e64b8ad0df9b2ffc01daac06a95abbf52f0169883387d9b182c1feee4cf8b665

Analysis

max time kernel
184s
max time network
215s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2024, 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e6f9a81d67227964b700f7da818cd3f.exe
Size

238KB
MD5

3e6f9a81d67227964b700f7da818cd3f
SHA1

e097a14a50a2832b0f7f7e9c1d9d01c127e9c115
SHA256

e64b8ad0df9b2ffc01daac06a95abbf52f0169883387d9b182c1feee4cf8b665
SHA512

d7512ebb58639c5da65e338bdd36c37851cc18017b5e38ef891a0bb2bcb9f46d17a36c5c17bcfb1149dcae690fe7ceef009d5f9d718ea4dd9214f6cb5232a4e1
SSDEEP

6144:WR+4UQ/l+yaA3loTp4fIRX1PJVuHusG5mlab8j2:WRFUQ/FboTyfIRRJVuHusamlaYj2

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1496	3e6f9a81d67227964b700f7da818cd3f.exe
1496	3e6f9a81d67227964b700f7da818cd3f.exe
1496	3e6f9a81d67227964b700f7da818cd3f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1496	3e6f9a81d67227964b700f7da818cd3f.exe
1496	3e6f9a81d67227964b700f7da818cd3f.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1104	1496	3e6f9a81d67227964b700f7da818cd3f.exe	93
PID 1496 wrote to memory of 1104	1496	3e6f9a81d67227964b700f7da818cd3f.exe	93
PID 1496 wrote to memory of 1104	1496	3e6f9a81d67227964b700f7da818cd3f.exe	93
PID 1496 wrote to memory of 3240	1496	3e6f9a81d67227964b700f7da818cd3f.exe	95
PID 1496 wrote to memory of 3240	1496	3e6f9a81d67227964b700f7da818cd3f.exe	95
PID 1496 wrote to memory of 3240	1496	3e6f9a81d67227964b700f7da818cd3f.exe	95
PID 1496 wrote to memory of 4540	1496	3e6f9a81d67227964b700f7da818cd3f.exe	103
PID 1496 wrote to memory of 4540	1496	3e6f9a81d67227964b700f7da818cd3f.exe	103
PID 1496 wrote to memory of 4540	1496	3e6f9a81d67227964b700f7da818cd3f.exe	103
PID 1496 wrote to memory of 1116	1496	3e6f9a81d67227964b700f7da818cd3f.exe	104
PID 1496 wrote to memory of 1116	1496	3e6f9a81d67227964b700f7da818cd3f.exe	104
PID 1496 wrote to memory of 1116	1496	3e6f9a81d67227964b700f7da818cd3f.exe	104
PID 1496 wrote to memory of 676	1496	3e6f9a81d67227964b700f7da818cd3f.exe	107
PID 1496 wrote to memory of 676	1496	3e6f9a81d67227964b700f7da818cd3f.exe	107
PID 1496 wrote to memory of 676	1496	3e6f9a81d67227964b700f7da818cd3f.exe	107

C:\Users\Admin\AppData\Local\Temp\3e6f9a81d67227964b700f7da818cd3f.exe
"C:\Users\Admin\AppData\Local\Temp\3e6f9a81d67227964b700f7da818cd3f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin08A4.bat"
  2⤵
  PID:1104
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinAFB1.vbs"
  2⤵
  PID:3240
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinAFB1.vbs"
  2⤵
  PID:4540
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin567C.bat"
  2⤵
  PID:1116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tinAB21.bat"
  2⤵
  PID:676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\4F6554EB\cfg\1.ini

Filesize
1KB

MD5
0bde7d4b3da67537eaf9188e6f8049cf

SHA1
64300fc482d01d38b40ab20e15960b6509665e5a

SHA256
5dc1ae0b875dc0d78dbc5532226f5f31b762b4d1229984f605d27bf895ab6807

SHA512
2d4d27ab5b3dd2a701a944e9b5372b40ee4f8b3267f133be7ad0d4b42528302aaa002b6132722e2ad1fe629fc3e8baf1011c8dad326062e9c0946d6f1b6eafb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F6554EB\Setup.exe

