20faadf54224deeba9d015aa255c3d131eea04024c415c2a9f86dfaa8d20746b

General

Target

424e325b7eca28db7df2c5a960ec08a5.exe
Size

304KB
MD5

424e325b7eca28db7df2c5a960ec08a5
SHA1

4e2d9d78bd7c617b5897267139f4483a1f3df7fc
SHA256

20faadf54224deeba9d015aa255c3d131eea04024c415c2a9f86dfaa8d20746b
SHA512

32fe916a0816cb874c244c303724ca858b8040fe31c9673f601ea7a55e0fe0847771556ea5fcdf73b89111d25e92c0bc7706afa4af0b822fde98ad4854bb1a1f
SSDEEP

6144:Crkx9uEo2S1YnQmCX492DkwNP3qpYFkXdlP5IO5/OoCVHuy6SHZ86riVZkiizG:CrkHu6/eIo4RXdrIO5/OpVHd6Ky6rizL

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2588	424e325b7eca28db7df2c5a960ec08a5.exe
2588	424e325b7eca28db7df2c5a960ec08a5.exe
2588	424e325b7eca28db7df2c5a960ec08a5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	424e325b7eca28db7df2c5a960ec08a5.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	424e325b7eca28db7df2c5a960ec08a5.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2588	424e325b7eca28db7df2c5a960ec08a5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 1536	2588	424e325b7eca28db7df2c5a960ec08a5.exe	32
PID 2588 wrote to memory of 1536	2588	424e325b7eca28db7df2c5a960ec08a5.exe	32
PID 2588 wrote to memory of 1536	2588	424e325b7eca28db7df2c5a960ec08a5.exe	32
PID 2588 wrote to memory of 1536	2588	424e325b7eca28db7df2c5a960ec08a5.exe	32

C:\Users\Admin\AppData\Local\Temp\424e325b7eca28db7df2c5a960ec08a5.exe
"C:\Users\Admin\AppData\Local\Temp\424e325b7eca28db7df2c5a960ec08a5.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin5E92.bat"
  2⤵
  PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\283F15CD\cfg\1.ini

Filesize
40KB

MD5
f2b28b165747468c88ef4e1df60a6601

SHA1
0515cb22048f232872251630c28b97bcb4f18dda

SHA256
be70bd6ea6c6c0779570a02324dc1fb8847a6202faf35efb9a189ef2f19138c4

SHA512
9b0abea9158437a8c5ff422b5debeaf7600611efc4b845dffb3098884d3a090ecf3449b66b4051a9e1319141096a5542f0b6ba9454960561bff85be0a3f303ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin5E92.bat

Filesize
50B

MD5
c429c3828d87afb66225b7e37dfec134

SHA1
472cba5691e779e7f065ab88255e764661898247

SHA256
09dab9833190830a46937645c43ed9271186154812ac5810f971c635cf38b046

SHA512
18238cf7f3f5a476d54cbfb1ad14ad65338122a8f3594518c192af6ef65cc1b3895bf2c3f52ec509f453ce84f9cb557ce3588a933b4a72272e3b7697c0841bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EC77AC80-1D6F-4F39-ADD2-554D37948E76}\Readme.txt

Filesize
2KB

MD5
699229b3fe2ee75aefa3d2b54f7e13cb

SHA1
d7cb88e3b7baa98f0c99e89340121a92d315676f

SHA256
1221a175847d62688165a53d220c70d2d4b3a79709d92a56e42becb851af854f

SHA512
c946a55c4ccf4016d2ad52d82fb9e3b13bcb50847d74a8dded515b580fb67b351e7b59a714699f411e2d4e582b020cd6a9283c376bbd6bbb72075fe3ec302463

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EC77AC80-1D6F-4F39-ADD2-554D37948E76}\Setup.exe

Filesize
15KB

MD5
e717f6ce3a7429bfa6d7f3cf66737a4b

SHA1
01f4042589b4ed88c351ffeac256be7a9d884818

SHA256
7be720a73ba8b084702c89f64a9b295fad92545d6ba781072cc056823f9a7633

SHA512
65a9a27430811aa01b55cf365f8b7b9f03e70d32ec60e0706242bc568242bcd493999dc1b02d92bf0d01c0095c8c38d30f282a998cafb80e60ad07e0d875ce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EC77AC80-1D6F-4F39-ADD2-554D37948E76}\Setup.ico

Filesize
4KB

MD5
c3926cef276c0940dadbc8142153cec9

SHA1
f8b350d2b7158f5ab147938961439860d77b9cb4

SHA256
0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

SHA512
5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

Download Submit
\Users\Admin\AppData\Local\Temp\Tsu8C197E47.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
\Users\Admin\AppData\Local\Temp\{EC77AC80-1D6F-4F39-ADD2-554D37948E76}\Custom.dll

Filesize
73KB

MD5
e8d86c771d7e23b080921b9803f1654c

SHA1
49d8ef6835a6de734ead4e0b2cbbc65735cd5c17

SHA256
cc7a340bffc39d8d8f704314f0383404590438b8cd16e780e0a26723bceedd21

SHA512
b9902e0112bbf053ec4e3aa633ac2f2dd938b23507ff58ed69ac580656e42874c4b0ccb0d393b26637ae2b98feee78023d62378adb99140736e314de74fb399b

Download Submit
\Users\Admin\AppData\Local\Temp\{EC77AC80-1D6F-4F39-ADD2-554D37948E76}\_Setup.dll

Filesize
167KB

MD5
262cc5a5e5a007ae182c45e41ac35adf

SHA1
999582209e73d92d0040b8092666087aac2cee90

SHA256
ecc186e0284593db51463f104ba8486b1de656d47a290d27c6fea157cb1495bd

SHA512
2f59e23646774c3e5034d464242ac128cfb3ced1a0498dd0f719308b5854fbba20d457127e01b414f12b63d8bc3baf7ffcf89d91300ca43b90ed6cc933e4bd5b

Download Submit

Analysis

Sharing