network\EpsonNetSetup\ENSF.DLL

Filesize
379KB

MD5
fe166f5c21fabcd26d31cc18075c2cfc

SHA1
20b755e6832b869b6cf44587c24b214c5e4731b2

SHA256
4be62db859fd60655d77bfcfd0af51dc4192fcfd01abe841af983781194f8816

SHA512
4854b6e674a70e9ca80c2f3c51b29681dc29b766645bf0594e875aaaabc8b4e5a7a7dfae427580608aec0093b8218fda70969731755b9fbb718ee44303775b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\L4150\Network\EpsonNetSetup\ENSF.dll

Filesize
379KB

MD5
fe166f5c21fabcd26d31cc18075c2cfc

SHA1
20b755e6832b869b6cf44587c24b214c5e4731b2

SHA256
4be62db859fd60655d77bfcfd0af51dc4192fcfd01abe841af983781194f8816

SHA512
4854b6e674a70e9ca80c2f3c51b29681dc29b766645bf0594e875aaaabc8b4e5a7a7dfae427580608aec0093b8218fda70969731755b9fbb718ee44303775b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\L4150\Setup.exe

Filesize
864KB

MD5
04e5cc5a15a79b210beaf7be15d0b2a8

SHA1
c6fc0b18bf49536e3506668f1c32b91577fa1539

SHA256
a9717b283617c6e28b8ea7bb2aa712932b526af356beca2cb3a9bb419d37fe4b

SHA512
2e298d76a8e5950218005303aa7850f1f17bcd84f0eea9cbbfc2d782e0af27710eb1fef962be7ecca31188f955c658bf57b54127896bcfd3bae33383b46d8bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\L4150\Setup.exe

Filesize
864KB

MD5
04e5cc5a15a79b210beaf7be15d0b2a8

SHA1
c6fc0b18bf49536e3506668f1c32b91577fa1539

SHA256
a9717b283617c6e28b8ea7bb2aa712932b526af356beca2cb3a9bb419d37fe4b

SHA512
2e298d76a8e5950218005303aa7850f1f17bcd84f0eea9cbbfc2d782e0af27710eb1fef962be7ecca31188f955c658bf57b54127896bcfd3bae33383b46d8bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\L4150\res\EPSoftware.dll

Filesize
281KB

MD5
ea35f8089b57823ca6ab59bb1c4dc65f

SHA1
8e82331732426b8d81db4284bb31146d0990ba50

SHA256
bd56de634c591242a56210e9fe1c3cac2a4d98314dda8d8c3e6e723e47d2634a

SHA512
e6bfc5f0a8b49919ca6cb2643a4119937eb96493a6010d181b90182d0e9f142351f31787ddebda21491c5d98a3175a625fa258c83bf38b969ccb0b6898791acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\L4150\res\EPSoftware.dll

Filesize
281KB

MD5
ea35f8089b57823ca6ab59bb1c4dc65f

SHA1
8e82331732426b8d81db4284bb31146d0990ba50

SHA256
bd56de634c591242a56210e9fe1c3cac2a4d98314dda8d8c3e6e723e47d2634a

SHA512
e6bfc5f0a8b49919ca6cb2643a4119937eb96493a6010d181b90182d0e9f142351f31787ddebda21491c5d98a3175a625fa258c83bf38b969ccb0b6898791acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\L4150\res\English\language.ini

Filesize
6KB

MD5
2007c172fb741bb0c26ab36ac9bc4749

SHA1
f3eafc981bc9e79ddfda4165c53678d3f9fb8296

SHA256
b543475b1960fd1b1ca47f505d32f31bb61d764ef735762e2a03776e57dcbc67

SHA512
0548af2c017538de9987a2f33a592af820fdc80b0dca4bf9e0523ee9823a45a09bd4d0e464eb06d5ff2ba8940cc3c8511e157eb27151fc3bfbf019fb392850ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\L4150\res\English\uistrings.ini

