2474dfd5a80086835a02853e614ac3bb5e7f6d139273fdba0c5c28deb7775390

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d51b35be62abc6bc07e0aa489dbb55f.exe
Size

313KB
MD5

4d51b35be62abc6bc07e0aa489dbb55f
SHA1

fd21be14c955fa0a63e390771c1731982cea6d34
SHA256

2474dfd5a80086835a02853e614ac3bb5e7f6d139273fdba0c5c28deb7775390
SHA512

6612a41de91b3312183f557a59176104e80bfbc6c395e47f63bfe5e56532177c131c7c104cecfb063973c68028377a4b360a694255d46f35b18beff4b4c01017
SSDEEP

6144:4rkA9uEo2S1YnQmCX492DkwNP3qpYF0lu7tIYxFtApNhiYLE2/5yr3+LijYP:4rk4u6/eIo4nlu7trxFtApfgMyrpjYP

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2380	4d51b35be62abc6bc07e0aa489dbb55f.exe
2380	4d51b35be62abc6bc07e0aa489dbb55f.exe
2380	4d51b35be62abc6bc07e0aa489dbb55f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	4d51b35be62abc6bc07e0aa489dbb55f.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	4d51b35be62abc6bc07e0aa489dbb55f.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2380	4d51b35be62abc6bc07e0aa489dbb55f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2728	2380	4d51b35be62abc6bc07e0aa489dbb55f.exe	31
PID 2380 wrote to memory of 2728	2380	4d51b35be62abc6bc07e0aa489dbb55f.exe	31
PID 2380 wrote to memory of 2728	2380	4d51b35be62abc6bc07e0aa489dbb55f.exe	31
PID 2380 wrote to memory of 2728	2380	4d51b35be62abc6bc07e0aa489dbb55f.exe	31

C:\Users\Admin\AppData\Local\Temp\4d51b35be62abc6bc07e0aa489dbb55f.exe
"C:\Users\Admin\AppData\Local\Temp\4d51b35be62abc6bc07e0aa489dbb55f.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin6FE1.bat"
  2⤵
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\297F5FED\cfg\1.ini

Filesize
867B

MD5
5b3d38697a7b3ea0973e58eb1961c586

SHA1
5973e9d474fd89d169619d6b02205e2765a2eeac

SHA256
925e52db31bd99a55e4e441ecdca05ed782a97758e33b59bf3f6a96091e91505

SHA512
5a813a80a70f0359bab7bce656e5e020f64cfa5f2a9247abc00366635e30803a3963bbcc6790e1116735cb94f6d252415042e7fe66843ebdfc89c499d9d085a5

Download Submit
C:\ProgramData\InstallMate\{8A70E061-9B7D-45EE-A705-D35F5193C297}\Custom.dll

Filesize
91KB

MD5
ed92e425cd374788afede25d2dd9d84a

SHA1
666fcb0dc635af7ba075e48c8f8c72a16dd30a67

SHA256
a50e3750c29b54f7b304064bb843972dba4094ee9ceef4e6942c61d2a5690d46

SHA512
8afa88d37eaef17822c7fe9285f30d4766af63cabf0dea05b5e74b5a2cd5dfced7729418d42979a7ab006cda6a17731c59b93400c4f2be3f3b59e81e2800687d

Download Submit
C:\ProgramData\InstallMate\{8A70E061-9B7D-45EE-A705-D35F5193C297}\TsuDll.dll

Filesize
251KB

MD5
5ee67cf5d808d096b77a445e1f2599c1

SHA1
cbfe8a53046a58f841d3770a1ec6a1cb690b55a0

SHA256
3e437a931d5a215dc6c0420e668d0ed703b2feee41d9cf7c933dc24f90bd4bfe

SHA512
eb01e70624f3f079d1476811eaa5c91af252756685417e0d955866dabc1da3978e0d159a4fcbd55d47f28a95df310c1332fb91f0eb4f9e8b2a200fb4759fdb9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin6FE1.bat

