f8ebf05e54bde692562905cc8a127712942bd5c4ec5e547e027dd92d72b3cca6

Analysis

max time kernel
40s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8ebf05e54bde692562905cc8a127712942bd5c4ec5e547e027dd92d72b3cca6.exe
Size

315KB
MD5

3bb1de9231d020e3d350d9463b3a15a0
SHA1

251ec12031e4e164d2c27b7c0dcaf0121bfb1493
SHA256

f8ebf05e54bde692562905cc8a127712942bd5c4ec5e547e027dd92d72b3cca6
SHA512

92bebf58c2ae61865f4f666dcdcfc568ae267a86b098fdf712a385dc5c2524601fdcd8eb9188128cbfa7b8bd445da3b14947cc670c2c0b00cc0156b7048db9be
SSDEEP

6144:jr3bUzkuvcBYC47l2xiFjox21H9mbWnqnHB/Jc9BItkszgx4ygDu:jrckuveY3fFj4ThVkszC4yn

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1348	f8ebf05e54bde692562905cc8a127712942bd5c4ec5e547e027dd92d72b3cca6.exe
1348	f8ebf05e54bde692562905cc8a127712942bd5c4ec5e547e027dd92d72b3cca6.exe
1348	f8ebf05e54bde692562905cc8a127712942bd5c4ec5e547e027dd92d72b3cca6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	f8ebf05e54bde692562905cc8a127712942bd5c4ec5e547e027dd92d72b3cca6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	f8ebf05e54bde692562905cc8a127712942bd5c4ec5e547e027dd92d72b3cca6.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1348	f8ebf05e54bde692562905cc8a127712942bd5c4ec5e547e027dd92d72b3cca6.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1500	1348	f8ebf05e54bde692562905cc8a127712942bd5c4ec5e547e027dd92d72b3cca6.exe	29
PID 1348 wrote to memory of 1500	1348	f8ebf05e54bde692562905cc8a127712942bd5c4ec5e547e027dd92d72b3cca6.exe	29
PID 1348 wrote to memory of 1500	1348	f8ebf05e54bde692562905cc8a127712942bd5c4ec5e547e027dd92d72b3cca6.exe	29
PID 1348 wrote to memory of 1500	1348	f8ebf05e54bde692562905cc8a127712942bd5c4ec5e547e027dd92d72b3cca6.exe	29

C:\Users\Admin\AppData\Local\Temp\f8ebf05e54bde692562905cc8a127712942bd5c4ec5e547e027dd92d72b3cca6.exe
"C:\Users\Admin\AppData\Local\Temp\f8ebf05e54bde692562905cc8a127712942bd5c4ec5e547e027dd92d72b3cca6.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin1E16.bat"
  2⤵
  PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\0A47ABEC\cfg\1.ini

Filesize
1KB

MD5
d50de4febe16a720fba835e5cdd5cdc2

SHA1
572c7d45bfea335b80ff3c042051d0c8663cb8a4

SHA256
44db763464e125dbabe34b0d60b3a2535c1544598ad77e29c9bfc5c594697a1b

SHA512
1f0681861bfd9c919905d1ba7e92e6f19d921fd9f0f6f04bc9a8263e6a6835de8ee56d6461e4a6e53f76481d16cc3ba20eecf1a92b63465e9e59479371d84ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin1E16.bat

Filesize
50B

MD5
9a5819ead68a9ffa90b0790da8178025

SHA1
975fe0af37f9c312c8fc9ad112fd43f0acc91535

SHA256
b0d451371c54c444c0d7a68c2fe7a70b9e86a34c6e593acd6a2e48057470ee65

SHA512
746d9c8f4047d0dfcd74ef5d408714f703d7c4a98742185e6d41db258012aac4bf0b6f7e1444ac6bfc6f167274bc68b2203f448b645451dcabcc2fc5f8f6be92

Download Submit
\Users\Admin\AppData\Local\Temp\Tsu2A4B8BF4.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
\Users\Admin\AppData\Local\Temp\{428F6D60-2207-4C49-AEA2-6A25996C4F96}\Custom.dll

Filesize
91KB

MD5
c28c3116543d19ffee5966b48581b7ed

SHA1
22b079cbdf1296ca1bc94f01dde55ea5564b1023

SHA256
d4ca435fbb22d5df35a1cc01fee202e9c74fa57f63de8d9b7bf332aa32234bbd

SHA512
f49da550af68e6c1862e7876ea87227f1aa80c4cd6b3072167355fba70ba35a5cf9bc56adbd21dc67fa9fcca36fe732f7689006463b82931722996accdc796aa

Download Submit
\Users\Admin\AppData\Local\Temp\{428F6D60-2207-4C49-AEA2-6A25996C4F96}\_Setup.dll

Filesize
173KB

MD5
aef1a3ee471bad9c1afdd55d8393022a

SHA1
4ecb4e71e29e61ce49fe4a473a536bb83f692343

SHA256
14a536918883f8f84d5fdb44ba52c947d0a52f7f56230c5760dc1af1ce141297

SHA512
967882acad88612dd1a7109a360100d6d631761034d0241e01cb2e454bee7a4f149e75b4240dc284a9e0c155cf16c9849ab0157016199ddce026647f15a23835

Download Submit
memory/1348-55-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download