50b5025d1f9b419a0e2c083126e203ffbc0315e0aa9499d5a331b5753d2847e2

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0952200ea6a999ccc119dfe234eb01a7.exe
Size

313KB
MD5

0952200ea6a999ccc119dfe234eb01a7
SHA1

c9678e9968cfe7e348eff72f4c69e2952df5d765
SHA256

50b5025d1f9b419a0e2c083126e203ffbc0315e0aa9499d5a331b5753d2847e2
SHA512

df272095498b915c4cbf76ce4ba94740d859b6ff747a8aceb84dd7dc6f7b416a1e38b99bd1ce046fbc16b090e696761eb4087f7ff98410379d9e5a563a7be784
SSDEEP

6144:HrV+6Y0JQBkQRl7174NpNUM+UHs+RGIZZCunCNROUawjhDMJwD07:HrV+63yRl1uqM+gs+bLC8CNMUaohDMJ9

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2928	0952200ea6a999ccc119dfe234eb01a7.exe
2928	0952200ea6a999ccc119dfe234eb01a7.exe
2928	0952200ea6a999ccc119dfe234eb01a7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0952200ea6a999ccc119dfe234eb01a7.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	0952200ea6a999ccc119dfe234eb01a7.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2928	0952200ea6a999ccc119dfe234eb01a7.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2928	0952200ea6a999ccc119dfe234eb01a7.exe

C:\Users\Admin\AppData\Local\Temp\0952200ea6a999ccc119dfe234eb01a7.exe
"C:\Users\Admin\AppData\Local\Temp\0952200ea6a999ccc119dfe234eb01a7.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\TsuDE2F9384.dll

Filesize
9KB

MD5
ded6dfe906e46a08dab6267357162ad8

SHA1
c795a2b35e30e8bad9d4889d8570b2e326e7425c

SHA256
ac91cd5690f396db70f8eb75a88340b34ad4e41f3f229bacaf2e78a5136f17c2

SHA512
56df0f2bf22752a5a5a5d36288f435ae59690bdf559264d36efb9f3e33a349783eda041b0c30d5bae36f1e64417f23a6228558c494322104a22f35615fa0fcd1

Download Submit
\Users\Admin\AppData\Local\Temp\{E6FD9F7A-59DC-449F-A674-11FE3D1EBD8C}\Custom.dll

Filesize
43KB

MD5
25a0c67e1f656aa8b96f7c0567c5a2ef

SHA1
b5c1a17b211022746619c18f13e4df26854b9aca

SHA256
344ed8ec9f73bc64c60bc0d131a22822005cf1eeb137551b41a5fea0234ff3b6

SHA512
1298ca4c4f9ae909744444bd263477609ace6dddf7e3d3d43915ab2400aba774a1eb31a9cfac5998c0e7bfb2a161381c99eb1b6dd0dfdbdd314c9e1ca894386d

Download Submit
\Users\Admin\AppData\Local\Temp\{E6FD9F7A-59DC-449F-A674-11FE3D1EBD8C}\_Setup.dll

Filesize
22KB

MD5
b6caf356e2316481b9d06d3d59d484c1

SHA1
a28da0d1ca446e1f0d5db33adc36e0fc7fa1fa1a

SHA256
849add9c8f22554cd1724762536602b323aa8c866c284b55b11a372ed7c90a5b

SHA512
bbf98540f42cf35c6b0780dd36f9efe5269274092397daa6cc4312c1ce083c22142244f190f5bffb0d19d402a4af7effbe3a51f27d68b485f5800c986d2377e9

Download Submit