ec5e76fc15c50ca01076bf4f22ce1de6ba1d670dedfdcc4142cdeda1d0da0899

Analysis

max time kernel
141s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2023, 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LadaCuScule-6.113-amd64.exe
Size

1.8MB
MD5

c1d090b29c5550d995f4eff4c3599a5d
SHA1

45a4102e3fc0ed02dd9865928680c214e3a27d37
SHA256

ec5e76fc15c50ca01076bf4f22ce1de6ba1d670dedfdcc4142cdeda1d0da0899
SHA512

b5e218219a4953ee958a85ab7db76d298dd29bd069cc23d0b211297495d9babd85346630d7ff00707a02ef0ca5fc75d82d99a97a19694ab1e7d08034ddc6c1c7
SSDEEP

49152:W8fDQwdhJtWAcDi9148d0FB6d4YUvtsfco1C:QOvtWAc2z47Fod4Z2fX1C

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3048	ns7670.tmp

Loads dropped DLL 7 IoCs

pid	Process
3772	LadaCuScule-6.113-amd64.exe
3772	LadaCuScule-6.113-amd64.exe
3772	LadaCuScule-6.113-amd64.exe
3772	LadaCuScule-6.113-amd64.exe
3772	LadaCuScule-6.113-amd64.exe
3772	LadaCuScule-6.113-amd64.exe
3772	LadaCuScule-6.113-amd64.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	LadaCuScule-6.113-amd64.exe
File opened for modification	C:\Windows\System32\GroupPolicy	LadaCuScule-6.113-amd64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 4408	3772	LadaCuScule-6.113-amd64.exe	86
PID 3772 wrote to memory of 4408	3772	LadaCuScule-6.113-amd64.exe	86
PID 3772 wrote to memory of 3048	3772	LadaCuScule-6.113-amd64.exe	88
PID 3772 wrote to memory of 3048	3772	LadaCuScule-6.113-amd64.exe	88
PID 3048 wrote to memory of 4796	3048	ns7670.tmp	90
PID 3048 wrote to memory of 4796	3048	ns7670.tmp	90
PID 3772 wrote to memory of 3852	3772	LadaCuScule-6.113-amd64.exe	91
PID 3772 wrote to memory of 3852	3772	LadaCuScule-6.113-amd64.exe	91
PID 3772 wrote to memory of 4500	3772	LadaCuScule-6.113-amd64.exe	93
PID 3772 wrote to memory of 4500	3772	LadaCuScule-6.113-amd64.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\LadaCuScule-6.113-amd64.exe
"C:\Users\Admin\AppData\Local\Temp\LadaCuScule-6.113-amd64.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Windows\SYSTEM32\cscript.exe
  cscript.exe "C:\Users\Admin\AppData\Local\Temp\nst6C4D.tmp\icf.vbs" get
  2⤵
  PID:4408
- C:\Users\Admin\AppData\Local\Temp\nst6C4D.tmp\ns7670.tmp
  "C:\Users\Admin\AppData\Local\Temp\nst6C4D.tmp\ns7670.tmp" SchTasks.exe /query /TN "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /NH /HRESULT
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SYSTEM32\SchTasks.exe
    SchTasks.exe /query /TN "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /NH /HRESULT
    3⤵
    PID:4796
- C:\Windows\SYSTEM32\certutil.exe
  certutil.exe -verifystore Root 008144d712922d4f29168a16fef21c66576317df
  2⤵
  PID:3852
- C:\Windows\SYSTEM32\certutil.exe
  certutil.exe -verifystore Root 6393703c54b4b780af37ea6fa9b40723ff014c76
  2⤵
  PID:4500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LadaCuScule\LadaCuScule2.ini

Filesize
11KB

MD5
9b949a75a6653b40ba33f1e256c1d1dd

SHA1
33dd8be79632e1de9dd1552f3377301efe5a3ccf

SHA256
3cba70ded615758f626fbfdd22041dc8c8641b9732808a7249d525c8a615738d

SHA512
29279c0219997ce536e91adc35e28c4582a4c29a7c4d120949057bd66ad209f1dc585fc286f9bf863831a730258fdb10a86d195b276635f3618a51c7be55aafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst6C4D.tmp\ExecDos.dll

Filesize
10KB

MD5
cd666abb7369f040296a3c15307ea22d

SHA1
e4fc79975a1c22e982bd87d00d06eda61733ebd0

SHA256
7ca0219fcde222519adaaca31d804582c4fca0df58f0ec6395456a5b2c5769b1

SHA512
aa02fc4210275cf9438882e617ad5d3bdedfe665ca43600e6f1c6467ee338a578539d0a9fd7ebd350f30d94845bcf681bf7bbeec5e7e65bb394cbe57afff7a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst6C4D.tmp\ExecDos.dll

Filesize
10KB

MD5
cd666abb7369f040296a3c15307ea22d

SHA1
e4fc79975a1c22e982bd87d00d06eda61733ebd0

SHA256
7ca0219fcde222519adaaca31d804582c4fca0df58f0ec6395456a5b2c5769b1

SHA512
aa02fc4210275cf9438882e617ad5d3bdedfe665ca43600e6f1c6467ee338a578539d0a9fd7ebd350f30d94845bcf681bf7bbeec5e7e65bb394cbe57afff7a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst6C4D.tmp\ExecDos.dll

Filesize
10KB

MD5
cd666abb7369f040296a3c15307ea22d

SHA1
e4fc79975a1c22e982bd87d00d06eda61733ebd0

SHA256
7ca0219fcde222519adaaca31d804582c4fca0df58f0ec6395456a5b2c5769b1

SHA512
aa02fc4210275cf9438882e617ad5d3bdedfe665ca43600e6f1c6467ee338a578539d0a9fd7ebd350f30d94845bcf681bf7bbeec5e7e65bb394cbe57afff7a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst6C4D.tmp\ExecDos.dll

Filesize
10KB

MD5
cd666abb7369f040296a3c15307ea22d

SHA1
e4fc79975a1c22e982bd87d00d06eda61733ebd0

SHA256
7ca0219fcde222519adaaca31d804582c4fca0df58f0ec6395456a5b2c5769b1

SHA512
aa02fc4210275cf9438882e617ad5d3bdedfe665ca43600e6f1c6467ee338a578539d0a9fd7ebd350f30d94845bcf681bf7bbeec5e7e65bb394cbe57afff7a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst6C4D.tmp\NScurl.dll

Filesize
3.9MB

MD5
ebdff0a35f71bea6464584536384f328

SHA1
0cb1ed91a290183d17ef405e38828edfc47c0922

SHA256
0161a430c6f7eb30725512cab0a3c0f8cc605bfae1a13eac515d6d2d96e9c342

SHA512
595d7130534792c307b5f94acb049384f6a1d923016bfaa2615c5edd6dadfea06596192c9336adfc691f2c9600db3e2333b2d0dbfac1f9d3e6d9240e22bfd444

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst6C4D.tmp\NSutils.dll

Filesize
48KB

MD5
60b75af545e16500ca0f18aa1ad50193

SHA1
54eef3cb4f818e281b23888ca9a4c45d2688e5f4

SHA256
5dfbc25d61c7e8e2747fde3d79f4361fc51d366b3d23ba97ca19702c4815e494

SHA512
fae5da2aca2a41d463bcf8e13d407ff14c690eb74a4b3ea6c0c15604fda8a15f3a24497c51feeec5433c1b3ff5d3217fd9e23380ed3eaf7953b56a96ce0750ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst6C4D.tmp\System.dll

Filesize
24KB

MD5
6833add83e5dd26ac5a8e2a91b69498f

SHA1
b5bc81ab25c65c927ea1dbab3562376ac0700283

SHA256
8c17f0f43e73a834ec37d696b442b9b18723f42f5d5156d97fab05280de3b917

SHA512
8b84417d14507a81fad781714a06518f81749f34478e5f18d27a6fa74918ad83d78dc0cd2e0cb80d437d4fea2e04f782ae014251a2dc54e6c4032e1a9dc6e22a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst6C4D.tmp\icf.vbs

Filesize
3KB

MD5
7c76270a153792ab06f8b43356f96e11

SHA1
ae6e6eac704b6b589d184257d305de74a1002bb3

SHA256
111fb9971a3efea1bc69223adb1e80970ea921a89bd3ad52cd682e0b9561e31d

SHA512
29a091a39e59090f48df60d829659c1d29d5cad1f696930499513b1aa5e0047bd6dcc4d65e2dd3c69250f517fdc6d9b6273ec585a9048db402f11396f1776e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst6C4D.tmp\ns7670.tmp

Filesize
10KB

MD5
4df69394331d88c7b88922297e3b4538

SHA1
6e55851decf06f4e1d567aa516d023987809f819

SHA256
916e75fdb0e0e22fb260167f6a98cf60fb6e475833af2871114e35bad548eaf2

SHA512
dbd66e947efddc21fbe60ccd6be9e8d0f813d90fde1734c83ddfaeeeb3307e10d2c0ffea059f8d5bb2410d42ec4e12a41e8c113f75b1f18dfa71ecf84aa74165