Filesize
10KB

MD5
b14cfad67c39a04c3435ccf98ad3c95b

SHA1
6d6fbb9a27828f553bf2dc1aa73f27812d668fd7

SHA256
bb5e9d14f05cb7bc6975f48b616ac2ffb0910cb00f697a5b060a35513d06617b

SHA512
f8a2bd174bf06b5958a0d07d86fa8d5e03d0e1ef9d6b47dd804969d4debabfee4ad0bbf3e851b9377ca084354639a9ff916d30bc504f1de98abb1f9310384ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\L4150\res\Spanish\language.ini

Filesize
6KB

MD5
15d14a9c7b78e8e9f073799a8ef7f946

SHA1
39ec22f926e6f1599b58acc8b7a282b7584c1a0d

SHA256
4d8d2fca1d456dee4a5329c4a291d19beccbd6913813e68c9dd07e2229251ffe

SHA512
b8dd4685bfcfcfa47fb61cd17edcfbb1da641718a9c1729ce9bde96999a3b362307eb9aca4c47f1eb9cd7579c265f3403c10536e61e52fb999397b1ccd59e634

Download Submit
C:\Users\Admin\AppData\Local\Temp\L4150\res\Splash.exe

Filesize
2.6MB

MD5
59472313e464e19320f2aafdb541ba62

SHA1
a54108d5e7d68c5bd16d95a3c4bde6ec47466a94

SHA256
51033cc3311dda2c154da72dc5f7bebc8f1168d51f07fec4eb833d43fd74f4a4

SHA512
8e5ca315ba3eef94adb21c566c5d64cc00e62b8d9ee61bfcd91e7bc676f23759bea0d3d257e95770018e6c2b69f25e8e0e8d1c67f204eda525cfcf9f4ed53375

Download Submit
C:\Users\Admin\AppData\Local\Temp\L4150\res\Splash.exe

Filesize
2.6MB

MD5
59472313e464e19320f2aafdb541ba62

SHA1
a54108d5e7d68c5bd16d95a3c4bde6ec47466a94

SHA256
51033cc3311dda2c154da72dc5f7bebc8f1168d51f07fec4eb833d43fd74f4a4

SHA512
8e5ca315ba3eef94adb21c566c5d64cc00e62b8d9ee61bfcd91e7bc676f23759bea0d3d257e95770018e6c2b69f25e8e0e8d1c67f204eda525cfcf9f4ed53375

Download Submit
C:\Users\Admin\AppData\Local\Temp\L4150\res\defaultBackground.png

Filesize
62KB

MD5
060e7a6829d04e59741e23a24b7ec65d

SHA1
15bc563c50bbcdef404132a4a876bb8b71f51cd9

SHA256
a57c44f0c852ef55ae681a69d596b9d417a3477f43c46f2a070cab81d8e05a78

SHA512
94c5f0a059504b81b9013137d1ef6eec617830369a0d8f4aad91b5c7377011c9f8044a586bec2fa79fe98cd7cb1dca4214b9fce53c6b9efd4f64e96a3f7cc87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\L4150\res\epson.ini

Filesize
768B

MD5
21ec04ed757c58c61dd19a5dbf8ba3ef

SHA1
e7a3489b7b8e6edcc8524d1b87ea2d63dfc73db9

SHA256
093b5b9de6410b2b3165a82f1457dfdcbb40d9b7ea2b20e96b7a6ac813b88ef6

SHA512
964eed446469d211ebe2eff1c95a1d69be297db88fe48cd8f2d8cda860977038a7ba38c42e71afa441fc395287482340074acf4e24692def04977f84805a79be

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C0C90.tmp\L4150_Lite_LA.tmp

Filesize
992KB

MD5
a6fc596624b3567cbfbf2aad85dd8b2f

SHA1
51c3e982a72a51b00f8634b267bd19935dc2ee0f

SHA256
d2560f86b3f8a616f30255a1216ab66b66bbe09f8f56fe8f1215eeff45c8f617

SHA512
43a6bf8abd803ab802cfccc8ffaba42d33f8a4e95885ac1289f84224699930e03ffcd62083b00c323ad06a08a11e30e0e9ce751f4e0fba4d05430dac28801eb0

Download Submit
memory/3464-132-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3464-136-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download