Filesize
50B

MD5
589f752df93afbf084cb26897e0702c3

SHA1
bdd87a01478cb64cb88aa84e4e49b1d39ce8e8a4

SHA256
5effca807144d8414348f4ccc1de5d6b58267cfc94049ed4cfdc1a3cbd87ed43

SHA512
32d352b72f9cf10e3e7cd6beec2aebe804ab7459310e6c5fbb0cb9d086b62ee569ecb5c9b8ceea1361d43b1cb9967aaeb2313eafc33f4d6bc6d0356441e5cb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8A70E061-9B7D-45EE-A705-D35F5193C297}\Readme.txt

Filesize
2KB

MD5
4a8f844355927fbe8bd85e03aab45e0b

SHA1
9d978f61b6a6ce746de4bbde9e1252575ca28caf

SHA256
d98c50857b3915c7af124a2982165e6139cc378aaad92df699ca2cc95c930d08

SHA512
f912d4bc848eab7d1d39e75448e6b81ef313bed2426a06524ddc1162b2ed379ed16aad362e3576419a56979c5926c0e64f8316e08dce38fa573a43be2f247727

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8A70E061-9B7D-45EE-A705-D35F5193C297}\Setup.exe

Filesize
15KB

MD5
e717f6ce3a7429bfa6d7f3cf66737a4b

SHA1
01f4042589b4ed88c351ffeac256be7a9d884818

SHA256
7be720a73ba8b084702c89f64a9b295fad92545d6ba781072cc056823f9a7633

SHA512
65a9a27430811aa01b55cf365f8b7b9f03e70d32ec60e0706242bc568242bcd493999dc1b02d92bf0d01c0095c8c38d30f282a998cafb80e60ad07e0d875ce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8A70E061-9B7D-45EE-A705-D35F5193C297}\Setup.ico

Filesize
4KB

MD5
c3926cef276c0940dadbc8142153cec9

SHA1
f8b350d2b7158f5ab147938961439860d77b9cb4

SHA256
0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

SHA512
5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8A70E061-9B7D-45EE-A705-D35F5193C297}\_Setup.dll

Filesize
169KB

MD5
204a2b4cd7d5022c92d0d15d33051795

SHA1
7742a0d36b16c07dde8c2d29b8d2bbeed17130d2

SHA256
d6267d0770d1e2ae443e2217ed5f326cf17a0a67454783af4e109db5f040fe85

SHA512
b4aeda6dbb92e070a5d650dfe28f1c0fac5125d9bc1603c8321124aa335d4842da774d68dc6c0f6415579b337a3527d991bc444e5a6167c672f8920759de86e3

Download Submit
\Users\Admin\AppData\Local\Temp\TsuD5F9BA9A.dll

Filesize
80KB

MD5
f8fca79ca4a7971958e9cb653c9a5d4a

SHA1
775030f16ebbdcd80dd6dde47664c95148acc9a4

SHA256
156e747f564e785ff9449a01bd0798b3bfa43277c0530a6398f18d97ac42b477

SHA512
6d3800881117a6fadad0b2916f90e392244f1d0a2cd3a644f4ba9cfc9d2715814510884825920a5f85a8db25cba128c8c238de818f277580e665a40fb4ad5468

Download Submit
\Users\Admin\AppData\Local\Temp\{8A70E061-9B7D-45EE-A705-D35F5193C297}\Custom.dll

Filesize
78KB

MD5
c37b9783144275144a3359c74dd9b318

SHA1
af89c154bab068acc72d13351c50ea98df35db5f

SHA256
e36b09131821bee1c4aed7cb53283c36a6377c6aa2cccdb8232101b48c7f863f

SHA512
a6ca0f01943174468dfdff832c2c56cafc8a9b4e76cbb700d9c5ddc21f4932c0f90c63cca226af4036660eb4b64c573a72f34df8397da03d57f7fe0444cabdda

Download Submit
\Users\Admin\AppData\Local\Temp\{8A70E061-9B7D-45EE-A705-D35F5193C297}\_Setup.dll

Filesize
24KB

MD5
550fc7e3f286c3232d00ebae681b675d

SHA1
0419fd6c5e4cfe436afaf3435a9c0775bcaf1d59

SHA256
efb064843153c1b4f3456c337238bbb4648d2662185cc02e2d086f1228558125

SHA512
b4b95d516e878a40f2060ada6eab47f0e6a7f5167d38e363813fa7817245ce80e29fb6392bca2f520597c597efa244eee81f944d513560fd5834c0a8066c8905

Download Submit