052fb311740ae04a0ade1401a1a9312db0e7f1d8f1602950eda24498e624354c

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21d3f9689561df6f1111c30c2681555f.exe
Size

327KB
MD5

21d3f9689561df6f1111c30c2681555f
SHA1

932843a307487852cc76f340808ec0763ac529d5
SHA256

052fb311740ae04a0ade1401a1a9312db0e7f1d8f1602950eda24498e624354c
SHA512

8a28071c506cfba2e27c04ca32e5dbc82cd64f1a1db7b74b47ad2394d88ee62b0f1afaf01891f093d524259d5e5bf182900f7e92dda06638bb2a016d6bc0486b
SSDEEP

6144:Zr469uEo2S1YnQmCX492DkwNP3qpYFGgjwuBGVdLAt4ZHd2i3gjd+ZD/6Fr:Zr4iu6/eIo4Rsw33AtsmQ6

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2548	21d3f9689561df6f1111c30c2681555f.exe
2548	21d3f9689561df6f1111c30c2681555f.exe
2548	21d3f9689561df6f1111c30c2681555f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	21d3f9689561df6f1111c30c2681555f.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	21d3f9689561df6f1111c30c2681555f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2548	21d3f9689561df6f1111c30c2681555f.exe
2548	21d3f9689561df6f1111c30c2681555f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 3028	2548	21d3f9689561df6f1111c30c2681555f.exe	95
PID 2548 wrote to memory of 3028	2548	21d3f9689561df6f1111c30c2681555f.exe	95
PID 2548 wrote to memory of 3028	2548	21d3f9689561df6f1111c30c2681555f.exe	95

C:\Users\Admin\AppData\Local\Temp\21d3f9689561df6f1111c30c2681555f.exe
"C:\Users\Admin\AppData\Local\Temp\21d3f9689561df6f1111c30c2681555f.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin7053.bat"
  2⤵
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\860EDDE3\cfg\1.ini

Filesize
1020B

MD5
939cc2388bb1ce9629259aab647df0a3

SHA1
9cae7ae54376858144765944f1bededeb787f7f7

SHA256
82c6e4432e96398f4472385e965ef268fea0c00e826a4244a6e93132184f31a0

SHA512
95bc32f112d00f9a5ce1676a4c020eecfe64db49f03c45e9ab4375bf3a9d7a3bb1fed74e815b06159dc2714afa6ba0cd4b770c303f429ae9c886cf19be7d5649

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsu4AC25364.dll

Filesize
92KB

MD5
1f905acec7b77e7b5a1c6c85c397acfc

SHA1
22331834ed8b991c4db0695f9c677316b0b7c592

SHA256
bb6cb380d01828b1f53b98f8dada1e9b879cf1b959145f3071ed5bf4016307be

SHA512
c8d925b0d8636ae9434f0c1c6bed739a2c3e7108642e9e32e5aac28a383cab9a2aa63773eea20e1cd0504a75bb2c0fbb7923cacb2ab1d0450e307e5e4cf507d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{659508FF-3792-4B6D-A986-7FB0BE762A09}\_Setup.dll

Filesize
92KB

MD5
69d3b5145a4ad4bbd7e060a64d6ba852

SHA1
8ee672aa1cedd924381304784344a62a40f39c29

SHA256
89250bf73e501d37ad85c84468ffeab70241763da4705b98776a788a5171b8e1

SHA512
6451887d9c0a4370bf8cbcfc85ed1458f08a5c62ba458a80e2b0f6bf78f32cd96a47d8f635e3e13a82a048a587191ba1106aec36e65dc0ab6030b5a9c8cdd349

Download Submit