e0ce91b218042472071b89ff937c867878ee9a2033929521197c321c1e4dfc4b

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a6885d94dd5b263def5cbf9c266d53c.exe
Size

230KB
MD5

3a6885d94dd5b263def5cbf9c266d53c
SHA1

678adb5d012adb0454d5366617f3d718e3f9dc5b
SHA256

e0ce91b218042472071b89ff937c867878ee9a2033929521197c321c1e4dfc4b
SHA512

15b24462d981ac1baa9f156a05e84045953e77d7dbd7483bb166a42d4f2bca10cd81e50e32801f8637d5f67b922c62867a922cfc0983d9e20829039cb275e8dc
SSDEEP

6144:rn+TdrqSJnIjyfENiv2bpbyW38gOhOQKd1:rnad3nIucov2brMgOhdC

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
3572	3a6885d94dd5b263def5cbf9c266d53c.exe
3572	3a6885d94dd5b263def5cbf9c266d53c.exe
3572	3a6885d94dd5b263def5cbf9c266d53c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3572	3a6885d94dd5b263def5cbf9c266d53c.exe
3572	3a6885d94dd5b263def5cbf9c266d53c.exe
3572	3a6885d94dd5b263def5cbf9c266d53c.exe
3572	3a6885d94dd5b263def5cbf9c266d53c.exe
3572	3a6885d94dd5b263def5cbf9c266d53c.exe
3572	3a6885d94dd5b263def5cbf9c266d53c.exe
3572	3a6885d94dd5b263def5cbf9c266d53c.exe
3572	3a6885d94dd5b263def5cbf9c266d53c.exe
3572	3a6885d94dd5b263def5cbf9c266d53c.exe
3572	3a6885d94dd5b263def5cbf9c266d53c.exe
3572	3a6885d94dd5b263def5cbf9c266d53c.exe
3572	3a6885d94dd5b263def5cbf9c266d53c.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 4300	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	27
PID 3572 wrote to memory of 4300	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	27
PID 3572 wrote to memory of 4300	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	27
PID 3572 wrote to memory of 1704	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	68
PID 3572 wrote to memory of 1704	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	68
PID 3572 wrote to memory of 1704	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	68
PID 3572 wrote to memory of 3768	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	67
PID 3572 wrote to memory of 3768	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	67
PID 3572 wrote to memory of 3768	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	67
PID 3572 wrote to memory of 1892	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	58
PID 3572 wrote to memory of 1892	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	58
PID 3572 wrote to memory of 1892	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	58
PID 3572 wrote to memory of 2936	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	59
PID 3572 wrote to memory of 2936	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	59
PID 3572 wrote to memory of 2936	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	59
PID 3572 wrote to memory of 1568	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	60
PID 3572 wrote to memory of 1568	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	60
PID 3572 wrote to memory of 1568	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	60
PID 3572 wrote to memory of 2176	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	66
PID 3572 wrote to memory of 2176	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	66
PID 3572 wrote to memory of 2176	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	66
PID 3572 wrote to memory of 1056	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	61
PID 3572 wrote to memory of 1056	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	61
PID 3572 wrote to memory of 1056	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	61
PID 3572 wrote to memory of 648	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	63
PID 3572 wrote to memory of 648	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	63
PID 3572 wrote to memory of 648	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	63
PID 3572 wrote to memory of 2496	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	65
PID 3572 wrote to memory of 2496	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	65
PID 3572 wrote to memory of 2496	3572	3a6885d94dd5b263def5cbf9c266d53c.exe	65

C:\Users\Admin\AppData\Local\Temp\3a6885d94dd5b263def5cbf9c266d53c.exe
"C:\Users\Admin\AppData\Local\Temp\3a6885d94dd5b263def5cbf9c266d53c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tinBADD.bat"
  2⤵
  PID:4300
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinB0AF.vbs"
  2⤵
  PID:1892
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinF2ED.vbs"
  2⤵
  PID:2936
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinED32.vbs"
  2⤵
  PID:1568
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinB0AF.vbs"
  2⤵
  PID:1056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin6CD6.bat"
  2⤵
  PID:648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin927B.bat"
  2⤵
  PID:2496
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin8E83.vbs"
  2⤵
  PID:2176
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinD504.vbs"
  2⤵
  PID:3768
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinF2ED.vbs"
  2⤵
  PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\9D8B6313\cfg\1.ini

Filesize
1KB

MD5
0bde7d4b3da67537eaf9188e6f8049cf

SHA1
64300fc482d01d38b40ab20e15960b6509665e5a

SHA256
5dc1ae0b875dc0d78dbc5532226f5f31b762b4d1229984f605d27bf895ab6807

SHA512
2d4d27ab5b3dd2a701a944e9b5372b40ee4f8b3267f133be7ad0d4b42528302aaa002b6132722e2ad1fe629fc3e8baf1011c8dad326062e9c0946d6f1b6eafb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D8B6313\Setup.exe

Filesize
15KB

MD5
620c469559fab74b64c7a18e3960c13a

SHA1
c2e1aab11c99808fc03f2e875aa72b23000d0cfa

SHA256
ed13de9a4a1b65a3b5c7263d71907c99d05b01ca065f1879bd6f0555e70e58a5

SHA512
fde0220ea0cc6e4d78b27bdee100358040191514d66f33122a3fec6de996be467560dc1a594e8e47e4a7e4531beb5325f829a5779347ac4534ecb0ec342f4394

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D8B6313\Setup.ico

Filesize
4KB

MD5
c3926cef276c0940dadbc8142153cec9

SHA1
f8b350d2b7158f5ab147938961439860d77b9cb4

SHA256
0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

SHA512
5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D8B6313\_Setup.dll

Filesize
102KB

MD5
e1977b0f63e5e8f99774bbf1208cc2ae

SHA1
b3166733be46d9e1af34e69570ee864e124d0943

SHA256
c8a724380b65cd7c0bf6fad385d95f9e55c146f691570aef881fe6a85827f515

SHA512
12fc661069791050fc0b9f42ccb403a7bf7f73363d84c4ee3d1459828ece9569a0033247fdd3b14969cdb2a7714fe88a54239cf8186f866884e610cebefc2b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D8B6313\_Setupx.dll

Filesize
17KB

MD5
eadbe643b191796334fef30a1eea793c

SHA1
7f2812e4133cf60089f31a6211c2a43cef0056a6

SHA256
4fabbdba8e89e45f109f1d78a12c0554440be8287bd3d697a01c5982c1acca84

SHA512
3e9feaf21b60411e05e5362a065a8f34b1f407803cc8800d26e84060ede779adb5c101921611e80f6a68b986f897bd691ad3d51207527f3591a4d37488617ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsu-0DF4.dll

Filesize
245KB

MD5
3f722c6545511e5482fdcf8f4f4d07ba

SHA1
d777b6cc6f7044853a70c88938a5d5ffd23362e4

SHA256
3fa55e2bcff703f901ee858ee98df979f93ecbdda3f8fad9b45878a06fcf4bd5

SHA512
d9dd26e4e3aa08e0648fafe7d764138f1784638ecb7362f9ea7333bee1d49856244be20040e444d8226b8848e08abc230d60d447826428d359a8d674c188a2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin6CD6.bat

Filesize
50B

MD5
13c9044ad2611e16f3c7688bf09d6694

SHA1
1c05bafd8c1983001d5250aafb4dea3ade8e0456

SHA256
a694034ea87b27b272e60a46043ec819e5d4ac6b48588302d7407471ffe053d7

SHA512
63a9e63edfea5d2cf8c1eea8a17d5ff19d9c15aa53bf9e4419bae364520d759ab7581f55831c448d589327e5f8534d4273a5ab8e70d2edd04b62f1bd56072b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin8E83.vbs

Filesize
819B

MD5
0e54e31efb93fee40ad4fa0bec0cd0f2

SHA1
3c4a23c08656bff761e6227028d4f084f8a9e54e

SHA256
ddf1b412061672b1a115c51791ea2880fedf2ad417afb93daaf77faaccf7ba98

SHA512
1c8ed49a3be05bbbbc00631bbe9c2acace76ece876921f2f10221c56953632a1a52944bdcf212d010c0ef1a234c44277fe2c272a4e00638ab7b12fee5311a12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin927B.bat

Filesize
46B

MD5
80f1cc6f43afc11d8798ab250354bbf9

SHA1
294f70324dfebc7e4404fe606c22f3e6f5bf9bb2

SHA256
1d812da20af82c73075deb8c9ec1c8d112ccb2aa5867574957d65815c9c64241

SHA512
868b94669205f203ab8791407d947de32786d57105f637a76c800add01b32e5d44068eb7c0058beef11d253344abe949c4834269375b55452836cc2778141278

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinB0AF.vbs

Filesize
2KB

MD5
dc05c314c8834978db43a3b03b84649f

SHA1
4fdec522611200541499a2a382e7e19cdff547b3

SHA256
b0f0a79a3ffe8d4b0ebe48d035bed75b00ed0b39bcb1cf1fdb1e1d6021c4647a

SHA512
af30efe248e3fdfd380df159f95f76fc21eaf285def8e36add155495ce2cb5cd8183509f92eb5507c13a86a167024cbedb17f53f4d113662be1e971a72eb42b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinBADD.bat

Filesize
44B

MD5
8b9bff3d078e6c9c4c4fbeb116df10c9

SHA1
67b5ddd83a9bada45573938293efca9560dc7dd5

SHA256
b1ede9cea6b65cc628fe1724ea208e837225b04013d3cf7e9b72ac3e96a420b0

SHA512
19e682a120757a27a1732643cecdfeb20e579be33e2371f2440f800b399e8fd9ca205b8d843080d91a071d85d4cc276d1eb03985625e3cc088dad1e38375ff19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinD504.vbs

Filesize
753B

MD5
550b4df803bcd1fffff94a5d57f155cc

SHA1
875a3db1dc3598d7dbd2e7df5ce6a5eba0487a46

SHA256
c4e485aca83c9382ff94e7b641e38e00ffddba92edd2142e1bfab97daed66d5f

SHA512
cb9e6d311e64577f4d8a5ab36b59f54318d69d6c89a335d9b1737eb0fa4998fce6be2b77b05a1a56108adb3ccd07c708ad285c003522bd78954b9f24bf003677

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinED32.vbs

Filesize
419B

MD5
deeff84ff30a7c9f1e6a1cf5bde44c34

SHA1
0d5baefee53264a999796eac8e8aec6216625e93

SHA256
605c32bb32e5f33a460b67da07e18ee0a3b1958804af493c2c6adb30988a6c0a

SHA512
74ac266ec5cb17a6b22f2b9d1fce2ee4b4d2dcbd21c2b19e8e766f0ffe40b756cf16c78dafca37d705aa546b423e49e0f6969f1d7a64fd69a7c5c5e685afb411

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinF2ED.vbs

Filesize
304B

MD5
8a03e2dbf2f891bd7bcbaf9c58645e32

SHA1
6c49157954d36fb221348ca621108bebc5fb3430

SHA256
41085af0c4f71a2481259fd4451bc95515a5906d2c21ae625111365503062ffa

SHA512
a7e18186b8b07be1efdaba3bab5127521353504725ae219363daf937b1baaf5ff40df5ebb27254ef640b3ef1a9827d05f87c1ba1a96a4145cc2e80cbea48baf1

Download Submit