2131bf0465c1ef826f41a864e2ea183350df3169fce5180bc65cfdb22b1ced67

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e215bf7dbaafd82c074e0808cedaef57.exe
Size

200KB
MD5

e215bf7dbaafd82c074e0808cedaef57
SHA1

7b1f384fb969e33d335fbfaad825c50fa159728b
SHA256

2131bf0465c1ef826f41a864e2ea183350df3169fce5180bc65cfdb22b1ced67
SHA512

9f4d7b281630f0f07a32cb76c49e8fffcdd0d9c200b6dda9792ac35900e60e400401c983d010798268978df56798e5a6876bb485731db16c38f9b055f77dd703
SSDEEP

3072:EHHyIXRECLgDsdCtykxdaA3dYCvhOtJYVQcA5fM0LVO6u9sU2gk8TKeWZdPuIG1/:Ehmkg1dagdYhmLpqOqt0TeA2sg6/

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1968	e215bf7dbaafd82c074e0808cedaef57.exe
1968	e215bf7dbaafd82c074e0808cedaef57.exe
1968	e215bf7dbaafd82c074e0808cedaef57.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2600	1968	e215bf7dbaafd82c074e0808cedaef57.exe	28
PID 1968 wrote to memory of 2600	1968	e215bf7dbaafd82c074e0808cedaef57.exe	28
PID 1968 wrote to memory of 2600	1968	e215bf7dbaafd82c074e0808cedaef57.exe	28
PID 1968 wrote to memory of 2600	1968	e215bf7dbaafd82c074e0808cedaef57.exe	28
PID 1968 wrote to memory of 2936	1968	e215bf7dbaafd82c074e0808cedaef57.exe	31
PID 1968 wrote to memory of 2936	1968	e215bf7dbaafd82c074e0808cedaef57.exe	31
PID 1968 wrote to memory of 2936	1968	e215bf7dbaafd82c074e0808cedaef57.exe	31
PID 1968 wrote to memory of 2936	1968	e215bf7dbaafd82c074e0808cedaef57.exe	31
PID 1968 wrote to memory of 1612	1968	e215bf7dbaafd82c074e0808cedaef57.exe	32
PID 1968 wrote to memory of 1612	1968	e215bf7dbaafd82c074e0808cedaef57.exe	32
PID 1968 wrote to memory of 1612	1968	e215bf7dbaafd82c074e0808cedaef57.exe	32
PID 1968 wrote to memory of 1612	1968	e215bf7dbaafd82c074e0808cedaef57.exe	32
PID 1968 wrote to memory of 2736	1968	e215bf7dbaafd82c074e0808cedaef57.exe	34
PID 1968 wrote to memory of 2736	1968	e215bf7dbaafd82c074e0808cedaef57.exe	34
PID 1968 wrote to memory of 2736	1968	e215bf7dbaafd82c074e0808cedaef57.exe	34
PID 1968 wrote to memory of 2736	1968	e215bf7dbaafd82c074e0808cedaef57.exe	34
PID 1968 wrote to memory of 2064	1968	e215bf7dbaafd82c074e0808cedaef57.exe	35
PID 1968 wrote to memory of 2064	1968	e215bf7dbaafd82c074e0808cedaef57.exe	35
PID 1968 wrote to memory of 2064	1968	e215bf7dbaafd82c074e0808cedaef57.exe	35
PID 1968 wrote to memory of 2064	1968	e215bf7dbaafd82c074e0808cedaef57.exe	35
PID 1968 wrote to memory of 2020	1968	e215bf7dbaafd82c074e0808cedaef57.exe	36
PID 1968 wrote to memory of 2020	1968	e215bf7dbaafd82c074e0808cedaef57.exe	36
PID 1968 wrote to memory of 2020	1968	e215bf7dbaafd82c074e0808cedaef57.exe	36
PID 1968 wrote to memory of 2020	1968	e215bf7dbaafd82c074e0808cedaef57.exe	36
PID 1968 wrote to memory of 856	1968	e215bf7dbaafd82c074e0808cedaef57.exe	37
PID 1968 wrote to memory of 856	1968	e215bf7dbaafd82c074e0808cedaef57.exe	37
PID 1968 wrote to memory of 856	1968	e215bf7dbaafd82c074e0808cedaef57.exe	37
PID 1968 wrote to memory of 856	1968	e215bf7dbaafd82c074e0808cedaef57.exe	37
PID 1968 wrote to memory of 1672	1968	e215bf7dbaafd82c074e0808cedaef57.exe	38
PID 1968 wrote to memory of 1672	1968	e215bf7dbaafd82c074e0808cedaef57.exe	38
PID 1968 wrote to memory of 1672	1968	e215bf7dbaafd82c074e0808cedaef57.exe	38
PID 1968 wrote to memory of 1672	1968	e215bf7dbaafd82c074e0808cedaef57.exe	38
PID 1968 wrote to memory of 2676	1968	e215bf7dbaafd82c074e0808cedaef57.exe	39
PID 1968 wrote to memory of 2676	1968	e215bf7dbaafd82c074e0808cedaef57.exe	39
PID 1968 wrote to memory of 2676	1968	e215bf7dbaafd82c074e0808cedaef57.exe	39
PID 1968 wrote to memory of 2676	1968	e215bf7dbaafd82c074e0808cedaef57.exe	39
PID 1968 wrote to memory of 2280	1968	e215bf7dbaafd82c074e0808cedaef57.exe	41
PID 1968 wrote to memory of 2280	1968	e215bf7dbaafd82c074e0808cedaef57.exe	41
PID 1968 wrote to memory of 2280	1968	e215bf7dbaafd82c074e0808cedaef57.exe	41
PID 1968 wrote to memory of 2280	1968	e215bf7dbaafd82c074e0808cedaef57.exe	41

