ec5e76fc15c50ca01076bf4f22ce1de6ba1d670dedfdcc4142cdeda1d0da0899

Analysis

max time kernel
150s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02-06-2023 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LadaCuScule-6.113-amd64.exe
Size

1.8MB
MD5

c1d090b29c5550d995f4eff4c3599a5d
SHA1

45a4102e3fc0ed02dd9865928680c214e3a27d37
SHA256

ec5e76fc15c50ca01076bf4f22ce1de6ba1d670dedfdcc4142cdeda1d0da0899
SHA512

b5e218219a4953ee958a85ab7db76d298dd29bd069cc23d0b211297495d9babd85346630d7ff00707a02ef0ca5fc75d82d99a97a19694ab1e7d08034ddc6c1c7
SSDEEP

49152:W8fDQwdhJtWAcDi9148d0FB6d4YUvtsfco1C:QOvtWAc2z47Fod4Z2fX1C

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
1092	LadaCuScule-6.113-amd64.exe
1092	LadaCuScule-6.113-amd64.exe
1092	LadaCuScule-6.113-amd64.exe
1092	LadaCuScule-6.113-amd64.exe
1092	LadaCuScule-6.113-amd64.exe
1092	LadaCuScule-6.113-amd64.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	LadaCuScule-6.113-amd64.exe
File opened for modification	C:\Windows\System32\GroupPolicy	LadaCuScule-6.113-amd64.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	LadaCuScule-6.113-amd64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1092	LadaCuScule-6.113-amd64.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1524	1092	LadaCuScule-6.113-amd64.exe	28
PID 1092 wrote to memory of 1524	1092	LadaCuScule-6.113-amd64.exe	28
PID 1092 wrote to memory of 1524	1092	LadaCuScule-6.113-amd64.exe	28
PID 1092 wrote to memory of 1912	1092	LadaCuScule-6.113-amd64.exe	30
PID 1092 wrote to memory of 1912	1092	LadaCuScule-6.113-amd64.exe	30
PID 1092 wrote to memory of 1912	1092	LadaCuScule-6.113-amd64.exe	30
PID 1092 wrote to memory of 1128	1092	LadaCuScule-6.113-amd64.exe	32
PID 1092 wrote to memory of 1128	1092	LadaCuScule-6.113-amd64.exe	32
PID 1092 wrote to memory of 1128	1092	LadaCuScule-6.113-amd64.exe	32

C:\Users\Admin\AppData\Local\Temp\LadaCuScule-6.113-amd64.exe
"C:\Users\Admin\AppData\Local\Temp\LadaCuScule-6.113-amd64.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\system32\cscript.exe
  cscript.exe "C:\Users\Admin\AppData\Local\Temp\nsoFF68.tmp\icf.vbs" get
  2⤵
  PID:1524
- C:\Windows\system32\certutil.exe
  certutil.exe -verifystore Root 008144d712922d4f29168a16fef21c66576317df
  2⤵
  PID:1912
- C:\Windows\system32\certutil.exe
  certutil.exe -verifystore Root 6393703c54b4b780af37ea6fa9b40723ff014c76
  2⤵
  PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LadaCuScule\LadaCuScule2.ini

Filesize
11KB

MD5
9b949a75a6653b40ba33f1e256c1d1dd

SHA1
33dd8be79632e1de9dd1552f3377301efe5a3ccf

SHA256
3cba70ded615758f626fbfdd22041dc8c8641b9732808a7249d525c8a615738d

SHA512
29279c0219997ce536e91adc35e28c4582a4c29a7c4d120949057bd66ad209f1dc585fc286f9bf863831a730258fdb10a86d195b276635f3618a51c7be55aafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoFF68.tmp\ExecDos.dll

Filesize
10KB

MD5
cd666abb7369f040296a3c15307ea22d

SHA1
e4fc79975a1c22e982bd87d00d06eda61733ebd0

SHA256
7ca0219fcde222519adaaca31d804582c4fca0df58f0ec6395456a5b2c5769b1

SHA512
aa02fc4210275cf9438882e617ad5d3bdedfe665ca43600e6f1c6467ee338a578539d0a9fd7ebd350f30d94845bcf681bf7bbeec5e7e65bb394cbe57afff7a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoFF68.tmp\icf.vbs

Filesize
3KB

MD5
7c76270a153792ab06f8b43356f96e11

SHA1
ae6e6eac704b6b589d184257d305de74a1002bb3

SHA256
111fb9971a3efea1bc69223adb1e80970ea921a89bd3ad52cd682e0b9561e31d

SHA512
29a091a39e59090f48df60d829659c1d29d5cad1f696930499513b1aa5e0047bd6dcc4d65e2dd3c69250f517fdc6d9b6273ec585a9048db402f11396f1776e4c

