12c88bb02450d0a590cdae200351e13acaa400b07595e531a13699eee8dc706b

Analysis

max time kernel
15s
max time network
48s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0697057c61226781aadc5a0f99f57b7c.exe
Size

315KB
MD5

0697057c61226781aadc5a0f99f57b7c
SHA1

b9120b3ede27ecebbb62cca3930fdb7e2345bb89
SHA256

12c88bb02450d0a590cdae200351e13acaa400b07595e531a13699eee8dc706b
SHA512

2743299f9873362efafd306556b8f60fd8c659377f121f173bda8d7ba56ae7ae90ade187a47ecbd0b286b9377a20c95292ae128b8f6e87fa02c4857f14a6276e
SSDEEP

6144:ur2bUzkuvcBYC47l2xib6HwzFyytCr88oDG1GI25i1snqq0Q:ur/kuveY3dGwUECr88oDG1GIS+bq0Q

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2712	0697057c61226781aadc5a0f99f57b7c.exe
2712	0697057c61226781aadc5a0f99f57b7c.exe
2712	0697057c61226781aadc5a0f99f57b7c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0697057c61226781aadc5a0f99f57b7c.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	0697057c61226781aadc5a0f99f57b7c.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2712	0697057c61226781aadc5a0f99f57b7c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 984	2712	0697057c61226781aadc5a0f99f57b7c.exe	32
PID 2712 wrote to memory of 984	2712	0697057c61226781aadc5a0f99f57b7c.exe	32
PID 2712 wrote to memory of 984	2712	0697057c61226781aadc5a0f99f57b7c.exe	32
PID 2712 wrote to memory of 984	2712	0697057c61226781aadc5a0f99f57b7c.exe	32

C:\Users\Admin\AppData\Local\Temp\0697057c61226781aadc5a0f99f57b7c.exe
"C:\Users\Admin\AppData\Local\Temp\0697057c61226781aadc5a0f99f57b7c.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin6711.bat"
  2⤵
  PID:984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\C34AA9EF\cfg\1.ini

Filesize
368B

MD5
3a9830a2f57ef1e602de02bd9cc8eb56

SHA1
5135a0295755e536b833c6c6010900ff99cdbabf

SHA256
8d138bedf3228f7ef9405940526a73f49395fd2917aa22e7d5596297e222da42

SHA512
87ed85acdc1509bb02e437f50e7a90695f66b2a7a996a526f0310ba277de9ce8d7343983e2ae0b5dbedcca832bb90da802d7182972f1b14be0a203cfbd14cc41

Download Submit
C:\ProgramData\InstallMate\{E9584DA0-F79F-47BD-A556-BFBD32BB6F56}\TsuDll.dll

Filesize
140KB

MD5
6a1db455b97568d7a16812723e15ab7c

SHA1
ada9f59e03c38afb9c4c139047ac0d4f78056c3c

SHA256
4c2de53c1846f9f861ada8cecb3245c4bef6fa7c789e92eb638e17f2195a3edb

SHA512
eea571c6715350e920b2b734d6fe3ba894b66f0b4ec3e2519f1dda46327cf5062bb438a6c87433e77ac4375bf15b3ba769f4bb336e28eea2c7432f4589b4b1ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin6711.bat

Filesize
50B

MD5
7225dd3ea9b843eb70074d6fbdce5421

SHA1
79bd33788ea42dc88c2222bb8bce31b86242447d

SHA256
b684a9eb5affd8ad9282d5b5b7a0af12c41642e70a65b12a85e0cb61cf0fccca

SHA512
8b7e07fd4bec32f72e1bf33630ba3a68c85ca8f0d9c81e2902382de5d35a42866bf96a3a6c6a7f4730a0d65df7da88124772435dc354755b3db56cb54d4d4db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E9584DA0-F79F-47BD-A556-BFBD32BB6F56}\Readme.txt

Filesize
2KB

MD5
0741869b7a2ba1b03c786427671272be

SHA1
d66e5450264d65653cfbd28cf61e88847da2c86b

SHA256
11e23a437ea1071bea16172258577ef7a8fb2b86382f895597f58953695f03f9

SHA512
403bf96446e10d04b5f540780907ebe3f75ce43764e5fb5126b2d9b891553fc14d7f1d110e34ef70fe68df8df45df8859cd16b9770afea9e92ec394120d882fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E9584DA0-F79F-47BD-A556-BFBD32BB6F56}\Setup.exe

Filesize
9KB

MD5
1c524612cc904a61d7377aec55378012

SHA1
e036d44dcec3043d5be6321c577a3e4b09c5efdf

SHA256
b95e9c34a1bdf6fd0f05a5727cf1a510647db9eb0c02a3e0a1108dbef6617d8e

SHA512
77bab747fc7d728dc3dcc128d0f396f5dbf38a93496c500fe5eb844b02e271741d198bbd72a8001a826e92ec132b03f4a4ec008b3aee4c023f32c36db5e6f654

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E9584DA0-F79F-47BD-A556-BFBD32BB6F56}\Setup.ico

Filesize
4KB

MD5
6c80269225128ee55311a1ae6167b38a

SHA1
b82893276e5b2464b22d745d29746b7042f58a46

SHA256
592e44bfe0cc5c5d39a10908f86654b233e676e724d04c9cf45c03f2cda49e05

SHA512
6bb8c51441463c379f5156ea0cba058e9267d0f6e2d9f477034d9eb5095f7fb46e1c8c989f926ff76153fae87cd1d26178bb58566e8be05eecb96874d5887668

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E9584DA0-F79F-47BD-A556-BFBD32BB6F56}\_Setup.dll

Filesize
138KB

MD5
7f8817f4b19635af436fb8202ac6a755

SHA1
1a372bcb6f9094fe8ce093896807c04ea1c93209

SHA256
06e71ed586c86cfbf694f20bf9c2569cb772a891ac8e47384a877fe7666cac8f

SHA512
c44bab313d59780582394ce58bcaa9316f65edc821117d6f31268f24e2c75327d505a10c895b857864625fa8d3ed486813342026678ab257daa07446625d7f92

Download Submit
\Users\Admin\AppData\Local\Temp\TsuB3B7C02F.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
\Users\Admin\AppData\Local\Temp\{E9584DA0-F79F-47BD-A556-BFBD32BB6F56}\Custom.dll

Filesize
91KB

MD5
1e003f7cd537f729059dbf13c4b177ed

SHA1
8b13d68eeee3e3be94d961e03a57353245df2fdd

SHA256
3b4b5014529df5e4884b64e60c2bbb0a21c986a15f84d82dc2d4490a020741f4

SHA512
7ca111f01d6e9180bf1c5b8d6875e92182edf40c211888716ee1288d08dd7b68dacaeeaf2acc614d2cf4ca49a1eaa5228b5124572f628a937f895b05f5764fc0

Download Submit
\Users\Admin\AppData\Local\Temp\{E9584DA0-F79F-47BD-A556-BFBD32BB6F56}\_Setup.dll

Filesize
173KB

MD5
f6d936594abe3af2e6a7aa6e58cb26c4

SHA1
4592b94ae4ccd795cdc758627239073264ac4ae9

SHA256
3cc0918fc22ec780a8523c53dc114c854ef204849b493b95426d3d70e5e673a5

SHA512
a85066315502e32002cc56bb0f126f26a4b1048424888f102611c0095d24db67d437f61e1cca0346f7c3e6453fc6c572ff5de2cc0029d501163e7abc7030c84a

Download Submit