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst6C4D.tmp\ns7670.tmp

Filesize
10KB

MD5
4df69394331d88c7b88922297e3b4538

SHA1
6e55851decf06f4e1d567aa516d023987809f819

SHA256
916e75fdb0e0e22fb260167f6a98cf60fb6e475833af2871114e35bad548eaf2

SHA512
dbd66e947efddc21fbe60ccd6be9e8d0f813d90fde1734c83ddfaeeeb3307e10d2c0ffea059f8d5bb2410d42ec4e12a41e8c113f75b1f18dfa71ecf84aa74165

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst6C4D.tmp\nsExec.dll

Filesize
10KB

MD5
26f32e0043b780fc5b96cf3ecc904ab6

SHA1
2658456923cc1d677dc0616d9ce26863b19b5bd1

SHA256
e1cc2b5b2fa129dd6cddd39f06f9ee48a3c68d95a37ac7711bd55ff95ab4987a

SHA512
4b157370bcd91179e6a30704d7a29a9131d47dde9c25bff186fe80437b4ba28668fef800296492bda84ee05018c6e0338ac5b90fe6bcecdeac1e43c4b6fae621

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst6C4D.tmp\nsExec.dll

Filesize
10KB

MD5
26f32e0043b780fc5b96cf3ecc904ab6

SHA1
2658456923cc1d677dc0616d9ce26863b19b5bd1

SHA256
e1cc2b5b2fa129dd6cddd39f06f9ee48a3c68d95a37ac7711bd55ff95ab4987a

SHA512
4b157370bcd91179e6a30704d7a29a9131d47dde9c25bff186fe80437b4ba28668fef800296492bda84ee05018c6e0338ac5b90fe6bcecdeac1e43c4b6fae621

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
11B

MD5
ec3584f3db838942ec3669db02dc908e

SHA1
8dceb96874d5c6425ebb81bfee587244c89416da

SHA256
77c7c10b4c860d5ddf4e057e713383e61e9f21bcf0ec4cfbbc16193f2e28f340

SHA512
35253883bb627a49918e7415a6ba6b765c86b516504d03a1f4fd05f80902f352a7a40e2a67a6d1b99a14b9b79dab82f3ac7a67c512ccf6701256c13d0096855e

Download Submit
memory/3048-383-0x0000000001D70000-0x0000000001DA0000-memory.dmp

Filesize
192KB

Download
memory/3048-372-0x0000000000750000-0x00000000007E0000-memory.dmp

Filesize
576KB

Download
memory/3048-375-0x00000000015D0000-0x000000000166E000-memory.dmp

Filesize
632KB

Download
memory/3048-376-0x0000000001670000-0x000000000170B000-memory.dmp

Filesize
620KB

Download
memory/3048-377-0x0000000001710000-0x000000000183A000-memory.dmp

Filesize
1.2MB

Download
memory/3048-378-0x0000000001840000-0x0000000001862000-memory.dmp

Filesize
136KB

Download
memory/3048-379-0x0000000001870000-0x000000000189B000-memory.dmp

Filesize
172KB

Download
memory/3048-380-0x00000000018A0000-0x00000000019AB000-memory.dmp

Filesize
1.0MB

Download
memory/3048-382-0x0000000001C50000-0x0000000001D50000-memory.dmp

Filesize
1024KB

Download
memory/3048-371-0x0000000000EA0000-0x0000000001169000-memory.dmp

Filesize
2.8MB

Download
memory/3048-374-0x0000000001220000-0x00000000013C1000-memory.dmp

Filesize
1.6MB

Download
memory/3048-373-0x0000000001170000-0x000000000121C000-memory.dmp

Filesize
688KB

Download
memory/3048-381-0x0000000001BB0000-0x0000000001C4D000-memory.dmp

Filesize
628KB

Download
memory/3048-369-0x00000000006E0000-0x00000000006EA000-memory.dmp

Filesize
40KB

Download
memory/3048-370-0x0000000000C00000-0x0000000000CBE000-memory.dmp

Filesize
760KB

Download
memory/3772-392-0x0000000140000000-0x0000000140332000-memory.dmp

Filesize
3.2MB

Download
memory/3772-393-0x00007FFB88F50000-0x00007FFB8933B000-memory.dmp

Filesize
3.9MB

Download
memory/3772-394-0x00007FFB99630000-0x00007FFB99645000-memory.dmp

Filesize
84KB

Download
memory/3772-395-0x00007FFB998F0000-0x00007FFB998FF000-memory.dmp

Filesize
60KB

Download
memory/3772-412-0x0000000140000000-0x0000000140332000-memory.dmp

Filesize
3.2MB

Download
memory/3772-416-0x0000000140000000-0x0000000140332000-memory.dmp

Filesize
3.2MB

Download
memory/3772-436-0x0000000140000000-0x0000000140332000-memory.dmp

Filesize
3.2MB

Download