11b160985512a52e0370df2e033ee365624938201c0a0c9ec43b18c1feb58c2e

Analysis

max time kernel
89s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

901d946782b7cdcca330975a6729b6ca.exe
Size

325KB
MD5

901d946782b7cdcca330975a6729b6ca
SHA1

1316a5bfce6e0fe11ca479cf15313d3ffdd8230e
SHA256

11b160985512a52e0370df2e033ee365624938201c0a0c9ec43b18c1feb58c2e
SHA512

d81aa5b1696fd5988932571ba78bc79d0f5a526f680ae5501ff876141c9309d5123f2abfcb91346635bf685c4c9848c45174141ce702b11b0443ee3b6d8f0b90
SSDEEP

6144:Er1Bh9uEo2S1YnQmCX492DkwNP3qpYFDcYgQUskKWeFCEQOiCYOqmO5oe:Er1B3u6/eIo4ArVUBQCCYOqmO5oe

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1760	901d946782b7cdcca330975a6729b6ca.exe
1760	901d946782b7cdcca330975a6729b6ca.exe
1760	901d946782b7cdcca330975a6729b6ca.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	901d946782b7cdcca330975a6729b6ca.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	901d946782b7cdcca330975a6729b6ca.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1760	901d946782b7cdcca330975a6729b6ca.exe
1760	901d946782b7cdcca330975a6729b6ca.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 636	1760	901d946782b7cdcca330975a6729b6ca.exe	90
PID 1760 wrote to memory of 636	1760	901d946782b7cdcca330975a6729b6ca.exe	90
PID 1760 wrote to memory of 636	1760	901d946782b7cdcca330975a6729b6ca.exe	90

C:\Users\Admin\AppData\Local\Temp\901d946782b7cdcca330975a6729b6ca.exe
"C:\Users\Admin\AppData\Local\Temp\901d946782b7cdcca330975a6729b6ca.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin9F8B.bat"
  2⤵
  PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\1AEC2E6E\cfg\1.ini

Filesize
816B

MD5
d8a90b37695439df951afb8436576bb6

SHA1
0a036568e78a2926231f94bb7b4e8f4ef83d3c2a

SHA256
f05ea018cd8245008e6e1919d8005900bbbbd393c3b4aeb512c7ceb65cf00596

SHA512
aa9b76d76ebb7225188fd24de3f8496bcac526a138a823029430dd3035ada0b7ab177ec6cffd5a84c62adbb3bd7971e95f8e9d79099d5781de6073197644f7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TsuD34E3A8F.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TsuD34E3A8F.dll

Filesize
71KB

MD5
28a32444423a357e1ea508f18eb8ad98

SHA1
cce5bdd9ca925e853100e599900f657b5f132935

SHA256
f35e10a4e568be0e2a13f1e6ca65b942db87e218e4e59162bf503a80b7b8c238

SHA512
e8605f4d414fa47011b555c536640156a224e033d9c8a671a2fcbbd12415d15ccc2c65bdf7cc7fe0ae712697540838f2f91433adba11bf81beeff4bf5416b2f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin9F8B.bat

Filesize
50B

MD5
3a82f05bab461304cb35e60a12838356

SHA1
2eb83c311edc3c6504eb87e6aa1a17473fdad0d0

SHA256
80d89a51e19c752925887d4d6d01db3be70fb6f53b1e8a2fd0f6c5e94d0229d8

SHA512
2a9ba3fc2a4b51f03e88693c55cbee3848c9e03b1b0a08056d2afdecad71d47431593fb9c7925360aeab46ef6adc1aded085c94da8c3f9798209d03f4d678226

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B7405096-2043-4D0B-AFE0-68616CA37260}\Custom.dll

