2131bf0465c1ef826f41a864e2ea183350df3169fce5180bc65cfdb22b1ced67

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e215bf7dbaafd82c074e0808cedaef57.exe
Size

200KB
MD5

e215bf7dbaafd82c074e0808cedaef57
SHA1

7b1f384fb969e33d335fbfaad825c50fa159728b
SHA256

2131bf0465c1ef826f41a864e2ea183350df3169fce5180bc65cfdb22b1ced67
SHA512

9f4d7b281630f0f07a32cb76c49e8fffcdd0d9c200b6dda9792ac35900e60e400401c983d010798268978df56798e5a6876bb485731db16c38f9b055f77dd703
SSDEEP

3072:EHHyIXRECLgDsdCtykxdaA3dYCvhOtJYVQcA5fM0LVO6u9sU2gk8TKeWZdPuIG1/:Ehmkg1dagdYhmLpqOqt0TeA2sg6/

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
488	e215bf7dbaafd82c074e0808cedaef57.exe
488	e215bf7dbaafd82c074e0808cedaef57.exe
488	e215bf7dbaafd82c074e0808cedaef57.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 488 wrote to memory of 940	488	e215bf7dbaafd82c074e0808cedaef57.exe	87
PID 488 wrote to memory of 940	488	e215bf7dbaafd82c074e0808cedaef57.exe	87
PID 488 wrote to memory of 940	488	e215bf7dbaafd82c074e0808cedaef57.exe	87
PID 488 wrote to memory of 4516	488	e215bf7dbaafd82c074e0808cedaef57.exe	93
PID 488 wrote to memory of 4516	488	e215bf7dbaafd82c074e0808cedaef57.exe	93
PID 488 wrote to memory of 4516	488	e215bf7dbaafd82c074e0808cedaef57.exe	93
PID 488 wrote to memory of 2656	488	e215bf7dbaafd82c074e0808cedaef57.exe	94
PID 488 wrote to memory of 2656	488	e215bf7dbaafd82c074e0808cedaef57.exe	94
PID 488 wrote to memory of 2656	488	e215bf7dbaafd82c074e0808cedaef57.exe	94
PID 488 wrote to memory of 1680	488	e215bf7dbaafd82c074e0808cedaef57.exe	96
PID 488 wrote to memory of 1680	488	e215bf7dbaafd82c074e0808cedaef57.exe	96
PID 488 wrote to memory of 1680	488	e215bf7dbaafd82c074e0808cedaef57.exe	96
PID 488 wrote to memory of 3380	488	e215bf7dbaafd82c074e0808cedaef57.exe	97
PID 488 wrote to memory of 3380	488	e215bf7dbaafd82c074e0808cedaef57.exe	97
PID 488 wrote to memory of 3380	488	e215bf7dbaafd82c074e0808cedaef57.exe	97
PID 488 wrote to memory of 3708	488	e215bf7dbaafd82c074e0808cedaef57.exe	98
PID 488 wrote to memory of 3708	488	e215bf7dbaafd82c074e0808cedaef57.exe	98
PID 488 wrote to memory of 3708	488	e215bf7dbaafd82c074e0808cedaef57.exe	98
PID 488 wrote to memory of 2508	488	e215bf7dbaafd82c074e0808cedaef57.exe	99
PID 488 wrote to memory of 2508	488	e215bf7dbaafd82c074e0808cedaef57.exe	99
PID 488 wrote to memory of 2508	488	e215bf7dbaafd82c074e0808cedaef57.exe	99
PID 488 wrote to memory of 1884	488	e215bf7dbaafd82c074e0808cedaef57.exe	100
PID 488 wrote to memory of 1884	488	e215bf7dbaafd82c074e0808cedaef57.exe	100
PID 488 wrote to memory of 1884	488	e215bf7dbaafd82c074e0808cedaef57.exe	100
PID 488 wrote to memory of 2164	488	e215bf7dbaafd82c074e0808cedaef57.exe	101
PID 488 wrote to memory of 2164	488	e215bf7dbaafd82c074e0808cedaef57.exe	101
PID 488 wrote to memory of 2164	488	e215bf7dbaafd82c074e0808cedaef57.exe	101
PID 488 wrote to memory of 4872	488	e215bf7dbaafd82c074e0808cedaef57.exe	103
PID 488 wrote to memory of 4872	488	e215bf7dbaafd82c074e0808cedaef57.exe	103
PID 488 wrote to memory of 4872	488	e215bf7dbaafd82c074e0808cedaef57.exe	103

C:\Users\Admin\AppData\Local\Temp\e215bf7dbaafd82c074e0808cedaef57.exe
"C:\Users\Admin\AppData\Local\Temp\e215bf7dbaafd82c074e0808cedaef57.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tinE37D.bat"
  2⤵
  PID:940
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin5B6D.vbs"
  2⤵
  PID:4516
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin2C36.vbs"
  2⤵
  PID:2656
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin63F7.vbs"
  2⤵
  PID:1680
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin5B6D.vbs"
  2⤵
  PID:3380
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin4F4B.vbs"
  2⤵
  PID:3708
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin546B.vbs"
  2⤵
  PID:2508
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin63F7.vbs"
  2⤵
  PID:1884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin1749.bat"
  2⤵
  PID:2164
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tinCB36.bat"
  2⤵
  PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\6C151807\cfg\1.ini

Filesize
1KB

MD5
8150f458ed6fb9b1db4e5cfa57a1a281

SHA1
6e5726854d28687b560d7fdcb5c782c425c7dfb9

SHA256
4c13d452dd5d49671bd93ca32f2b4f85c78e39b6ab0ad1f38d98ed267f8fd896

SHA512
4cc6a112673aef8bb8bb8a385c26791b805d43bb707b509880e894f1c83bab4e16f13de187036c5f660c3bec1d286258396b7bde65c5d7945c5019665196818c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C151807\Setup.exe

Filesize
15KB

MD5
011c08dab1dd0bad6960ddabba460c50

SHA1
0864a756ec8bf0e51cce91cff93c7c2c404208da

SHA256
2a095e2ae908ac5e5e3268b5f5fd12752e92c6d46b847d324c9cae67174a1c10

SHA512
db7ded3195156aa835cc32f2e8676e2c8f7c2449a56fd823c3f29ec5f200deb2e4389dee9ec3c96d3c27aa01d80d5cff8d8ed39f7592b955ba484ae90aacc165

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C151807\Setup.ico

Filesize
4KB

MD5
c3926cef276c0940dadbc8142153cec9

SHA1
f8b350d2b7158f5ab147938961439860d77b9cb4

SHA256
0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

SHA512
5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C151807\_Setup.dll

Filesize
74KB

MD5
730707ba34c5d81c2c165cedb4d07e0e

SHA1
6ff7cb793aaef8133123badf2a819df4c3305c7c

SHA256
6052cd79fabac32b1a27d3cd42f6a12f67f28962737abef1c39d896d5bdb8108

SHA512
9391b6f8a08ccdf0c2565f66e857ae9810deb81da579c86a9e932d8cbb94adce67b98ce9a8701bc76e9cebe0e11dc55a91ec554f5c620b9d657e6a35772965cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C151807\_Setupx.dll

Filesize
16KB

MD5
a3e3a7c55dac05898f398f0ef4ef16fd

SHA1
2245eebc8ef1d3c1ae7f395ce168b0a93fb0f016

SHA256
25e262cf0f72f8e8bcd0bc6f4cabcd8dcf397ac027cce46ce8ac19511afabffe

SHA512
e7d8e21b6f40caccf519ba27895c09ae07ade7c82982265c249228ed0bd18179b6e25dedf2596e6be60db782d80cfeb014c43c5d25757c156d54fd5ae4193d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsu-01E8.dll

Filesize
245KB

MD5
0ad3f6b76368a27813d3d941458bafc2

SHA1
ce21514b78dd67d8d9562b3983abf8755a8c0a88

SHA256
8fbd7e9bcd9f281aed0f5e8d06c821dd2b33fce0ddc17b864e0ceca6b90b31b2

SHA512
c75210165ecf296ba4d04cbab2323118afbab9ddb420b8309cf744b3273485cb1e152027fe35354047c4c0bd0d83ec17a73c8eea8575bc0a4714c98cc5a478b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin1749.bat