C:\Users\Admin\AppData\Local\Temp\e215bf7dbaafd82c074e0808cedaef57.exe
"C:\Users\Admin\AppData\Local\Temp\e215bf7dbaafd82c074e0808cedaef57.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tinE37D.bat"
  2⤵
  PID:2600
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin5B6D.vbs"
  2⤵
  PID:2936
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin2C36.vbs"
  2⤵
  PID:1612
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin63F7.vbs"
  2⤵
  PID:2736
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin5B6D.vbs"
  2⤵
  PID:2064
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin4F4B.vbs"
  2⤵
  PID:2020
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin546B.vbs"
  2⤵
  PID:856
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin63F7.vbs"
  2⤵
  PID:1672
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin1749.bat"
  2⤵
  PID:2676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tinCB36.bat"
  2⤵
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\570EE64D\cfg\1.ini

Filesize
1KB

MD5
8150f458ed6fb9b1db4e5cfa57a1a281

SHA1
6e5726854d28687b560d7fdcb5c782c425c7dfb9

SHA256
4c13d452dd5d49671bd93ca32f2b4f85c78e39b6ab0ad1f38d98ed267f8fd896

SHA512
4cc6a112673aef8bb8bb8a385c26791b805d43bb707b509880e894f1c83bab4e16f13de187036c5f660c3bec1d286258396b7bde65c5d7945c5019665196818c

Download Submit
C:\Users\Admin\AppData\Local\Temp\570EE64D\Setup.exe

Filesize
15KB

MD5
011c08dab1dd0bad6960ddabba460c50

SHA1
0864a756ec8bf0e51cce91cff93c7c2c404208da

SHA256
2a095e2ae908ac5e5e3268b5f5fd12752e92c6d46b847d324c9cae67174a1c10

SHA512
db7ded3195156aa835cc32f2e8676e2c8f7c2449a56fd823c3f29ec5f200deb2e4389dee9ec3c96d3c27aa01d80d5cff8d8ed39f7592b955ba484ae90aacc165

Download Submit
C:\Users\Admin\AppData\Local\Temp\570EE64D\Setup.ico

Filesize
4KB

MD5
c3926cef276c0940dadbc8142153cec9

SHA1
f8b350d2b7158f5ab147938961439860d77b9cb4

SHA256
0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

SHA512
5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin1749.bat

Filesize
50B

MD5
882a503feb9df891ed31a079f88ff08f

SHA1
47f6addab10dc38c27207f74c8cbd3fd9931a941

SHA256
31042819b11c51593180a4e718ec4492c18a5bff2d16a84ce38a0db587f9eee8

SHA512
9c3655eaf3a34c3f8a05c03c16929e17bb137358b5270084d525168409628dba0534007bd2f86d19233cc3dc5f29011fd89858327c5ec84fabaa3c1f33674c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin2C36.vbs

Filesize
1KB

MD5
a90ebd920e0fb3e061e0ddc902d15172

SHA1
952d0fb4a1fb6b04db5e0c467a0ffef1c944e29f

SHA256
ea996d33053a8745151c75e1855a35e38bf51961c13c1e36edf90acff8429ed2

SHA512
693723c6a84eaf6535df63cc87dab88b8517764c67391e56929f85807fd8eca0af6df0630656bca333cb38b1f7fc0e153c27b438969712b1381070495219fe50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin4F4B.vbs

Filesize
419B

MD5
e6e62a8adcf4c349f876283ba0a0875b

SHA1
7cdd90e47897d065810c3a1ff88d2e81c31d69fb

SHA256
57f1bb991447a33ac15dd6274932863e9734c8f272612a59a66b1d8d7668341a

SHA512
8347789c4a54d7c461f53acaa775179f896856e2938f995929b18eda35151af0d697f6083f5d321846e182288a08b4b18519cc0927f065791b606f4e9508cf19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin546B.vbs

