a0bf5b906910cffe6380718502ea3bef2179dda89db8b3f587a5522c1f064c48

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dabc94293586410419d34ae389e1ca8.exe
Size

240KB
MD5

0dabc94293586410419d34ae389e1ca8
SHA1

801e10012980bf54f99aa16343cb2d513defd5bd
SHA256

a0bf5b906910cffe6380718502ea3bef2179dda89db8b3f587a5522c1f064c48
SHA512

7dc4889401fb32c3782f134defed5d330df3390476fe89f3e4e379df2193cabc8ba22cc16a7b3f8c02ffcd4d0b1cf7a153b8f3d663aadf114f14b17bddf2dafb
SSDEEP

3072:LMH/iHAIgRkBrZqFCPwwQfMBzy3MbzK+PukdQ1BtB+H55qzAcuZhr+88hLRZPsN9:Al+BIFCPwwTzOOPgP+mu/r+8ZN+8V3

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2332	0dabc94293586410419d34ae389e1ca8.exe
2332	0dabc94293586410419d34ae389e1ca8.exe
2332	0dabc94293586410419d34ae389e1ca8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2332	0dabc94293586410419d34ae389e1ca8.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2708	2332	0dabc94293586410419d34ae389e1ca8.exe	28
PID 2332 wrote to memory of 2708	2332	0dabc94293586410419d34ae389e1ca8.exe	28
PID 2332 wrote to memory of 2708	2332	0dabc94293586410419d34ae389e1ca8.exe	28
PID 2332 wrote to memory of 2708	2332	0dabc94293586410419d34ae389e1ca8.exe	28
PID 2332 wrote to memory of 1140	2332	0dabc94293586410419d34ae389e1ca8.exe	30
PID 2332 wrote to memory of 1140	2332	0dabc94293586410419d34ae389e1ca8.exe	30
PID 2332 wrote to memory of 1140	2332	0dabc94293586410419d34ae389e1ca8.exe	30
PID 2332 wrote to memory of 1140	2332	0dabc94293586410419d34ae389e1ca8.exe	30
PID 2332 wrote to memory of 1684	2332	0dabc94293586410419d34ae389e1ca8.exe	31
PID 2332 wrote to memory of 1684	2332	0dabc94293586410419d34ae389e1ca8.exe	31
PID 2332 wrote to memory of 1684	2332	0dabc94293586410419d34ae389e1ca8.exe	31
PID 2332 wrote to memory of 1684	2332	0dabc94293586410419d34ae389e1ca8.exe	31
PID 2332 wrote to memory of 1208	2332	0dabc94293586410419d34ae389e1ca8.exe	32
PID 2332 wrote to memory of 1208	2332	0dabc94293586410419d34ae389e1ca8.exe	32
PID 2332 wrote to memory of 1208	2332	0dabc94293586410419d34ae389e1ca8.exe	32
PID 2332 wrote to memory of 1208	2332	0dabc94293586410419d34ae389e1ca8.exe	32
PID 2332 wrote to memory of 1496	2332	0dabc94293586410419d34ae389e1ca8.exe	35
PID 2332 wrote to memory of 1496	2332	0dabc94293586410419d34ae389e1ca8.exe	35
PID 2332 wrote to memory of 1496	2332	0dabc94293586410419d34ae389e1ca8.exe	35
PID 2332 wrote to memory of 1496	2332	0dabc94293586410419d34ae389e1ca8.exe	35

C:\Users\Admin\AppData\Local\Temp\0dabc94293586410419d34ae389e1ca8.exe
"C:\Users\Admin\AppData\Local\Temp\0dabc94293586410419d34ae389e1ca8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tinD474.bat"
  2⤵
  PID:2708
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin64F0.vbs"
  2⤵
  PID:1140
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin64F0.vbs"
  2⤵
  PID:1684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tinD70C.bat"
  2⤵
  PID:1208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin5DF9.bat"
  2⤵
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\B4D63104\cfg\1.ini

Filesize
1KB

MD5
ccfa12efabc2a6d905fa33489c8ab42b

SHA1
adc2e1bc1f37c27acff4967e33aa8ffeaf8a8e6f

SHA256
835f2c0f4ebc48bdf76deaf2583763efa6df79ef71ec6ed3195c6d4fb6243107

SHA512
c244bd37305fdad832a189fa15c663e0b37a8b727c28858807d040664dae19af2f76def3ae14dbdae1ad5f1c5864f5a11d9f932ead1381287604cdc6c9c1bc6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4D63104\Setup.exe

Filesize
15KB

MD5
4590d6b8d7117db14ffe4d2b478d8bfc

SHA1
f95f1cbc0ea8df08718fe8973bbcce22a2cd0eea

SHA256
6d1cf6f942fb6a881ff96732e5418db018bcfd768bfe6a93d619e42bb92a732d

SHA512
30792be34abcbcb964eca61aa9543d3afbcaec70c5c5ba9e555f1a8163757db000b9ea7dc376668f2f9d5f50121f3fc66fe20eefe378ebe35990e44b5e33b0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4D63104\Setup.ico

