a79252587cc7d3a0dde75735000c2200a2057395e292912e0f689e8369f0609b

Analysis

max time kernel
46s
max time network
56s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/09/2022, 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

446efa2611501cb42a0404eb8488cae2.exe
Size

326KB
MD5

446efa2611501cb42a0404eb8488cae2
SHA1

0b38ff543bb4d80ce6fefa10593cbd76169b0a0f
SHA256

a79252587cc7d3a0dde75735000c2200a2057395e292912e0f689e8369f0609b
SHA512

108388f6c143e81baae990ec748ea4188b28e970135d82edec92d11774d8c917135d858944124ded75585c60748dda578ff12b91237c7cfed65c570a75e43628
SSDEEP

6144:ur4o9uEo2S1YnQmCX492DkwNP3qpYFgiZ3ECVUvVvtfBwUvqTRHVeHpBq:ur4Au6/eIo4i0CuvVvZBSTRH0H+

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1680	446efa2611501cb42a0404eb8488cae2.exe
1680	446efa2611501cb42a0404eb8488cae2.exe
1680	446efa2611501cb42a0404eb8488cae2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	446efa2611501cb42a0404eb8488cae2.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	446efa2611501cb42a0404eb8488cae2.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1680	446efa2611501cb42a0404eb8488cae2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1236	1680	446efa2611501cb42a0404eb8488cae2.exe	30
PID 1680 wrote to memory of 1236	1680	446efa2611501cb42a0404eb8488cae2.exe	30
PID 1680 wrote to memory of 1236	1680	446efa2611501cb42a0404eb8488cae2.exe	30
PID 1680 wrote to memory of 1236	1680	446efa2611501cb42a0404eb8488cae2.exe	30

C:\Users\Admin\AppData\Local\Temp\446efa2611501cb42a0404eb8488cae2.exe
"C:\Users\Admin\AppData\Local\Temp\446efa2611501cb42a0404eb8488cae2.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin2CA4.bat"
  2⤵
  PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\155539D3\cfg\1.ini

Filesize
5KB

MD5
d5c4217b2273c7809b926eb2a9cd482d

SHA1
3bfd884174217f0a2211021c4f332a3ae38c0462

SHA256
6538fdc07e007f83b8e9cbe0cd574dfb27e76985b454895c7defc176956d6900

SHA512
38ca38d114dcc07a3dccbc81c499714dad17ee52fa81e5e72abca203de2ccbbb2bb9ec6c4489b4ddb67a1e664f192a0284e8c0dbc8930b0a0a279353f3a99396

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin2CA4.bat

Filesize
50B

MD5
ebe8e860f15d4f36f78f6f2afcbfb360

SHA1
eaf5c5c33329087fd1edefdc1c099e14cf55680c

SHA256
0cd706b6b9d4723d71650945179a0f28cae959f68cb2341d393f14c244207d40

SHA512
3f44cf308d70bd68a4ea9035e97923ee939f24c1c30434ad3697723b8bc8fdfa56e05c17c558bd90d1c57801c171065d25cb85bbbd611b5431c7b94d5f31078d

Download Submit
\Users\Admin\AppData\Local\Temp\TsuAB01D6F0.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
\Users\Admin\AppData\Local\Temp\{6C4B7A51-D694-4EEB-AC00-9EB6B7A858A7}\Custom.dll

Filesize
91KB

MD5
3c266122a143ea315c18f66885b70874

SHA1
33a6da84382fcace27e302a364499362344e9dd5

SHA256
f9c7555e17e8b3df8bcde0fb439a0e5c9d59f9195260b9a7218c844e4bfe6d19

SHA512
f0066b8c6f0e501fec3eb8aac01aec032f5545be33b2c1c36b7f6b95c4f7095e64b5b3782cc39ed183af7ba549a26a17a1c4ec65cbcd0811fc94fdcd94246f73

Download Submit
\Users\Admin\AppData\Local\Temp\{6C4B7A51-D694-4EEB-AC00-9EB6B7A858A7}\_Setup.dll

Filesize
179KB

MD5
35b1d5b099a7bccc1b38e0ca0ef5c47a

SHA1
3667c7290097cec828bd8e45c14a36b853c61ad2

SHA256
e03a8c9448bd7416f8fd2a5c306708e29972e4c0d6751d5c1dda68d7d0d2550b

SHA512
9c64d17cc6cf361422d2b2f6a9306138e51b9e1b71a6475cc06a67300e9897ee1d03cb6120f966a168003a54f64a0562aa8fd3566e0e66f01906cb31d7297a0f

Download Submit
memory/1680-55-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download