068a98b0b9ec409759990189eeb2a16fff6a7d76bd145c533d3c566098936b92

Analysis

max time kernel
120s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

110b6df9f45eefba239f4a46b8fed02f.exe
Size

314KB
MD5

110b6df9f45eefba239f4a46b8fed02f
SHA1

a907eb579c830c551160b53a7db25773b87f8ac1
SHA256

068a98b0b9ec409759990189eeb2a16fff6a7d76bd145c533d3c566098936b92
SHA512

9c84102edbb43869da576ccb59c4cd8ccb7cbc27a2e91849b2fd6a46ecbb0fc678b9682f74c8c6e8d2d388e4ce01a6997c26ab449f21a75511a7c061f44846b0
SSDEEP

6144:IrAbUzkuvcBYC47l2xn88NEymFTYO67qzVxzRRwrl:Ir1kuveY35YO67Wxz7wrl

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2224	110b6df9f45eefba239f4a46b8fed02f.exe
2224	110b6df9f45eefba239f4a46b8fed02f.exe
2224	110b6df9f45eefba239f4a46b8fed02f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	110b6df9f45eefba239f4a46b8fed02f.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	110b6df9f45eefba239f4a46b8fed02f.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2224	110b6df9f45eefba239f4a46b8fed02f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2224	110b6df9f45eefba239f4a46b8fed02f.exe

C:\Users\Admin\AppData\Local\Temp\110b6df9f45eefba239f4a46b8fed02f.exe
"C:\Users\Admin\AppData\Local\Temp\110b6df9f45eefba239f4a46b8fed02f.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Tsu3358575D.dll

Filesize
98KB

MD5
5eb12f40ec1263f8538265cb3857548e

SHA1
b88abb5a7dccd4ec307920799f40c6837ba96b86

SHA256
97a52df7e6722c42ebe418a80e9ede92d1f42f087fabecf36ec47daa6e2ff00c

SHA512
3d9dfe34286031e0cfd24115bea91b876206ec7bfbf14747955a98bb536a07388e04fd5b1e9f85364440301726d455852c115f76db2f0852c18a492096ae7221

Download Submit
\Users\Admin\AppData\Local\Temp\{39BE94EE-3C98-425A-A0B1-74BAE25DB618}\Custom.dll

Filesize
91KB

MD5
71ffb31fe40a3f10913982ee89fa764c

SHA1
c17fa19479a7559f666a30d2932a2b9d540bd0ee

SHA256
b0e3f473796f639cab1354971740405bc39a096839ac53b4dfaae2c4acb71599

SHA512
6913a278fa38b9cef7b317ed7eab7773447dbc786d60531455c5cb28d82c677b472f2c50b3b9e1a8a71290757f064c828721633fb5f7bef47897dc740b1567ab

Download Submit
\Users\Admin\AppData\Local\Temp\{39BE94EE-3C98-425A-A0B1-74BAE25DB618}\_Setup.dll

Filesize
170KB

MD5
449e327ad7b62d3a446b1d5c97c76dea

SHA1
834bfc7bef4a08ddf4dfaf0e1a1f424b66456903

SHA256
2d0f7824d781e1372ea5a931dc5aba9a76164adfbf95d0a50a785403bc0a2e2f

SHA512
f99fbd4d5e2084a91fc21a2467a447350b14a61940c30482f67c28877863693c41f9e928a39752e7fecffc8bfba609b887ddaa5bbd70e1fec18483bf1e85e986

Download Submit