2474dfd5a80086835a02853e614ac3bb5e7f6d139273fdba0c5c28deb7775390

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2024 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d51b35be62abc6bc07e0aa489dbb55f.exe
Size

313KB
MD5

4d51b35be62abc6bc07e0aa489dbb55f
SHA1

fd21be14c955fa0a63e390771c1731982cea6d34
SHA256

2474dfd5a80086835a02853e614ac3bb5e7f6d139273fdba0c5c28deb7775390
SHA512

6612a41de91b3312183f557a59176104e80bfbc6c395e47f63bfe5e56532177c131c7c104cecfb063973c68028377a4b360a694255d46f35b18beff4b4c01017
SSDEEP

6144:4rkA9uEo2S1YnQmCX492DkwNP3qpYF0lu7tIYxFtApNhiYLE2/5yr3+LijYP:4rk4u6/eIo4nlu7trxFtApfgMyrpjYP

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2448	4d51b35be62abc6bc07e0aa489dbb55f.exe
2448	4d51b35be62abc6bc07e0aa489dbb55f.exe
2448	4d51b35be62abc6bc07e0aa489dbb55f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	4d51b35be62abc6bc07e0aa489dbb55f.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	4d51b35be62abc6bc07e0aa489dbb55f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2448	4d51b35be62abc6bc07e0aa489dbb55f.exe
2448	4d51b35be62abc6bc07e0aa489dbb55f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2852	2448	4d51b35be62abc6bc07e0aa489dbb55f.exe	51
PID 2448 wrote to memory of 2852	2448	4d51b35be62abc6bc07e0aa489dbb55f.exe	51
PID 2448 wrote to memory of 2852	2448	4d51b35be62abc6bc07e0aa489dbb55f.exe	51

C:\Users\Admin\AppData\Local\Temp\4d51b35be62abc6bc07e0aa489dbb55f.exe
"C:\Users\Admin\AppData\Local\Temp\4d51b35be62abc6bc07e0aa489dbb55f.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin6FE1.bat"
  2⤵
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads