e64b8ad0df9b2ffc01daac06a95abbf52f0169883387d9b182c1feee4cf8b665

Analysis

max time kernel
121s
max time network
132s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/01/2024, 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e6f9a81d67227964b700f7da818cd3f.exe
Size

238KB
MD5

3e6f9a81d67227964b700f7da818cd3f
SHA1

e097a14a50a2832b0f7f7e9c1d9d01c127e9c115
SHA256

e64b8ad0df9b2ffc01daac06a95abbf52f0169883387d9b182c1feee4cf8b665
SHA512

d7512ebb58639c5da65e338bdd36c37851cc18017b5e38ef891a0bb2bcb9f46d17a36c5c17bcfb1149dcae690fe7ceef009d5f9d718ea4dd9214f6cb5232a4e1
SSDEEP

6144:WR+4UQ/l+yaA3loTp4fIRX1PJVuHusG5mlab8j2:WRFUQ/FboTyfIRRJVuHusamlaYj2

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1752	3e6f9a81d67227964b700f7da818cd3f.exe
1752	3e6f9a81d67227964b700f7da818cd3f.exe
1752	3e6f9a81d67227964b700f7da818cd3f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1752	3e6f9a81d67227964b700f7da818cd3f.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2840	1752	3e6f9a81d67227964b700f7da818cd3f.exe	27
PID 1752 wrote to memory of 2840	1752	3e6f9a81d67227964b700f7da818cd3f.exe	27
PID 1752 wrote to memory of 2840	1752	3e6f9a81d67227964b700f7da818cd3f.exe	27
PID 1752 wrote to memory of 2840	1752	3e6f9a81d67227964b700f7da818cd3f.exe	27
PID 1752 wrote to memory of 1988	1752	3e6f9a81d67227964b700f7da818cd3f.exe	30
PID 1752 wrote to memory of 1988	1752	3e6f9a81d67227964b700f7da818cd3f.exe	30
PID 1752 wrote to memory of 1988	1752	3e6f9a81d67227964b700f7da818cd3f.exe	30
PID 1752 wrote to memory of 1988	1752	3e6f9a81d67227964b700f7da818cd3f.exe	30
PID 1752 wrote to memory of 1932	1752	3e6f9a81d67227964b700f7da818cd3f.exe	31
PID 1752 wrote to memory of 1932	1752	3e6f9a81d67227964b700f7da818cd3f.exe	31
PID 1752 wrote to memory of 1932	1752	3e6f9a81d67227964b700f7da818cd3f.exe	31
PID 1752 wrote to memory of 1932	1752	3e6f9a81d67227964b700f7da818cd3f.exe	31
PID 1752 wrote to memory of 1352	1752	3e6f9a81d67227964b700f7da818cd3f.exe	35
PID 1752 wrote to memory of 1352	1752	3e6f9a81d67227964b700f7da818cd3f.exe	35
PID 1752 wrote to memory of 1352	1752	3e6f9a81d67227964b700f7da818cd3f.exe	35
PID 1752 wrote to memory of 1352	1752	3e6f9a81d67227964b700f7da818cd3f.exe	35
PID 1752 wrote to memory of 2380	1752	3e6f9a81d67227964b700f7da818cd3f.exe	34
PID 1752 wrote to memory of 2380	1752	3e6f9a81d67227964b700f7da818cd3f.exe	34
PID 1752 wrote to memory of 2380	1752	3e6f9a81d67227964b700f7da818cd3f.exe	34
PID 1752 wrote to memory of 2380	1752	3e6f9a81d67227964b700f7da818cd3f.exe	34

C:\Users\Admin\AppData\Local\Temp\3e6f9a81d67227964b700f7da818cd3f.exe
"C:\Users\Admin\AppData\Local\Temp\3e6f9a81d67227964b700f7da818cd3f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin08A4.bat"
  2⤵
  PID:2840
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinAFB1.vbs"
  2⤵
  PID:1988
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinAFB1.vbs"
  2⤵
  PID:1932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tinAB21.bat"
  2⤵
  PID:2380
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin567C.bat"
  2⤵
  PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Tsu-06D8.dll

Filesize
245KB

MD5
2eff60fe81b1a071c30c1fd6fca1413c

SHA1
ccbd845debfad81ccabdabadb2a38b5d421eb610

SHA256
b30a29bf2af725c5cc5e1fd0bdb2a30eff11ef5b32b2cfca173e6350cbf407ac

SHA512
253d4b2b92f85d36447d3808d0757c8d8d58f48b04b9134c7a7d03bfb3af6a3401c71a6a9366840b493505126929cb3ff62619af65c6ff597e5b8449793b5e91

Download Submit