24c2ef8e57ec80493b79c83a9e5b875bd9389b5b3be7137e7a9ed015364111d4

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48ba2cebd656c943dd39b46e99b324b6.exe
Size

304KB
MD5

48ba2cebd656c943dd39b46e99b324b6
SHA1

325a02c8c156b736dcc5fd32ba09fc29bbbb1d07
SHA256

24c2ef8e57ec80493b79c83a9e5b875bd9389b5b3be7137e7a9ed015364111d4
SHA512

a4f7885a89a26914fea552f88d8a14db9680fd7340020e880cf92f2e5c622721d34725d858ed9a77c8914b46a4296e36a0a7376166da10133c40447fa2262898
SSDEEP

6144:NrkW9uEo2S1YnQmCX492DkwNP3qpYF4AqqWb+qR9h+uqkNfoM6YV5TmNa1a3SyPL:Nrkuu6/eIo4tQW62T+uTwM6YVxm24L

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2960	48ba2cebd656c943dd39b46e99b324b6.exe
2960	48ba2cebd656c943dd39b46e99b324b6.exe
2960	48ba2cebd656c943dd39b46e99b324b6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	48ba2cebd656c943dd39b46e99b324b6.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	48ba2cebd656c943dd39b46e99b324b6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2960	48ba2cebd656c943dd39b46e99b324b6.exe
2960	48ba2cebd656c943dd39b46e99b324b6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2584	2960	48ba2cebd656c943dd39b46e99b324b6.exe	98
PID 2960 wrote to memory of 2584	2960	48ba2cebd656c943dd39b46e99b324b6.exe	98
PID 2960 wrote to memory of 2584	2960	48ba2cebd656c943dd39b46e99b324b6.exe	98

C:\Users\Admin\AppData\Local\Temp\48ba2cebd656c943dd39b46e99b324b6.exe
"C:\Users\Admin\AppData\Local\Temp\48ba2cebd656c943dd39b46e99b324b6.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin13B9.bat"
  2⤵
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\AFF1DCDC\cfg\1.ini

Filesize
924B

MD5
55621464225c6bc6f9c32f89dd788133

SHA1
71ae8d4044f1ea2e1a4c6deaa3adda8d99921907

SHA256
6c03ce1392d03938071d98798336713b76043a4478c8adf8f76cc7541b58555c

SHA512
b2080918f9b707f431d79674578be067c90b058e2bae83a40b84ad255a3406d0acb69f2e1fd083110e0d2c29fa1fa9738b7816200ac12c2f8d1326a324bc9c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\TsuA3F3959C.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A89036E1-C4F3-4797-A57C-8CD173731417}\Custom.dll

Filesize
73KB

MD5
56e4e9e881524397c9f6dca5ca70b1e8

SHA1
8ad77bad589591171eb94a593c3814a3b742f79c

SHA256
2e6e83c80a887c82c890053f491e0cb24074967b5ae7af7c8c4bcae78af2a22b

SHA512
130c83dfc0db281bd7999edc6c295f122ab3ba00c69353daad988866680a6994365874eb29122b8473930d2ba0df58bdfb27eb8897a819f79c8b8e31e6597700

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A89036E1-C4F3-4797-A57C-8CD173731417}\_Setup.dll

Filesize
168KB

MD5
9f8992a651c85604676b2bbf54830547

SHA1
bd2a5cd0038899d97d7c652056c948c33c5bc83d

SHA256
61fef12b10bb745094ec1392da30c357d508c2befafddd354cad9922feca8ed4

SHA512
a6d7692bdbf1a19eb582150d5387faf7d08119f7b111a809c3b55f9de5ee74481b62a1a745f6ed3817ac4c0245ca52e4db8026690ba6a48d3006d47771b60ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A89036E1-C4F3-4797-A57C-8CD173731417}\_Setup.dll

Filesize
92KB

MD5
a836eee90c1308153770dc0d1658066d

SHA1
058eff0f9814c64d3b9ae52b78985df222c459a9

SHA256
9a86e0ab0a290535fcf19ec2fe4a6bd310b28666836bbf4bab41b79e7e9da4c2

SHA512
9163bab79e8b7d952f665d228d6f27deef36b27c2bd9aa75addbf219c437b9dfb3658097316ca9be2443afb759d597d65c020578ec57856f608fe2ecf9fd20c8

Download Submit