12c88bb02450d0a590cdae200351e13acaa400b07595e531a13699eee8dc706b

General

Target

0697057c61226781aadc5a0f99f57b7c.exe
Size

315KB
MD5

0697057c61226781aadc5a0f99f57b7c
SHA1

b9120b3ede27ecebbb62cca3930fdb7e2345bb89
SHA256

12c88bb02450d0a590cdae200351e13acaa400b07595e531a13699eee8dc706b
SHA512

2743299f9873362efafd306556b8f60fd8c659377f121f173bda8d7ba56ae7ae90ade187a47ecbd0b286b9377a20c95292ae128b8f6e87fa02c4857f14a6276e
SSDEEP

6144:ur2bUzkuvcBYC47l2xib6HwzFyytCr88oDG1GI25i1snqq0Q:ur/kuveY3dGwUECr88oDG1GIS+bq0Q

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
828	0697057c61226781aadc5a0f99f57b7c.exe
828	0697057c61226781aadc5a0f99f57b7c.exe
828	0697057c61226781aadc5a0f99f57b7c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0697057c61226781aadc5a0f99f57b7c.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	0697057c61226781aadc5a0f99f57b7c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
828	0697057c61226781aadc5a0f99f57b7c.exe
828	0697057c61226781aadc5a0f99f57b7c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 4376	828	0697057c61226781aadc5a0f99f57b7c.exe	92
PID 828 wrote to memory of 4376	828	0697057c61226781aadc5a0f99f57b7c.exe	92
PID 828 wrote to memory of 4376	828	0697057c61226781aadc5a0f99f57b7c.exe	92

C:\Users\Admin\AppData\Local\Temp\0697057c61226781aadc5a0f99f57b7c.exe
"C:\Users\Admin\AppData\Local\Temp\0697057c61226781aadc5a0f99f57b7c.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin6711.bat"
  2⤵
  PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\849D10BA\cfg\1.ini

Filesize
368B

MD5
3a9830a2f57ef1e602de02bd9cc8eb56

SHA1
5135a0295755e536b833c6c6010900ff99cdbabf

SHA256
8d138bedf3228f7ef9405940526a73f49395fd2917aa22e7d5596297e222da42

SHA512
87ed85acdc1509bb02e437f50e7a90695f66b2a7a996a526f0310ba277de9ce8d7343983e2ae0b5dbedcca832bb90da802d7182972f1b14be0a203cfbd14cc41

Download Submit
C:\Users\Admin\AppData\Local\Temp\TsuF930F9B2.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin6711.bat

Filesize
50B

MD5
a0704b7e13054debf81739a4d484648a

SHA1
d6deda6b96726ba805613b7e7022a7b2b2d29165

SHA256
69b647982c8f8da6c89833788621ecdcccc9c2838deaf48e9ba9deac75420ee0

SHA512
40b05ffa22c4c504c74b20f199a21c9510f81433de6fdfc9eadc72cf9707b5635f448a030b65c4b2a921afac3d4c90881c552991b8c1eea42772d81e0fd198fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{01F33F34-0EC8-40DA-A231-46EADA101DC2}\Custom.dll

Filesize
91KB

MD5
1e003f7cd537f729059dbf13c4b177ed

SHA1
8b13d68eeee3e3be94d961e03a57353245df2fdd

SHA256
3b4b5014529df5e4884b64e60c2bbb0a21c986a15f84d82dc2d4490a020741f4

SHA512
7ca111f01d6e9180bf1c5b8d6875e92182edf40c211888716ee1288d08dd7b68dacaeeaf2acc614d2cf4ca49a1eaa5228b5124572f628a937f895b05f5764fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{01F33F34-0EC8-40DA-A231-46EADA101DC2}\Readme.txt

Filesize
2KB

MD5
0741869b7a2ba1b03c786427671272be

SHA1
d66e5450264d65653cfbd28cf61e88847da2c86b

SHA256
11e23a437ea1071bea16172258577ef7a8fb2b86382f895597f58953695f03f9

SHA512
403bf96446e10d04b5f540780907ebe3f75ce43764e5fb5126b2d9b891553fc14d7f1d110e34ef70fe68df8df45df8859cd16b9770afea9e92ec394120d882fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{01F33F34-0EC8-40DA-A231-46EADA101DC2}\Setup.exe

Filesize
15KB

MD5
e717f6ce3a7429bfa6d7f3cf66737a4b

SHA1
01f4042589b4ed88c351ffeac256be7a9d884818

SHA256
7be720a73ba8b084702c89f64a9b295fad92545d6ba781072cc056823f9a7633

SHA512
65a9a27430811aa01b55cf365f8b7b9f03e70d32ec60e0706242bc568242bcd493999dc1b02d92bf0d01c0095c8c38d30f282a998cafb80e60ad07e0d875ce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\{01F33F34-0EC8-40DA-A231-46EADA101DC2}\Setup.ico

Filesize
4KB

MD5
6c80269225128ee55311a1ae6167b38a

SHA1
b82893276e5b2464b22d745d29746b7042f58a46

SHA256
592e44bfe0cc5c5d39a10908f86654b233e676e724d04c9cf45c03f2cda49e05

SHA512
6bb8c51441463c379f5156ea0cba058e9267d0f6e2d9f477034d9eb5095f7fb46e1c8c989f926ff76153fae87cd1d26178bb58566e8be05eecb96874d5887668

Download Submit
C:\Users\Admin\AppData\Local\Temp\{01F33F34-0EC8-40DA-A231-46EADA101DC2}\_Setup.dll

Filesize
173KB

MD5
f6d936594abe3af2e6a7aa6e58cb26c4

SHA1
4592b94ae4ccd795cdc758627239073264ac4ae9

SHA256
3cc0918fc22ec780a8523c53dc114c854ef204849b493b95426d3d70e5e673a5

SHA512
a85066315502e32002cc56bb0f126f26a4b1048424888f102611c0095d24db67d437f61e1cca0346f7c3e6453fc6c572ff5de2cc0029d501163e7abc7030c84a

Download Submit

Analysis

Sharing