Filesize
819B

MD5
12ae60c8c91af5d9d8ed467c574cdf6f

SHA1
a9c4995f72a6688b469ccf6a003088253466c60c

SHA256
fbc82fe658adcea42fd59862531afbe31a0dda98f910368bc11db21bb3da3a0a

SHA512
99dcd8dca70716ec589665ca6eddcb7c651f26ca3216e7ca037807a5805c7893e3d295f2400013f90b3df664d3ccdfbfb4f61aa994590a45547483ff19356394

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin5B6D.vbs

Filesize
304B

MD5
9beae0dc2d364c9969ccfbdadeaec86c

SHA1
e8320f98d17a9fa80d82b8b97efea43ecd9a6a60

SHA256
c121d86af7a3a707defc4d9f534cf0d54f1924a275db2feed88e32767b6ca3c2

SHA512
9c71cc031520cd9c5f9d4af9344a46f81074e93f770342a92a26a39687318d9ec42849c8aafa822bc16669c8967bf85525ac7d1b563183608667874bb694636f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin63F7.vbs

Filesize
2KB

MD5
01a3e070dc10d6b28180252a06657c15

SHA1
4770452703b92f52273af515d41340654723bc90

SHA256
9c48d285ff8e6c0d684c37627ee4779f6e2a11ec5ff2fad4a508b670981c726c

SHA512
252591eb310561b88b13f036a83c9eae6f068dd23868ffb6f99df1a6e398bb012995d71d769ddd86ada7f285be155dc8048df1a1f28498e26572a27dc38ea849

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinCB36.bat

Filesize
46B

MD5
b593cf3db5f272b65c3afa729a21728d

SHA1
1a0b460b5760b84896b023d2eea2678766fca011

SHA256
6f25c149ffe77e59de9d76ebf3009f71d98c6aa57628fc49067d8704c3ffbd2a

SHA512
bbc39749ec4dc514e5fb6c36ea74e81be7910387eb8326bf4f5093be8f783d4b2f5c3d5f20f751186c763a1ed195ad2831442a516a62c7220dc3b3502a5a1d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinE37D.bat

Filesize
44B

MD5
92104e1449637dce33276ce28005c9e2

SHA1
fe4a1a1fb606e964d180c9d0a2009af3b4dc989f

SHA256
3bfed3974fe70b84131521fd982b53e7606375edde23dafeb2f41b99b951cca7

SHA512
18c13f3ec7c51dee7dddc9a0de1b42b4932dc303fc2b098e9294d7876cda6aa2b0c48270f032da28054e218edbc01428d4df08a690b6b48a72ae591c4fea9af7

Download Submit
\Users\Admin\AppData\Local\Temp\570EE64D\_Setup.dll

Filesize
74KB

MD5
730707ba34c5d81c2c165cedb4d07e0e

SHA1
6ff7cb793aaef8133123badf2a819df4c3305c7c

SHA256
6052cd79fabac32b1a27d3cd42f6a12f67f28962737abef1c39d896d5bdb8108

SHA512
9391b6f8a08ccdf0c2565f66e857ae9810deb81da579c86a9e932d8cbb94adce67b98ce9a8701bc76e9cebe0e11dc55a91ec554f5c620b9d657e6a35772965cc

Download Submit
\Users\Admin\AppData\Local\Temp\570EE64D\_Setupx.dll

Filesize
16KB

MD5
a3e3a7c55dac05898f398f0ef4ef16fd

SHA1
2245eebc8ef1d3c1ae7f395ce168b0a93fb0f016

SHA256
25e262cf0f72f8e8bcd0bc6f4cabcd8dcf397ac027cce46ce8ac19511afabffe

SHA512
e7d8e21b6f40caccf519ba27895c09ae07ade7c82982265c249228ed0bd18179b6e25dedf2596e6be60db782d80cfeb014c43c5d25757c156d54fd5ae4193d90

Download Submit
\Users\Admin\AppData\Local\Temp\Tsu-07B0.dll

Filesize
245KB

MD5
0ad3f6b76368a27813d3d941458bafc2

SHA1
ce21514b78dd67d8d9562b3983abf8755a8c0a88

SHA256
8fbd7e9bcd9f281aed0f5e8d06c821dd2b33fce0ddc17b864e0ceca6b90b31b2

SHA512
c75210165ecf296ba4d04cbab2323118afbab9ddb420b8309cf744b3273485cb1e152027fe35354047c4c0bd0d83ec17a73c8eea8575bc0a4714c98cc5a478b0

Download Submit