069dddcb7dad8d84b8edb2aa3cfe74a4924fc02c53a3c561a11bfa4bf451711b

Analysis

max time kernel
136s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 18:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0b7e791b7736b0a81b506e0f88be09a3.exe
Size

313KB
MD5

0b7e791b7736b0a81b506e0f88be09a3
SHA1

deae0adc4726483cfe82ddbf340a75cf2b028cb4
SHA256

069dddcb7dad8d84b8edb2aa3cfe74a4924fc02c53a3c561a11bfa4bf451711b
SHA512

1fd20584ba83a56572f92bb58e4e40475daad094a6967e851fd9f3c78400c846e7e926e64be79d20ad48f4262ad3b384e060569436234d29c89ca1be4bc7e6b1
SSDEEP

6144:0rJ9uEo2S1YnQmCX492DkwNP3qpYFkwlWKM23DpJQ+JXUOy1Lr3Dv1A+CiyGdUz4:0rfu6/eIo4XwlWKM231t5UnRr3DdRp5R

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4860	0b7e791b7736b0a81b506e0f88be09a3.exe
4860	0b7e791b7736b0a81b506e0f88be09a3.exe
4860	0b7e791b7736b0a81b506e0f88be09a3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	0b7e791b7736b0a81b506e0f88be09a3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0b7e791b7736b0a81b506e0f88be09a3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4860	0b7e791b7736b0a81b506e0f88be09a3.exe
4860	0b7e791b7736b0a81b506e0f88be09a3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 956	4860	0b7e791b7736b0a81b506e0f88be09a3.exe	96
PID 4860 wrote to memory of 956	4860	0b7e791b7736b0a81b506e0f88be09a3.exe	96
PID 4860 wrote to memory of 956	4860	0b7e791b7736b0a81b506e0f88be09a3.exe	96

C:\Users\Admin\AppData\Local\Temp\0b7e791b7736b0a81b506e0f88be09a3.exe
"C:\Users\Admin\AppData\Local\Temp\0b7e791b7736b0a81b506e0f88be09a3.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin70F1.bat"
  2⤵
  PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\FE8A5453\cfg\1.ini

Filesize
40KB

MD5
f2b28b165747468c88ef4e1df60a6601

SHA1
0515cb22048f232872251630c28b97bcb4f18dda

SHA256
be70bd6ea6c6c0779570a02324dc1fb8847a6202faf35efb9a189ef2f19138c4

SHA512
9b0abea9158437a8c5ff422b5debeaf7600611efc4b845dffb3098884d3a090ecf3449b66b4051a9e1319141096a5542f0b6ba9454960561bff85be0a3f303ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsu1645694C.dll

Filesize
77KB

MD5
83c79b3f4a0f9d40eea12c2189a51593

SHA1
954af97d969b68d8149565adaf3b2c9613c936a1

SHA256
31fee174e305e7f9c01715d14a4dd9c7b9ce0cd88756712a0bcfdedf1acbf362

SHA512
04b031efeb9c174b7c56a7b8348dea05cf8c528eb1894c10112e78164ca9a81dc30e3ba94ed5d6c32d16e7c4e65b07c8a488dbd019c02d404e1e5fdbd4409e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsu1645694C.dll

Filesize
94KB

MD5
05a4675d2b1a235db22a4134706f298a

SHA1
9fcc93beb529e66b3f8a422f6d72e05f5622b419

SHA256
c78f4d025bade6058e830a70372ab1244259e91b0707430fe288ab3ffcb03741

SHA512
c6e8f9df46e0bf4b1cb7bfbab8e65710ae2b755c0b78549692a03fc22f756a10b81eaa7af2f455db91e6b86ab9672b8fdb5d01d9b3853851b1b4c5f9aab956fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin70F1.bat