Filesize
15KB

MD5
d55b64beb146e15559e4bc16a4aefeb8

SHA1
40f55addbec338dcac20ca72d3a4ba04e82d3e73

SHA256
5188778e5cb9407d6027f4c07d5b5f8286010c082a7e843130dd1588c523f49f

SHA512
83d35919dd5f8520a66934c1013a836d7e452c7524699e898483cdc52cadbb657737c5a2f812a21ef1b74c056c662527a83dfb17e425a6a661a9d3edb45f7d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F6554EB\Setup.ico

Filesize
4KB

MD5
c3926cef276c0940dadbc8142153cec9

SHA1
f8b350d2b7158f5ab147938961439860d77b9cb4

SHA256
0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

SHA512
5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F6554EB\_Setup.dll

Filesize
109KB

MD5
4f5c81df83e9d75770e9e01f19225a12

SHA1
24d927a10b4e6d33ca659a5f4e39c32fe0b9745e

SHA256
601382d3a5525adc3e6044d744dd49b42bc40c04809c326c26e41e9c0791c6d5

SHA512
c721ee90f901161dfaeed0931bd35cfd5378775d5e307dc1eab7e71165df0490fe45fddcdcf0551017be9529e47dc00cd3bb96d4864405d26be4cc64da8ad2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F6554EB\_Setupx.dll

Filesize
18KB

MD5
e5a8bd01702b38c47b49de16496e9763

SHA1
24bcc3ad281eed13158f9eb51e70e8c261c7a8cc

SHA256
df8be2dfdc45b64dfb2da33f7c986b3ef2dc86ffa54bdfcbae97224e62aa34d9

SHA512
1925ae827691f724f95ee6c9095e060961f3f607c5892661212a9d6e1805f79e0456192a75446c5f3c149c10ce9becca7c2e72171a9b0122bdfe6a010cf6b10b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsu-05D8.dll

Filesize
245KB

MD5
2eff60fe81b1a071c30c1fd6fca1413c

SHA1
ccbd845debfad81ccabdabadb2a38b5d421eb610

SHA256
b30a29bf2af725c5cc5e1fd0bdb2a30eff11ef5b32b2cfca173e6350cbf407ac

SHA512
253d4b2b92f85d36447d3808d0757c8d8d58f48b04b9134c7a7d03bfb3af6a3401c71a6a9366840b493505126929cb3ff62619af65c6ff597e5b8449793b5e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin08A4.bat

Filesize
44B

MD5
854beca23ccb6c25886f60f937854134

SHA1
94a59f39931168165b5fa93b484998da23793b24

SHA256
88129836899c4d53f47f9da09f0466e4f1dbca5624d59c16f9a105f973882b29

SHA512
db95a5189abdce53b82887afdb797f089c36a8f8883f08ce649ff5cd7179e73df5b0db515bdf94d8af56ea892b560b3cbe0f715f3a6122c5c69089423171b5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin567C.bat

Filesize
50B

MD5
ed3d3cb9d6079330bd13780e26989d99

SHA1
84cb96766b2540cc53cc24e2b70412a3a2f8ef28

SHA256
5e399a79fcc8d597f845517697804b27f38dce5d97f14847ff429edef8fdd523

SHA512
fd668efd3f38e506f7b58a5568e403fe45bf047756b40a93cc4bcf47e55557bfe008426bccc27f1a787411bfd26950b51d9bdef627767dfa68b700d939b5df14

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinAFB1.vbs

Filesize
3KB

MD5
a5631e7d5e5b554426a632eb7fa6f5c3

SHA1
f36814778ce3263adcdee7ffb3b0154ba44852e9

SHA256
654e85816289c9dd58259509f301000285c0f409552c418638e23402d3d28692

SHA512
27f171e4713b06591f4e370431f40a714d01e00fcafc250038725a4630d4dc6950346e12f6025b280650858ec3f4019cde1c273103cea68b2782522795077321

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinAFB1.vbs

Filesize
4KB

MD5
cffd6e36f2a981f03110a48b22f493ba

SHA1
d74248edb15a07f67063a39de6d163c741723c85

SHA256
79257febd7f26d80827a78155cf18690283c7f67616331cbc2c14473642ea72e

SHA512
6dd25c111a3e9af4ab90a70f153539992a6baac742c07716e3d4a6b18f6a68f050905cd8b75d293f8fbfd156fa2b85c395f6cdc83c7fd4e1c1358aa9859aa79d

Download Submit