Filesize
91KB

MD5
736682c6d96bb1edc84e77041faae33d

SHA1
f8f6e20cd2aa23010b85ea289c3bc3cbdbc9ae26

SHA256
54346f2e36bdb512ef4f7d702f18e59a746f0b936786bc76a30e87de0a061f17

SHA512
fe24353f0f4acafbde7d8cec7a5078668f5e6cd0b06c3e0c96cb3fed0beb3c8af2becb1d97fcbb369ac38193827c8d8a440694c79b5da3180224377e38f53777

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B7405096-2043-4D0B-AFE0-68616CA37260}\Custom.dll

Filesize
64KB

MD5
e81c89ca6a8b6ad10e9e98050a0fb166

SHA1
af5f33aaf8cc222296d492c8298537215741465e

SHA256
7fe2634832a2fc0927833dabc2cb644f69ed5b2295c472104d83b6bfffcf9ee4

SHA512
38d7b844c421e49bde4bf90e5e9baace4779c073beff13ffc9100e9243045edb1f26f61c30dd386d1c04357c2b13afefea51a94c5367b978a0b3bbde3848a91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B7405096-2043-4D0B-AFE0-68616CA37260}\Readme.txt

Filesize
2KB

MD5
cb45f741900f51ed947f0c8061884c9f

SHA1
3c63ff4c2039094b8e86ae28d17968563061f62f

SHA256
6f1bd3c9e1ad5ed8b04a016ab26252627c47e527a75925080828db051387f3d5

SHA512
d42b62f1ad800968e19dcdd00658cd77c6106e740456b193d08141af974cf8e6f59c9551489922e160ae23a84e39d2132150fee8cf3a663d0db35516af957000

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B7405096-2043-4D0B-AFE0-68616CA37260}\Setup.exe

Filesize
6KB

MD5
76153c81683a5373fb0a52062ed60ad6

SHA1
39677d40e8dd22ff36d8dbdd9b91df7c34e63c76

SHA256
1674ef5c096809f3b68293dcb7b0351d6da630d704bb586743320ba729f9518d

SHA512
ef025bf4cf28000d862a10e727325f721031b1f626e513da6051d076c5cc56aac8ff3a8da5ba6ba423919ac74f12efc4d25c17812e2ab5a9050b02293a093db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B7405096-2043-4D0B-AFE0-68616CA37260}\Setup.ico

Filesize
14KB

MD5
1623bb0c615eaeed406a3253a606e71c

SHA1
e86516e730bdd2a6d0423211f236f4ae9dd4282e

SHA256
67664b6561b8bf32091bca59db37a8c8099da01236accfa85f1367bdcb5f0904

SHA512
2d854d2732d9562acfe01350fbeb0b78339d01630f114f8c5f95f7542fff2af93393b5c4f977d9602d78dbea23bf41f2f1a9b0252e51a66971facf208803ec5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B7405096-2043-4D0B-AFE0-68616CA37260}\_Setup.dll

Filesize
180KB

MD5
a475792794328d8a503568cbe38e8531

SHA1
47e5c4857f272898ed515e939f92cb9243b2ce2e

SHA256
2cd6c67a711059c2245615d80ee0e7d44a003b66d5577513b1dfb1bd7f1e7312

SHA512
3ea14ace569233dd69e730b4dfae4f1292d2e950aa26aceeae78715d0831ff6919d1bbf7c70ec256dd8a5db7f2d09ea4f29a564c125b54fdf8c7de2c78631184

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B7405096-2043-4D0B-AFE0-68616CA37260}\_Setup.dll

Filesize
83KB

MD5
777cc822788b972e25228237cca062c4

SHA1
427060ba85dd05064cf2c8233881ca2e5f3357f3

SHA256
fc053ed24a1e006ad027454b467358ca5f043b3b485801bbe5bd5b8c57a15c9e

SHA512
30e02511f3b93eec37d8d97ca5a3fb744817fc6d048c52f4376984846410b7c42a06f7e70949b4c1602cdb50507eafe6f76ca3583f1063bebc3de7f53e710536

Download Submit