Filesize
50B

MD5
026afc324dd02c5aadbab4febf93d0c2

SHA1
ccfd9f240cd65cb1722310131c2eae75e91959c8

SHA256
257075de27a25bf8fa4762dcfdf569e76a1243ff202ea845eb14a193d194cd9a

SHA512
bb6b01d12476b87ff27f0429118a14d4ccaa9a1d7771272490fc873505df416c731c74561bb1c124a997785debd35ee9cca02007a3099d725aad6c7bd0894d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin2C36.vbs

Filesize
1KB

MD5
c5f60673fa66157209c81f0357f78787

SHA1
d32e3ad5b78e1d0a197bf21b29cd3aa90ba2014a

SHA256
48f44c055104ce6b13daffc49e4a1eec513032a4796d51040efa42505c451ef5

SHA512
37001815ba4c540ba164ecc5655cb49165b7dcd5ff67ff25f8509749a30e02d2b9782cc5e4eb6a9518f8a69eab7dd8ddaee4da8d604aea7d9e3978c231de6a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin4F4B.vbs

Filesize
419B

MD5
b0ae6dbb3e5c80bfbdb9799994bae073

SHA1
108d264af12b578f4b30cc97aeb237c511127caa

SHA256
0aafcebc22e31e2ef84fc2a224a102b1fe64c1d18f5aa4547604269ac6f131d5

SHA512
37164a926b2ea221b3d4df57602d94c4606d7381c7ef23275de52f6e96ac61e18a9ace07624ccd499a53524d203272c6c8334a7e0b808612010bf6a7259e98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin546B.vbs

Filesize
819B

MD5
30dbc9199e7125f76e0e9e5fd7ab1029

SHA1
df9321e4a4315637a4177aeb31ce62e465038bee

SHA256
04aeb7f283e932f92b68e8753eebbb8e06a9f0d0ef3b635f5ae181a6e6e1300c

SHA512
7355018eb67e5530faa04ecb75c0f40eb3c2efac0ba800e72ac71417285bf5121e955e9f170871fe850db997dd28fd923b3d37a8319c4f93e18002df8da828e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin5B6D.vbs

Filesize
304B

MD5
f1f5db2f7dd9f17541ffc661a95e6044

SHA1
416349d37bf5299fcf62193f4da693292f1d1874

SHA256
886ad5dcb380b5456ef78e600bc453006c59e68235af450709826d949ee3d6ce

SHA512
b05842b9ca04a06ed9bfb76ab7bcdb1b3b755e35224d6e4872688572a7d7684d72d4ee3825ad2105843da85925287cf42401dc1fb5a49db3160e74070361f358

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin63F7.vbs

Filesize
2KB

MD5
8229e48a0810a18a62789064842d3ef8

SHA1
8fa92184837b6f1768e96bd488e02db14b932608

SHA256
1fdaaab9af1e8467891961afbdc9db7f77c286da5736f80dd3836a23207b306c

SHA512
fc12a4ede2bf90c84b67004a6f230020b20d476c6791edc9cf350f3d6061a7967eb5c68b7120b2b95a55bfee5c2bcc0d7cd604775671edef89ebbe2d88609a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinCB36.bat

Filesize
46B

MD5
3d31b90bbdc05823a2f60875a25881bb

SHA1
c1dd62685f069c6ac3313d3fd3d0e4f30594132a

SHA256
2b81b81b483fce9834fe4e330dd05faa2308a319a435deabf9f870ddf42947c1

SHA512
82b2d02e26b4401537bf4c879d97b4723ace9017d8ae54efd5a8c5e9b8f6f1ef46db5005070275d626811b9c75f401a16096d3f8e74b07d854d153653bcb004d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinE37D.bat

Filesize
44B

MD5
e9f1123d451e9ab201ba8972b60f5a7f

SHA1
fc351a93ef597e5f8c94926d6638c3c4e7f240dd

SHA256
2d0f07b7fc4bb9bfa13e774cc1d4ad9ca53dc15d6da08f9fb73aafcf9243e9a6

SHA512
58282ade80d43255b820bb63fa396ae5e0480abb0cc673a2f015d54619bcd7badb373fce2d52eab0fdffcc2fca63a67a142df32af7814a5abcd22cfc80662d03

Download Submit