Filesize
4KB

MD5
c3926cef276c0940dadbc8142153cec9

SHA1
f8b350d2b7158f5ab147938961439860d77b9cb4

SHA256
0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

SHA512
5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4D63104\_Setup.dll

Filesize
113KB

MD5
8168ed50180bbfb411b25dbe2001f983

SHA1
e6cd1fe12b78c9c16a1a5e416a6f1135dffa29e3

SHA256
a6c22fda39d8fa9e9f785129cfbacbc691f83cdca6c58c92d817cf1dd4ff237b

SHA512
d94cbf4dd83127a2e277875a854afc56cdfa85978b43a0ff1e8a57cedfb2f1d8e39eace71ca6db8c3d59067afb490bc676382141fab3820a2df559ec9321ea50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin5DF9.bat

Filesize
46B

MD5
ff72b86958ff36086fde091d898d7693

SHA1
aee907a50969303ffb391ae4a5f0bbc6f5b68c7f

SHA256
d5fb995e31b79c8001c47f51c57fa4eb68c1a085edf7a6dc7441293197cbb3aa

SHA512
2c761791ac589b61155a3219b8ca26f2facfe3f1b4ca53e43431147c31f7ba3da1932945d8bdd4d62888e92972d509af247616d1f75c327967d65099138333c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin64F0.vbs

Filesize
3KB

MD5
ccd73aed8d99ad58d6ee9edb35b2d048

SHA1
4c73bcb7b414f493f80756dd5086a46735ad462b

SHA256
c9dedb306fcd28fa013f96f3aec5feec833ec865bcdd669804872e15d3c826e9

SHA512
a5acc6f415315ccb38c2f0f883b7f6fbd1b403d34bff7c3ce498ccdb1fd5b17b9764da45bfe6747da33ad3e2cd8f91a2a9eee91c4284a457861c29210988cb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin64F0.vbs

Filesize
4KB

MD5
d8f35397b99f9e0ebcdfd1a662322e32

SHA1
0b491089d37f3bf263c06b148f71dba7405b502d

SHA256
f7e95912adfa2b8fc85d7ba33576be98b2e77b5a0f1c8067eeb0772026b6ff27

SHA512
2ba8d1d64402d7c944050d7c0e78c3e522b4334a754a91b1d48bffa8fc9846aa29adfd9c43ddd0648e5cd57988503496966f897c0c7f63c5e8fcf7ed652cbd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinD474.bat

Filesize
44B

MD5
d121d99c0a6e7270234b32da2cb9c530

SHA1
b914264672db4c09ed55c56e0baa02700c6e7a82

SHA256
05f8f0c5c319661fbcaefe93c792f41b37bfdbb7b12db40dfbc9c8495e73a55a

SHA512
2f1ac629b04a89b89e560c6a1202c7994fef46410fcb2b86021540c71050df75307b2495064155f69a8505e30536a3fb4385ba1b1c862f4e0adebe6c20a2263f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinD70C.bat

Filesize
50B

MD5
e0e0fe089e410ffc3abc9c977764f6a0

SHA1
4767a5531726bca59fb817e771a316f2464ea371

SHA256
f3d0d1d3a6a2f0d653b9a943e24752f91bbb926f06b614986ee7eec2f33fbb11

SHA512
2ca4a678f2c255750cdb898d3c04ce2c7acff95ae746573722b886367f02068969b3e60ceef01cdb103accefe3a402fa1678c26da954c33ab70721ce9107c8b6

Download Submit
\Users\Admin\AppData\Local\Temp\B4D63104\_Setup.dll

Filesize
102KB

MD5
bd327ba1bae56e15d86a06efefa1bff8

SHA1
673fdb5d7c5f4d7f3a57e66322e954435fb49e79

SHA256
4d3913d04447d9b997ce7972c0629997f2d293491337c984991a4c80e31f80e8

SHA512
fa5f2edfb1a7758c55db6f10cbf981a5017d4b7097a3eeede3d3a1580d5028091155c0ecf981fb593c589f5901999a352b0809d1a2ec47fe23786a58d25d952f

Download Submit
\Users\Admin\AppData\Local\Temp\B4D63104\_Setupx.dll

Filesize
18KB

MD5
caca9a299e1f08183e624f4496a140c2

SHA1
943827264cc655e53445f37c4a1ed26daad73a44

SHA256
98783695affb97bec3e6a68b1b231ba92258becceaa52a4711208f207b221683

SHA512
778479c939f93f807faac3baf5720b6c786aa0e4fe37ed1be31ff5d8753b96718be1bc74bafad14e1a41970a98b93d4ef5d07259f39ba81f189236a0cacf0692

Download Submit
\Users\Admin\AppData\Local\Temp\Tsu-091C.dll

Filesize
246KB

MD5
cfe699e0437ceb8309b7ad751d6c847d

SHA1
a19622e994c78885dfc6b29c210ec5cae96d5359

SHA256
f9aa6780533d5d1a233b2dae6d04941e2ca94ab00f10e9e759281181da3f3a26

SHA512
2af04bd0ff6416b0a86d218ca3cc3edd9fd68bb1bc7842652d9f3a0e270e366affdb00f7a9272f89dd534704c269c47c09316ec7781e820fb55935e2e894c5f2

Download Submit