15edc0be6b2fe56e8d06717ebcee3b8dccb2e6d60f20e5f175d5e9d641413492

General

Target

08d099bcb4e20bfa94a3f83db497f041.exe
Size

303KB
MD5

08d099bcb4e20bfa94a3f83db497f041
SHA1

c4fe602b2057e0dbe35fd8a6175e4ae9a8c0bb53
SHA256

15edc0be6b2fe56e8d06717ebcee3b8dccb2e6d60f20e5f175d5e9d641413492
SHA512

6795616ba57c3fd95690eeefa640165b3fd5f0a8b48d5c086671611e4cfc2baa1a75d3520b25736f734dcb40d11a65d9145f76387a862d0b7dc6f419515249c2
SSDEEP

6144:mrkX6Y0JQBkQRl7174NpNUM+UHs+h43nRLFJO2t3OEhLSMwcU9P4WbXQx7Y:mrkX63yRl1uqM+gs+2RLTf+QLShvQx7Y

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2240	08d099bcb4e20bfa94a3f83db497f041.exe
2240	08d099bcb4e20bfa94a3f83db497f041.exe
2240	08d099bcb4e20bfa94a3f83db497f041.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	08d099bcb4e20bfa94a3f83db497f041.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	08d099bcb4e20bfa94a3f83db497f041.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2240	08d099bcb4e20bfa94a3f83db497f041.exe
2240	08d099bcb4e20bfa94a3f83db497f041.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 4492	2240	08d099bcb4e20bfa94a3f83db497f041.exe	92
PID 2240 wrote to memory of 4492	2240	08d099bcb4e20bfa94a3f83db497f041.exe	92
PID 2240 wrote to memory of 4492	2240	08d099bcb4e20bfa94a3f83db497f041.exe	92

C:\Users\Admin\AppData\Local\Temp\08d099bcb4e20bfa94a3f83db497f041.exe
"C:\Users\Admin\AppData\Local\Temp\08d099bcb4e20bfa94a3f83db497f041.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin062F.bat"
  2⤵
  PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\C3D2B7BB\cfg\1.ini

Filesize
7KB

MD5
f1dfd66ea606d3878f3b6402b56c15f9

SHA1
b68c9d0d099f299382f7dabf31eccabb75e2d0cc

SHA256
779550f04c7cc674b9b11961060bc2037113ea4bd3a222b9b4a04c62db0ed015

SHA512
34d88aa8c408841a155bf2af6fdbd30783e977620daf20466ca758aa5913fa899790dd6d5cc69a0cb0ea9afa0c8b6c0dda32f91f177f112e68554299b6bd32a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TsuA3420A13.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin062F.bat

Filesize
50B

MD5
bd7b60a19e6e3a0f454a5a1d83436c94

SHA1
c8fcec433be92cbc8bed06c9a47c4740b2dde2dd

SHA256
89c682bf2d12ac656393da78b8c55c17263d75196608a41965bedc2b171ccc16

SHA512
02ecd70517278a47af30f66a6d2df3cfcf910360a61c102f9af17448a9c81ba5badade37ef95bb409e957423cfe6d5f912a2e7f5ce7455cfa6b3c028b5a53f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A730FC1E-FEB3-4742-A5A9-B6917CD3DEE8}\Custom.dll

Filesize
73KB

MD5
1713b561bb7c2f3a9b699322beef883e

SHA1
da6f6c7ad03afb8bf5641388ff65eb5c89aa75cf

SHA256
f540f8a893afbb753a4c034587e3840b01ffa791930a9c3d6ea25d6700c3e688

SHA512
c13216bf04f47579e48c4b9be488f1fc68452402eb925ebd55603f61638738b9ccaadfe7d8d9843415cc252ceaee75b2d7ded8766316a9d1f4290860978b9023

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A730FC1E-FEB3-4742-A5A9-B6917CD3DEE8}\Readme.txt

Filesize
2KB

MD5
da13276642d44c80bd9a72b2c249b481

SHA1
94a1cd72c053d18399547bba8f5a116e50a8b965

SHA256
5162107743e1cffe00f459c4af6d0442040d78ae89068dd93210f1cb86db5f6e

SHA512
00cdd0223c64cacc7912bf8555311de5c7460c8bede62f9ae1c838fea4de657586f34766cd5d19b92acd197400a912130d98cc81202556ea3c17bb608dfd6dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A730FC1E-FEB3-4742-A5A9-B6917CD3DEE8}\Setup.exe

Filesize
15KB

MD5
e717f6ce3a7429bfa6d7f3cf66737a4b

SHA1
01f4042589b4ed88c351ffeac256be7a9d884818

SHA256
7be720a73ba8b084702c89f64a9b295fad92545d6ba781072cc056823f9a7633

SHA512
65a9a27430811aa01b55cf365f8b7b9f03e70d32ec60e0706242bc568242bcd493999dc1b02d92bf0d01c0095c8c38d30f282a998cafb80e60ad07e0d875ce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A730FC1E-FEB3-4742-A5A9-B6917CD3DEE8}\Setup.ico

Filesize
4KB

MD5
c3926cef276c0940dadbc8142153cec9

SHA1
f8b350d2b7158f5ab147938961439860d77b9cb4

SHA256
0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

SHA512
5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A730FC1E-FEB3-4742-A5A9-B6917CD3DEE8}\_Setup.dll

Filesize
166KB

MD5
bce2e58dbea7c20d5f71bc6b82f4343e

SHA1
41a14ecccc1175ed755e4e44f7bc89ed3a946a05

SHA256
f61285c41cf9396e9ce6bf38b29bfa3539c12c729582625636344e518252e4cb

SHA512
6ec4b531be8869443887a6289bad27ff483330d576bc7a18b29675dd26f2dba7b4cf513322dc6db240ee50c540abf69fb80f380e4bd64c8f839539d93ac346af

Download Submit

Analysis

Sharing