Download Submit
\Users\Admin\AppData\Local\Temp\nsoFF68.tmp\ExecDos.dll

Filesize
10KB

MD5
cd666abb7369f040296a3c15307ea22d

SHA1
e4fc79975a1c22e982bd87d00d06eda61733ebd0

SHA256
7ca0219fcde222519adaaca31d804582c4fca0df58f0ec6395456a5b2c5769b1

SHA512
aa02fc4210275cf9438882e617ad5d3bdedfe665ca43600e6f1c6467ee338a578539d0a9fd7ebd350f30d94845bcf681bf7bbeec5e7e65bb394cbe57afff7a8e

Download Submit
\Users\Admin\AppData\Local\Temp\nsoFF68.tmp\ExecDos.dll

Filesize
10KB

MD5
cd666abb7369f040296a3c15307ea22d

SHA1
e4fc79975a1c22e982bd87d00d06eda61733ebd0

SHA256
7ca0219fcde222519adaaca31d804582c4fca0df58f0ec6395456a5b2c5769b1

SHA512
aa02fc4210275cf9438882e617ad5d3bdedfe665ca43600e6f1c6467ee338a578539d0a9fd7ebd350f30d94845bcf681bf7bbeec5e7e65bb394cbe57afff7a8e

Download Submit
\Users\Admin\AppData\Local\Temp\nsoFF68.tmp\ExecDos.dll

Filesize
10KB

MD5
cd666abb7369f040296a3c15307ea22d

SHA1
e4fc79975a1c22e982bd87d00d06eda61733ebd0

SHA256
7ca0219fcde222519adaaca31d804582c4fca0df58f0ec6395456a5b2c5769b1

SHA512
aa02fc4210275cf9438882e617ad5d3bdedfe665ca43600e6f1c6467ee338a578539d0a9fd7ebd350f30d94845bcf681bf7bbeec5e7e65bb394cbe57afff7a8e

Download Submit
\Users\Admin\AppData\Local\Temp\nsoFF68.tmp\NScurl.dll

Filesize
3.9MB

MD5
ebdff0a35f71bea6464584536384f328

SHA1
0cb1ed91a290183d17ef405e38828edfc47c0922

SHA256
0161a430c6f7eb30725512cab0a3c0f8cc605bfae1a13eac515d6d2d96e9c342

SHA512
595d7130534792c307b5f94acb049384f6a1d923016bfaa2615c5edd6dadfea06596192c9336adfc691f2c9600db3e2333b2d0dbfac1f9d3e6d9240e22bfd444

Download Submit
\Users\Admin\AppData\Local\Temp\nsoFF68.tmp\NSutils.dll

Filesize
48KB

MD5
60b75af545e16500ca0f18aa1ad50193

SHA1
54eef3cb4f818e281b23888ca9a4c45d2688e5f4

SHA256
5dfbc25d61c7e8e2747fde3d79f4361fc51d366b3d23ba97ca19702c4815e494

SHA512
fae5da2aca2a41d463bcf8e13d407ff14c690eb74a4b3ea6c0c15604fda8a15f3a24497c51feeec5433c1b3ff5d3217fd9e23380ed3eaf7953b56a96ce0750ba

Download Submit
\Users\Admin\AppData\Local\Temp\nsoFF68.tmp\System.dll

Filesize
24KB

MD5
6833add83e5dd26ac5a8e2a91b69498f

SHA1
b5bc81ab25c65c927ea1dbab3562376ac0700283

SHA256
8c17f0f43e73a834ec37d696b442b9b18723f42f5d5156d97fab05280de3b917

SHA512
8b84417d14507a81fad781714a06518f81749f34478e5f18d27a6fa74918ad83d78dc0cd2e0cb80d437d4fea2e04f782ae014251a2dc54e6c4032e1a9dc6e22a

Download Submit
memory/1092-290-0x0000000140000000-0x0000000140332000-memory.dmp

Filesize
3.2MB

Download
memory/1092-291-0x000007FEF64E0000-0x000007FEF68CB000-memory.dmp

Filesize
3.9MB

Download
memory/1092-293-0x000007FEFBCE0000-0x000007FEFBCEF000-memory.dmp

Filesize
60KB

Download
memory/1092-292-0x000007FEFB190000-0x000007FEFB1A5000-memory.dmp

Filesize
84KB

Download
memory/1092-318-0x0000000140000000-0x0000000140332000-memory.dmp

Filesize
3.2MB

Download
memory/1092-322-0x0000000140000000-0x0000000140332000-memory.dmp

Filesize
3.2MB

Download
memory/1092-326-0x0000000140000000-0x0000000140332000-memory.dmp

Filesize
3.2MB

Download