Filesize
50B

MD5
3e7be24e5f9e45cc15976c81c5df435b

SHA1
ab15ca4ef704d7ba11da9435eb210152129ff37a

SHA256
8cd986a5ac99604162eebb03035b575431c608506132e68beb8fee4c9350a739

SHA512
454b3b06e679b820c9cb1967691196f46c44017b15d073d4e1cabb2ad7a805494b04a483e2cbe5c05057c3f56586287b953464128418a2e79da9d4a6922199b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{756555FB-D08F-4957-ABBC-98ADAE86770D}\Custom.dll

Filesize
91KB

MD5
ff33f0dca8e465e62457a5d57f813834

SHA1
02c225b40081d24495470a20fbd149251e48ee7c

SHA256
23d11ebfa55366f4d35746e2383a1b322720ec326e558b3818529316e630a905

SHA512
7bd0dc479ea4cd27faa8927e4e81e26c76a66163f05b678ebdfba537950c7f871ff29f0b7ff6c4875c1024433fb285bc545357c143231bb3ff24b81d54690368

Download Submit
C:\Users\Admin\AppData\Local\Temp\{756555FB-D08F-4957-ABBC-98ADAE86770D}\Readme.txt

Filesize
2KB

MD5
f5c1f964843429181f815eafd7f9f290

SHA1
c095c90d039a79728ace769c5855ccbcb11197e0

SHA256
c051e38a159863dd711ba6cd4a5ecdd56520dae190c27ea8dab086105e2fbffe

SHA512
6e096826dd1aaf9118da6a0353050f313c660dd78be542a5696a127bfef270171de604e46c3df19206830258cb6a80cfe82b77a272a150f2d59d48a94138d630

Download Submit
C:\Users\Admin\AppData\Local\Temp\{756555FB-D08F-4957-ABBC-98ADAE86770D}\Setup.exe

Filesize
15KB

MD5
e717f6ce3a7429bfa6d7f3cf66737a4b

SHA1
01f4042589b4ed88c351ffeac256be7a9d884818

SHA256
7be720a73ba8b084702c89f64a9b295fad92545d6ba781072cc056823f9a7633

SHA512
65a9a27430811aa01b55cf365f8b7b9f03e70d32ec60e0706242bc568242bcd493999dc1b02d92bf0d01c0095c8c38d30f282a998cafb80e60ad07e0d875ce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\{756555FB-D08F-4957-ABBC-98ADAE86770D}\Setup.ico

Filesize
4KB

MD5
a128ea6883ee5bb3499f9e88ea449a15

SHA1
69e667cac80f6401ad8c50c1d5ca2b9978e31b89

SHA256
ef9efd67ea5e382f6e865cfd6f2c0bd11c2d8434162abcd2f61c2fad5c67e66b

SHA512
e97c711087e82bf20a89b18492adfd868526aea9213a1c84ebc97039e2b03c96827aec611def68e951430e7aa06f2dd0753a6effe42b5e8ef1d6725f41868d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\{756555FB-D08F-4957-ABBC-98ADAE86770D}\_Setup.dll

Filesize
169KB

MD5
d8bbf8e88cf9821dd260f2c41505344a

SHA1
4a527f16683c49f70f613ee2ed7185f164ff8df7

SHA256
cecd634e90c0908eca56369fa102009e35a2bd82617c2cb09bcf17f6b2c45337

SHA512
2c1e4c8c31553183a90fafdc86a2ded69d6c963c1ab5573c5b68b0d67c7e0c41dee2d534283105d04d077a8e229b1cc855cc0e0a5f7a501bc36ddc1806dd9418

Download Submit
C:\Users\Admin\AppData\Local\Temp\{756555FB-D08F-4957-ABBC-98ADAE86770D}\_Setup.dll

Filesize
101KB

MD5
6f6b32a4f0fdbe74e5fa32bbdaf215dd

SHA1
e4f3720b8f80a7144d90c3370f5ae974ac8fb4e1

SHA256
42092f3ce15350f9f7daf16ce354f8f961a355b44fc09f377194c6eb08b5f8b6

SHA512
5969e96788ada17a84215987a804c44f5bd659ac8de82394cac20cf55b33026c497fa0046907a2081e65d64190d1107bfc3b3145629208b4ab551b401a01709c

Download Submit